主页 / unix / 问题 / 408338
Accepted
Ned64
Asked: 2017-12-03 01:22:38 +0800 CST

如何比较不同的 SSH 指纹(公钥哈希)格式?

  • 772

当我登录到 SSH 服务器/主机时,我会被询问其公钥的哈希值是否正确,如下所示:

# ssh 1.2.3.4
The authenticity of host '[1.2.3.4]:22 ([[1.2.3.4]:22)' can't be established.
RSA key fingerprint is SHA256:CxIuAEc3SZThY9XobrjJIHN61OTItAU0Emz0v/+15wY.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.

为了能够比较,我之前在 SSH 服务器上使用了这个命令,并将结果保存到客户端的一个文件中:

# ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
2048 f6:bf:4d:d4:bd:d6:f3:da:29:a3:c3:42:96:26:4a:41 /etc/ssh/ssh_host_rsa_key.pub (RSA)

出于某种重要原因(毫无疑问),其中一个命令使用了一种不同的(更新的?)显示哈希的方式,从而极大地帮助了中间人攻击者,因为它需要一个重要的转换来比较这些。

如何比较这两个哈希值,或者更好:强制一个命令使用另一个命令的格式?

-E选项ssh-keygen在服务器上不可用。

sshd ssh

2 个回答

  1. Best Answer

    SSH

    # ssh -o "FingerprintHash sha256" testhost
The authenticity of host 'testhost (256.257.258.259)' can't be established.
ECDSA key fingerprint is SHA256:pYYzsM9jP1Gwn1K9xXjKL2t0HLrasCxBQdvg/mNkuLg.

# ssh -o "FingerprintHash md5" testhost
The authenticity of host 'testhost (256.257.258.259)' can't be established.
ECDSA key fingerprint is MD5:de:31:72:30:d0:e2:72:5b:5a:1c:b8:39:bf:57:d6:4a.

    ssh-keyscan & ssh-keygen

    另一种方法是将公钥下载到同时支持 MD5 和 SHA256 哈希的系统:

    # ssh-keyscan testhost >testhost.ssh-keyscan

# cat testhost.ssh-keyscan
testhost ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItb...
testhost ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0U...
testhost ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKHh...

# ssh-keygen -lf testhost.ssh-keyscan -E sha256
256 SHA256:pYYzsM9jP1Gwn1K9xXjKL2t0HLrasCxBQdvg/mNkuLg testhost (ECDSA)
2048 SHA256:bj+7fjKSRldiv1LXOCTudb6piun2G01LYwq/OMToWSs testhost (RSA)
256 SHA256:hZ4KFg6D+99tO3xRyl5HpA8XymkGuEPDVyoszIw3Uko testhost (ED25519)

# ssh-keygen -lf testhost.ssh-keyscan -E md5
256 MD5:de:31:72:30:d0:e2:72:5b:5a:1c:b8:39:bf:57:d6:4a testhost (ECDSA)
2048 MD5:d5:6b:eb:71:7b:2e:b8:85:7f:e1:56:f3:be:49:3d:2e testhost (RSA)
256 MD5:e6:16:94:b5:16:19:40:41:26:e9:f8:f5:f7:e7:04:03 testhost (ED25519)
    • 25

  2. 仅回答如何查看本地密钥,这在其他答案中也可见,但可能会被遗漏。至少在 Ubuntu 19.04 版本上,SHA256 是 ssh-keygen 的默认格式:

    $ ssh-keygen -lf ~/.ssh/id_rsa.pub
2048 SHA256:CxIuAEc3SZThY9XobrjJIHN61OTItAU0Emz0v/+15wY user@host (RSA)

    但是您当然可以明确指定 SHA256:

    $ ssh-keygen -lf ~/.ssh/id_rsa.pub -E sha256

    如果您想改为查看 MD5:

    $ssh-keygen -lf ~/.ssh/id_rsa.pub -E md5
2048 f6:bf:4d:d4:bd:d6:f3:da:29:a3:c3:42:96:26:4a:41 user@host (RSA)

    顺便说一句,这是 GitHub 曾经在您帐户上的 SSH 密钥列表中使用的格式。详情:$man ssh-keygen

    • 6

相关问题