11.2.7 Verifying the Host Public Key

Each SSH server has a different host key pair so that SSH client can see SSH server. On SSH client side, when connecting to SSH server for the first time or when the host public key is changed, a message is displayed to confirm the fingerprint of that server. In this case, it is possible to connect more safely by obtaining the fingerprint (or host public key) of the connection destination server in advance and visually checking it at the time of connection.

You can use show ssh hostkey commandto see SSHv1/SSHv2's host-public key and its fingerprint.

Figure 11-14: Displaying the host public key
> show ssh hostkey Date 20XX/01/20 12:00:00 UTC ***** SSHv1 Hostkey *** 1024 65537 146987971773759596612099632123526290876813242218856178693006902279752499641505633273 74294515778228277627736937005824220192838922145093952246943786354524785835232009819519418410439 05657066855796690911797058967562169284131198788610748307323233604943076115695684771646338245359 75566336906750637684297547763208749 1024-bit rsa1 hostkey Fingerprint for key: SHA256:gblxC3SCNJsZfjaV5BC6rcckTR+B/hYYTEcBEQO00m8 MD5:c9:d5:c0:4f:1b:2e:ff:b7:2e:9d:c3:66:ed:93:d3:4e *** SSHv2 DSA Hostkey *** ssh-dss AAAAB3NzaC1kc3MAAACBAJenC0V9Xr8ahylD8fqpiAIYGwpjoRqDosb9udd/bDkxicU5YAhwsKktXvh5lPI+GDL 0JVB5hHOVmVCH45PAcoAx+xrEvL2wjoghhLVzDbTfyCCtehxvfcsVxoJSBhGggtWTmllytogGvE3us2vCgEybau8qIpUy+B iA7ONunIDpAAAAFQDz1v9c2U8Eh5xNCApzCFL2ez48gwAAAIAOeAgtPewuIHY1Q3z00SawBa2xWrLxly4WcFrzfAja9GIRp /+s3iJLu/6UZ5nyMyjSF10KAZUzFSG+HteGE/pLB1c+r4B2okzZVH1R7tnst/LAoDg3fQObTF74+j7cGMIwgE0i1E8hciHq 9NmQ9RBe2uBxsej8crzXDTpljfP/gQAAAIB3IWnKpTSvI4Rs49ItzGY+SS5DfkSy+BKB1VFB1xoUr/DYFpT4Q4kA3RTuPFx pjElEIIUP5/+WET/iJSBizyfpwM/lairBhWtSNyOcjeWLD9eYVhw1HqexjQLl8BvTFQtICWWvsviYgNGUGfwTH0RZ6B5HKK O5IVs6bh2VVHoq2A== 1024-bit dsa hostkey Fingerprint for key: SHA256:EH9axeEZO+hj5qzBRqx4fgyncb/J5BN4DffD/my9tN8 MD5:21:b9:aa:78:66:df:02:67:01:48:86:88:cb:31:c4:da *** SSHv2 RSA Hostkey *** ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQ0re6puJtq2gqvyZwzWVqlJgxPuXo7EphTgysp4av+LaGYdiU2jYoQ66 Eo4759z4fZQ/yHtXJicaDMvIz3iNbBQTr01x4F/5m1oR5UJS7XHfhqc5pGNLKglEaIZo8dJkKOo72xI1HERY11ICobKshhW HpGP95WmrRIdxBGUDZKBIk8iW0CeS5duMksrL9O0LMLf1+NXkELmJBT/npMkHiZHBPJcKn1kPRiq5X8igO3THLKeYcPUzOP OkUAUrIDT42s8oJG2FkwO6CIewQcGK9zkCcqKPyFyZahDI8OvwZ05o7VOQb3/sLNiFZfQlRqoGxpiGvNZae76Hb6kS3+cOJ +Yyu/Tbz5kKK0Bz70dxb+4DqClV7yYfquiTdues6hOO8+KAUttNf/w3PNSyjFUFyRxcEDENvxDDq11/gA78VXWitre1ZMin 9ybsSEZGzIS7OzDd0I5/AosKcYNWGkLRrBdGFcB5mJ/9haTALMOWsyxbF3RjXMvcCWVUpxbGKuqs= 3072-bit rsa host key Fingerprint for key: SHA256:lnaICZdvjFnmZoRCum+XblmhEmcilZhq15w4W8R3vOg MD5:81:48:0e:52:a6:7f:64:d8:29:57:e8:fb:4b:34:bb:a0 *** SSHv2 ECDSA Hostkey ***** ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNLBG8RhJwOBU8Z/e+c1wz6 qwZP+IHXM6iUINja2EMOi947VPI8/CA7ZK2INnUW7lXaqkeu6LihUN68wwz8Gisgx9sAPthB3VkNqBEsvKjxk2aSC1/neyg mD5H/5Wo9Q6A== 384-bit ecdsa hostkey Fingerprint for key: SHA256:rnuan5fOrHpNP8IVbZgKNt+t+x/EVTxWKF3tF2CMRA0 MD5:69:5f:70:c3:a0:09:91:e8:70:12:fe:c5:52:21:fe:19 >

Figure 11-14: Displaying the host public key

> show ssh hostkey
Date 20XX/01/20 12:00:00 UTC
******* SSHv1 Hostkey *******
1024 65537 146987971773759596612099632123526290876813242218856178693006902279752499641505633273
74294515778228277627736937005824220192838922145093952246943786354524785835232009819519418410439
05657066855796690911797058967562169284131198788610748307323233604943076115695684771646338245359
75566336906750637684297547763208749 1024-bit rsa1 hostkey
 
Fingerprint for key:
SHA256:gblxC3SCNJsZfjaV5BC6rcckTR+B/hYYTEcBEQO00m8
MD5:c9:d5:c0:4f:1b:2e:ff:b7:2e:9d:c3:66:ed:93:d3:4e
 
******* SSHv2 DSA Hostkey *******
ssh-dss AAAAB3NzaC1kc3MAAACBAJenC0V9Xr8ahylD8fqpiAIYGwpjoRqDosb9udd/bDkxicU5YAhwsKktXvh5lPI+GDL
0JVB5hHOVmVCH45PAcoAx+xrEvL2wjoghhLVzDbTfyCCtehxvfcsVxoJSBhGggtWTmllytogGvE3us2vCgEybau8qIpUy+B
iA7ONunIDpAAAAFQDz1v9c2U8Eh5xNCApzCFL2ez48gwAAAIAOeAgtPewuIHY1Q3z00SawBa2xWrLxly4WcFrzfAja9GIRp
/+s3iJLu/6UZ5nyMyjSF10KAZUzFSG+HteGE/pLB1c+r4B2okzZVH1R7tnst/LAoDg3fQObTF74+j7cGMIwgE0i1E8hciHq
9NmQ9RBe2uBxsej8crzXDTpljfP/gQAAAIB3IWnKpTSvI4Rs49ItzGY+SS5DfkSy+BKB1VFB1xoUr/DYFpT4Q4kA3RTuPFx
pjElEIIUP5/+WET/iJSBizyfpwM/lairBhWtSNyOcjeWLD9eYVhw1HqexjQLl8BvTFQtICWWvsviYgNGUGfwTH0RZ6B5HKK
O5IVs6bh2VVHoq2A== 1024-bit dsa hostkey
 
Fingerprint for key:
SHA256:EH9axeEZO+hj5qzBRqx4fgyncb/J5BN4DffD/my9tN8
MD5:21:b9:aa:78:66:df:02:67:01:48:86:88:cb:31:c4:da
 
******* SSHv2 RSA Hostkey *******
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQ0re6puJtq2gqvyZwzWVqlJgxPuXo7EphTgysp4av+LaGYdiU2jYoQ66
Eo4759z4fZQ/yHtXJicaDMvIz3iNbBQTr01x4F/5m1oR5UJS7XHfhqc5pGNLKglEaIZo8dJkKOo72xI1HERY11ICobKshhW
HpGP95WmrRIdxBGUDZKBIk8iW0CeS5duMksrL9O0LMLf1+NXkELmJBT/npMkHiZHBPJcKn1kPRiq5X8igO3THLKeYcPUzOP
OkUAUrIDT42s8oJG2FkwO6CIewQcGK9zkCcqKPyFyZahDI8OvwZ05o7VOQb3/sLNiFZfQlRqoGxpiGvNZae76Hb6kS3+cOJ
+Yyu/Tbz5kKK0Bz70dxb+4DqClV7yYfquiTdues6hOO8+KAUttNf/w3PNSyjFUFyRxcEDENvxDDq11/gA78VXWitre1ZMin
9ybsSEZGzIS7OzDd0I5/AosKcYNWGkLRrBdGFcB5mJ/9haTALMOWsyxbF3RjXMvcCWVUpxbGKuqs= 3072-bit rsa host
key
 
Fingerprint for key:
SHA256:lnaICZdvjFnmZoRCum+XblmhEmcilZhq15w4W8R3vOg
MD5:81:48:0e:52:a6:7f:64:d8:29:57:e8:fb:4b:34:bb:a0
 
******* SSHv2 ECDSA Hostkey *******
ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNLBG8RhJwOBU8Z/e+c1wz6
qwZP+IHXM6iUINja2EMOi947VPI8/CA7ZK2INnUW7lXaqkeu6LihUN68wwz8Gisgx9sAPthB3VkNqBEsvKjxk2aSC1/neyg
mD5H/5Wo9Q6A== 384-bit ecdsa hostkey
 
Fingerprint for key:
SHA256:rnuan5fOrHpNP8IVbZgKNt+t+x/EVTxWKF3tF2CMRA0
MD5:69:5f:70:c3:a0:09:91:e8:70:12:fe:c5:52:21:fe:19
 
>