SSH Hostkey & SSH fingerprint

下述引用解释了如下几个问题:

  1. 什么是 SSH Hostkey 和 SSH fingerprint
  2. SSH Hostkey 或 fingerprint 存在的意义是什么
  3. SSH Hostkey 或 fingerprint 为什么可以用来唯一标示一个或一类(统一配置)主机

When you make a SSH session, two different key pairs (with a fingerprint for each pair) are involved. One is the user's key which is stored in ~/.ssh. The user's SSH key identity is sometimes used as credentials to login to another computer (if you have set up key based login).

The other is the SSH server's key. This is the key you see the fingerprint for when you connect to a different server for the first time. This key's identity is used to make sure you are logging in to the SSH server you intend to. This is important if you are using passwords because you wouldn't want to accidentally try to login to an attackers machine: the attacker would get your password when you typed it in. Then the attacker could login to the machine you thought you were logging in to! (this is known as a "man in the middle attack") The keys a SSH server uses to identify itself when you login to it are located in /etc/ssh/ and usually named something like ssh_host_rsa_key.

You can actually change where the SSH server looks for the key in the /etc/ssh/sshd_config file with the HostKey /path/to/host/key setting.

By default, ssh-keygen will create a key for the current user, which, by default, will be stored in ~/.ssh. The format of a user key and a server key is the same; the difference is where they are placed and whether /etc/ssh/sshd_config has a HostKey directive pointing to them. When you install the openssh-server package, it automatically generates keys for the server to use. That is where the keys with the unknown fingerprint came from. If you want to see the fingerprint of the SSH server's (RSA*) key, you could run ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub.

There are different encryption algorithms. Each one uses a different key. Common ones are DSA (weak), RSA (old default), and ECDSA (new default).

你可能感兴趣的:(SSH Hostkey & SSH fingerprint)