56

I looked in the man page for ssh, but I am still clueless. When you connect to the remote host using ssh it shows something like this:

ssh user@10.11.12.13
The authenticity of host '10.11.12.13 (10.11.12.13)' can't be established.
ECDSA key fingerprint is SHA256:CwrcHjdd9349u38rj392fr9j389rj3298rj23.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

As I understand:

  • Yes - connect and write the fingerprint in the known hosts file
  • No - do not connect (it shows "Host key verification failed.")

What is that 3rd option [fingerprint]?

Maris B.
  • 1,422

2 Answers

89

This prompt allows you to paste the actual fingerprint as a response; ssh itself will compare it against the public key seen over the network. If both match, the answer is assumed to be yes.

(Of course, you're supposed to copy the fingerprint from a reasonably trusted source – not from the same confirmation message!)

In addition to being faster than manual comparison, this avoids "fuzzy fingerprint" attacks where the fake host key has a fingerprint that is visually similar to the real one (as people often look only at the first and last few letters and skip the rest).

This feature was added in OpenSSH 8.0.

grawity
  • 501,077
3

To expand on @user1686's answer, at least for my ssh client (OpenSSH_9.0p1, LibreSSL 3.3.6 on Mac) the behavior when typing an incorrect key is confounding. Rather than presenting a message like "Keys don't match, exiting!" it just responds with "Please type 'yes', 'no' or the fingerprint:", leaving you to wonder if you have the right format...

It does accept the correct fingerprint, when entered as "{HASH_TYPE}:{HASH_FINGERPRINT}", e.g. SHA256:6IwH4s6MTcIsiC6vol79ODXqdFH1E3/qp/fQVj4jZ5q AND for the correct key type, negotiated earlier in the connection process.

Make sure you are checking the right key if the host has multiple types!

ebarrere
  • 171
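The two answers above describe what ssh does with a pasted fingerprint: it derives the `SHA256:` fingerprint from the key blob it received on the network, checks that the reply matches exactly, and a lookalike that agrees only at the ends is rejected. The following is an added example, not code from the answers or from OpenSSH: it computes the fingerprint the same way `ssh-keygen -l` does (base64 of the SHA-256 of the raw key blob, padding stripped), extracts the key type the second answer says you must match, and models the prompt's accept/reject logic. The exact-string comparison in `answer_host_key_prompt` and the sample key (a made-up blob, not a real host key) are assumptions of this example.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def key_type(key_blob: bytes) -> str:
    """The key type is the first SSH string in the blob, e.g. 'ssh-ed25519'."""
    (length,) = struct.unpack(">I", key_blob[:4])
    return key_blob[4:4 + length].decode()

def fingerprint_sha256(key_blob: bytes) -> str:
    """'SHA256:' + base64(SHA-256 of the raw key blob) with '=' padding removed (43 chars)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def fingerprint_from_key_line(line: str) -> str:
    """Fingerprint the base64 field of a '<type> <base64> [comment]' public key line."""
    ktype, b64, *_ = line.split()
    blob = base64.b64decode(b64)
    if key_type(blob) != ktype:  # the type named on the line must be the type in the blob
        raise ValueError("key type in line does not match the key blob")
    return fingerprint_sha256(blob)

def answer_host_key_prompt(reply: str, expected_fp: str) -> bool:
    """Model of the yes/no/[fingerprint] prompt (this example's logic, not OpenSSH's code):
    'yes' accepts, 'no' or empty rejects, anything else is accepted only if it equals the
    fingerprint computed from the key seen on the network.  Exact match is an assumption."""
    answer = reply.strip()
    if answer.lower() == "yes":
        return True
    if answer.lower() == "no" or not answer:
        return False
    return answer == expected_fp

def lookalike(fp: str) -> str:
    """A 'fuzzy' fingerprint: same ends as fp, one middle character changed."""
    mid = len(fp) // 2
    return fp[:mid] + ("A" if fp[mid] != "A" else "B") + fp[mid + 1:]

# Constructed sample (not a real host key): an ssh-ed25519 blob with a made-up
# 32-byte public point, base64-encoded as it would appear in known_hosts.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed"
```

Pasting `lookalike(fp)` at the modelled prompt is rejected even though its first and last characters match, which is the glance-based comparison the first answer warns about.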