SSH visual host keys

Submitted by gwolf on Thu, 10/30/2008 - 18:14

Via Kees Cook (and sorry for the reiteration for people following along Planet Debian, thanks to Caspar Clemens: Recent (>= 5.1) versions of OpenSSH (found at least in Debian Lenny and Ubuntu Intrepid), have the VisualHostKey option. What does it do?

$ ssh -o VisualHostKey=yes 172.16.10.1
Host key fingerprint is db:7a:d8:a8:2e:41:a2:e5:51:e1:7f:d0:73:bd:85:bf
+--[ RSA 2048]----+
|    ..           |
|   ..  .   . .   |
|   .. . o . o .  |
|  + .. . o   +   |
| + +  . S   . .  |
|. . .  . o     . |
|     .  .+.   E  |
|    .   o.o      |
|     oo...       |
+-----------------+

Linux respaldos.local.iiec 2.6.26-1-vserver-amd64 #1 SMP Wed Oct 1 13:08:10 UTC 2008 x86_64

What does this mean? This ASCII-art graph represents your host's public key, which uniquely identifies (or at least, it better damn should uniquely identify!) it. This representation was added mainly because it is way easier to be able to visually record the shape of your most frequently used hosts' IDs than their fingerprint. If you connect from a foreign or untrusted machine (i.e. one that does not yet know your host's identity), make sure to run with this switch - it will protect you from somebody supplanting your server's identity.
Besides, it adds to the general kewlness factor, doesn't it? ;-)
To enable this behaviour by default, add the following to your /etc/ssh/ssh_config (or to your personal .ssh/config):

Host * 
  VisualHostKey yes

Now... What about publishing the list of the 32767 known-bad SSH keys? That'd make for a nice ASCII-art exhibit :-}

( categories: )
Anonymous's picture

Strictly speaking...

Submitted by Joachim Breitner (not verified) on Fri, 10/31/2008 - 03:59.

„If you connect from a foreign or untrusted machine...“ – if the machine you connect from is untrusted, then it does not add much theoretical security (as the ssh binary could be modified). Correct would be „if you connect from a trusted machine on an untrusted network to your server for the first time...“. But practically, of course you are right.

BTW, your ASCII captcha is broken here (no mono font, or no fallback in the font specification).

Anonymous's picture

But where is the "@"?

Submitted by Anonymous (not verified) on Mon, 11/03/2008 - 12:51.

But where is the "@"?

gwolf's picture

Not everything in life...

Submitted by gwolf on Mon, 11/03/2008 - 17:12.

is a nethack game!

Post new comment

The content of this field is kept private and will not be shown publicly. If you have a Gravatar account, used to display your avatar.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <br> <b> <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <blockquote> <img> <h1> <h2> <h3> <tt> <pre> <strike> <table> <tr> <th> <td>
  • Lines and paragraphs break automatically.
  • Use <bib>citekey</bib> or [bib]citekey[/bib] to insert automatically numbered references.
  • Use [fn]...[/fn] (or <fn>...</fn>) to insert automatically numbered footnotes.
  • You can enable syntax highlighting of source code with the following tags: <code>, <blockcode>. The supported tag styles are: <foo>, [foo].

More information about formatting options

CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.
Image CAPTCHA
Enter the characters shown in the image.