Search this site:

SSH visual host keys

Via Kees Cook (and sorry for the reiteration for people following along Planet Debian, thanks to Caspar Clemens: Recent (>= 5.1) versions of OpenSSH (found at least in Debian Lenny and Ubuntu Intrepid), have the VisualHostKey option. What does it do?

$ ssh -o VisualHostKey=yes
Host key fingerprint is db:7a:d8:a8:2e:41:a2:e5:51:e1:7f:d0:73:bd:85:bf
+--[ RSA 2048]----+
|    ..           |
|   ..  .   . .   |
|   .. . o . o .  |
|  + .. . o   +   |
| + +  . S   . .  |
|. . .  . o     . |
|     .  .+.   E  |
|    .   o.o      |
|     oo...       |

Linux respaldos.local.iiec 2.6.26-1-vserver-amd64 #1 SMP Wed Oct 1 13:08:10 UTC 2008 x86_64

What does this mean? This ASCII-art graph represents your host’s public key, which uniquely identifies (or at least, it better damn should uniquely identify!) it. This representation was added mainly because it is way easier to be able to visually record the shape of your most frequently used hosts’ IDs than their fingerprint. If you connect from a foreign or untrusted machine (i.e. one that does not yet know your host’s identity), make sure to run with this switch - it will protect you from somebody supplanting your server’s identity. Besides, it adds to the general kewlness factor, doesn’t it? ;-) To enable this behaviour by default, add the following to your /etc/ssh/ssh_config (or to your personal .ssh/config):

Host * 
  VisualHostKey yes

Now… What about publishing the list of the 32767 known-bad SSH keys? That’d make for a nice ASCII-art exhibit :-}


Anonymous 2008-11-03 09:51:25

But where is the “@”?

But where is the “@”?

gwolf 2008-11-03 14:12:16

Not everything in life…

is a nethack game!

Joachim Breitner 2008-10-31 01:59:29

Strictly speaking…

„If you connect from a foreign or untrusted machine…“ – if the machine you connect from is untrusted, then it does not add much theoretical security (as the ssh binary could be modified). Correct would be „if you connect from a trusted machine on an untrusted network to your server for the first time…“. But practically, of course you are right.

BTW, your ASCII captcha is broken here (no mono font, or no fallback in the font specification).