I work on Windows 10.
I PuTTY ssh into physical:CentOS7, virtualbox:CentOS6,7 & Ubuntu 16.
On 1st ssh FROM Win TO vb:Ubuntu & I get the regular ole server/fingerprint not a known host popup. No big deal. But I wondered: how could I confirm there's no "man in the middle" ?
Simplest case: I'm sitting in front of the target (called 'local' from here on) and check its fingerprint directly.
Turns out: trying to local view the public machine key fingerprint using ssh-keygen -lf <filename> (file: /etc/ssh/ssh_host_rsa_key.pub) on the Ubuntu 16 gave me a fingerprint I couldn't match against any warning from a remote ssh.
By anywhere, I mean that:
- the string
"2048 SHA256:NPAUL **** 4QQ [email protected] (RSA)"is not what appears in the PuTTy popup and when I copy the pub key file to CentOS6 or 7 and run
ssh-keygen -l -fagainst it, they match each other but not the one from runningssh-keygenlocally on Ubuntu (like, the implementations differ).2a. doing the
scpwas just a way I thought I might test things out.
The nut of the question is: how can I confirm the fingerprint ssh ui shows me is correct before I tell it 'yes' I'll accept it?
Local view of fingerprint (approx): "2048 SHA256:NPAULv10 **** lic4QQ [email protected] (RSA)"
Remote view of fingerprint (using Win PuTTy): "The new rsa2 key fingerprint is: ssh-rsa 2048 ce:e9:43 **** :cb"
Remote view of fingerprint (using CentOS6&7 terminal): "2048 ce:e9:43 **** :cb" filename (RSA)
Note:
- The remotely viewed fingerprint has colons in it.
- The bubblebabble digests (from
-B) are match but they aren't fingerprints. - local
ssh-keygen -lfon/etc/ssh*.pub(i.e.: *dsa_key.pub, *ecdsa_key.pub, *ed25519_key.pub & *rsa_key.pub) didn't output a match for the fingerprint seen remotely either. - I've overlookedly something probably, I did check the std man pages, ubuntu docs ... don't know what I'm missing.
