16 ultimate SSH hacks
So you think you know OpenSSH inside and out? Test your chops against this hit parade of 16 expert tips and tricks.
By Carla Schroder
March 26, 2012 — IDG News Service — So you think you know OpenSSH inside and out? Test your chops against this hit parade of 16 expert tips and tricks, from identifying monkey-in-the-middle attacks to road warrior security to attaching remote screen sessions. Follow the countdown to the all-time best OpenSSH command!
SSH tips #16-14:Detecting MITM attacks
When you log into a remote computer for the first time, you are asked if you want to accept the remote host's public key. Well how in the heck do you know if you should or not? If someone perpetrated a successful monkey-in-the-middle attack, and is presenting you with a fake key so they can hijack your session and steal all your secrets, how are you supposed to know? You can know, because when new key pairs are created they also create a unique fingerprint and randomart image:
$ ssh-keygen -t rsa -C newserver -f .ssh/newkey
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in .ssh/newkey.
Your public key has been saved in .ssh/newkey.pub.
The key fingerprint is:
The key's randomart image is:
+--[ RSA 2048]----+
|oo +.o. |
|. = B o. |
| E X + . |
| B B .. |
| . * o S |
| . |
SSH tip #16: Retrieve the fingerprint and randomart image of an SSH key
If you make a copy of this when you create new encryption keys, then you can fetch a key's fingerprint and randomart image anytime to compare and make sure they have not changed:
$ ssh-keygen -lvf keyname
SSH tip #15: View all fingerprints and randomart images in known_hosts
And you can see all of them in your
$ ssh-keygen -lvf ~/.ssh/known_hosts
SSH tip #14: Verify server keys
You can see the fingerprint and randomart for any computer you're logging into by configuring /etc/ssh/ssh_config on your client computer. Simply uncomment the VisualHostKey option and set it to yes:
Then login to any remote computer to test it:
$ ssh user@host2
Host key fingerprint is 66:a1:2a:23:4d:5c:8b:58:e7:ef:2f:e5:49:3b:3d:32
| . o . |
| + = . . . |
|. + o . S |
| o o oo |
|. + . .+ + |
| . o .. E o |
| .o.+ . |
Obviously you need a secure method of getting verified copies of the fingerprint and randomart images for the computers you want to log into. Like a hand-delivered printed copy, encrypted email, the scpcommand, secure ftp, read over the telephone...The risk of a successful MITM attack is small, but if you can figure out a relatively painless verification method it's cheap insurance.