When connecting to a server for the first time, a fingerprint of
the server's public key is presented to the user (unless the option
StrictHostKeyChecking has been disabled). Fingerprints can be
determined using ssh-keygen(1):
$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
If the fingerprint is already known, it can be matched and the key
can be accepted or rejected. If only legacy (MD5) fingerprints for
the server are available, the ssh-keygen(1) -E option may be used
to downgrade the fingerprint algorithm to match.
Because of the difficulty of comparing host keys just by looking at
fingerprint strings, there is also support to compare host keys
visually, using random art. By setting the VisualHostKey option to
'yes', a small ASCII graphic gets displayed on every login to a
server, whether or not the session itself is interactive. By
learning the pattern a known server produces, a user can easily
notice that the host key has changed when a completely different
pattern is displayed. These patterns are not unambiguous, however:
a pattern that looks similar to the one remembered only gives a
good probability that the host key is the same, not guaranteed
proof.
To get a listing of the fingerprints along with their random art
for all known hosts, the following command line can be used:
$ ssh-keygen -lv -f ~/.ssh/known_hosts
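To show why random art is deterministic but lossy, here is an added example (not code from OpenSSH) that re-implements the "drunken bishop" walk ssh-keygen uses in sshkey.c: a 17x9 board, the bishop starts in the centre, and every byte of the fingerprint digest yields four diagonal moves, two bits per move, least significant bits first. The function names, the sample digests (constructed from arbitrary strings, not real host keys) and the field_overlap helper are my own; the border layout follows ssh-keygen's output.

```python
import hashlib

FIELD_W, FIELD_H = 17, 9
# cell value -> symbol; the last two entries mark the start and end of the walk
SYMBOLS = " .o+=*BOX@%&#/^SE"
MAX_VISITS = len(SYMBOLS) - 3              # 14: a cell saturates at '^'
START, END = len(SYMBOLS) - 2, len(SYMBOLS) - 1   # 'S' and 'E'


def bishop_walk(digest: bytes):
    """Run the drunken-bishop walk over a hash digest.

    Returns the visit-count field (FIELD_H rows of FIELD_W cells) and the
    final (x, y). Each byte gives four moves, two bits per move, LSB first:
    bit 0 selects left/right, bit 1 selects up/down.
    """
    field = [[0] * FIELD_W for _ in range(FIELD_H)]
    x, y = FIELD_W // 2, FIELD_H // 2      # the bishop starts in the centre cell
    for byte in digest:
        for _ in range(4):
            x += 1 if byte & 0x1 else -1
            y += 1 if byte & 0x2 else -1
            # the bishop cannot leave the board; moves into the edge are clamped
            x = max(0, min(x, FIELD_W - 1))
            y = max(0, min(y, FIELD_H - 1))
            if field[y][x] < MAX_VISITS:
                field[y][x] += 1
            byte >>= 2
    return field, (x, y)


def randomart(digest: bytes, key_label: str = "ED25519 256", hash_label: str = "SHA256") -> str:
    """Render the walk as the ASCII picture VisualHostKey / ssh-keygen -lv print."""
    field, (ex, ey) = bishop_walk(digest)
    field[FIELD_H // 2][FIELD_W // 2] = START
    field[ey][ex] = END                    # overwrites 'S' if the walk ended where it began
    top = f"[{key_label}]"
    bottom = f"[{hash_label}]"
    pad = FIELD_W - len(bottom)
    lines = ["+--" + top + "-" * (FIELD_W - 2 - len(top)) + "+"]
    lines += ["|" + "".join(SYMBOLS[v] for v in row) + "|" for row in field]
    lines.append("+" + "-" * (pad // 2) + bottom + "-" * (pad - pad // 2) + "+")
    return "\n".join(lines)


def field_overlap(digest_a: bytes, digest_b: bytes) -> float:
    """Fraction of the 153 cells that carry the same symbol for two digests.

    Most cells stay blank, so unrelated keys routinely agree on a large share
    of the board; that is why a 'similar looking' picture is only evidence.
    """
    a, _ = bishop_walk(digest_a)
    b, _ = bishop_walk(digest_b)
    same = sum(1 for y in range(FIELD_H) for x in range(FIELD_W) if a[y][x] == b[y][x])
    return same / (FIELD_W * FIELD_H)


if __name__ == "__main__":
    # constructed sample digests standing in for two different host key fingerprints
    a = hashlib.sha256(b"constructed host key blob A").digest()
    b = hashlib.sha256(b"constructed host key blob B").digest()
    print(randomart(a))
    print(randomart(b))
    print(f"cells agreeing between the two pictures: {field_overlap(a, b):.0%}")
```

Run it and compare the two pictures: they differ clearly, yet field_overlap usually reports well over half the cells agreeing, which is the "good probability, not proof" caveat made concrete.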
If the fingerprint is unknown, an alternative method of
verification is available: SSH fingerprints verified by DNS. An
additional resource record (RR), SSHFP, is added to a zonefile and
the connecting client is able to match the fingerprint with that of
the key presented.
In this example, we are connecting a client to a server,
'host.example.com'. The SSHFP resource records should first be
added to the zonefile for host.example.com:
$ ssh-keygen -r host.example.com.
The output lines will have to be added to the zonefile. To check
that the zone is answering fingerprint queries:
$ dig -t SSHFP host.example.com
Finally the client connects:
$ ssh -o "VerifyHostKeyDNS ask" host.example.com
[...]
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?
See the VerifyHostKeyDNS option in ssh_config(5) for more
information. Note that with 'yes' the client only trusts a matching
fingerprint implicitly when the DNS answer was validated with DNSSEC;
fingerprints from insecure answers are handled as 'ask'.
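The fingerprint and SSHFP procedures above both hash the same thing: the decoded key blob, not the base64 text of the public key line. The following added example (not OpenSSH code) reproduces what ssh-keygen -l, ssh-keygen -E md5 and ssh-keygen -r compute and then performs the match a client does against SSHFP records. The function names are my own, the algorithm and fingerprint-type numbers are those of RFC 4255, RFC 6594 and RFC 7479 (RSA 1, DSA 2, ECDSA 3, Ed25519 4; SHA-1 1, SHA-256 2), and the ssh-ed25519 key line is constructed from arbitrary bytes rather than taken from a real host.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers and fingerprint types (RFC 4255, RFC 6594, RFC 7479)
SSHFP_ALGORITHM = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE = {1: "sha1", 2: "sha256"}


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire 'string' (4-byte big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey(line: str):
    """Parse a .pub-style line '<type> <base64 blob> [comment]' into (type, blob)."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # the blob begins with the key type as an ssh string; it must agree with the text prefix
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type prefix does not match the encoded blob")
    return keytype, blob


def fingerprint(blob: bytes, alg: str = "sha256") -> str:
    """Fingerprint as ssh-keygen -l prints it; alg='md5' gives the legacy -E md5 form."""
    if alg == "sha256":
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")   # padding dropped
    if alg == "md5":
        return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    raise ValueError(f"unsupported fingerprint hash {alg!r}")


def sshfp_records(hostname: str, keytype: str, blob: bytes):
    """Zone-file SSHFP records for one key, a SHA-1 and a SHA-256 record as ssh-keygen -r emits."""
    alg = SSHFP_ALGORITHM[keytype]
    return [
        f"{hostname} IN SSHFP {alg} {fptype} {hashlib.new(name, blob).hexdigest()}"
        for fptype, name in sorted(SSHFP_FPTYPE.items())
    ]


def matches_sshfp(keytype: str, blob: bytes, records) -> bool:
    """True if some record carries this key's algorithm and a hash of the presented blob.

    Accepts zone-file or dig lines ('name [ttl] IN SSHFP a t hex') and bare RDATA
    ('a t hex'). Unknown algorithm or hash types are skipped, never trusted, and the
    hex comparison is constant-time.
    """
    want_alg = SSHFP_ALGORITHM[keytype]
    for rec in records:
        fields = rec.split()
        start = fields.index("SSHFP") + 1 if "SSHFP" in fields else 0
        try:
            alg, fptype = int(fields[start]), int(fields[start + 1])
            hexfp = "".join(fields[start + 2:]).lower()   # tolerate wrapped hex
        except (IndexError, ValueError):
            continue
        if alg != want_alg or fptype not in SSHFP_FPTYPE:
            continue
        computed = hashlib.new(SSHFP_FPTYPE[fptype], blob).hexdigest()
        if hmac.compare_digest(computed, hexfp):
            return True
    return False


def constructed_pubkey_line() -> str:
    """A constructed ssh-ed25519 public key line; the 32 key bytes are arbitrary, not a real key."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    keytype, blob = parse_pubkey(constructed_pubkey_line())
    print(fingerprint(blob))
    print(fingerprint(blob, "md5"))
    records = sshfp_records("host.example.com.", keytype, blob)
    print("\n".join(records))
    print("presented key matches DNS:", matches_sshfp(keytype, blob, records))
```

To check a real host, read /etc/ssh/ssh_host_ed25519_key.pub into parse_pubkey and compare fingerprint() with what ssh-keygen -l prints; the matching step is the same one the client performs, only the trust decision (DNSSEC-validated or not) is left to VerifyHostKeyDNS.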