Ssh
如何比較不同的 SSH 指紋(公鑰雜湊)格式?
當我登錄到 SSH 伺服器/主機時,我會被詢問其公鑰的雜湊值是否正確,如下所示:
# ssh 1.2.3.4 The authenticity of host '[1.2.3.4]:22 ([[1.2.3.4]:22)' can't be established. RSA key fingerprint is SHA256:CxIuAEc3SZThY9XobrjJIHN61OTItAU0Emz0v/+15wY. Are you sure you want to continue connecting (yes/no)? no Host key verification failed.為了能夠比較,我之前在 SSH 伺服器上使用了這個命令,並將結果保存到客戶端的一個文件中:
# ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub 2048 f6:bf:4d:d4:bd:d6:f3:da:29:a3:c3:42:96:26:4a:41 /etc/ssh/ssh_host_rsa_key.pub (RSA)出於某種重要原因(毫無疑問),其中一個命令使用了一種不同的(更新的?)顯示雜湊的方式,從而極大地幫助了中間人攻擊者,因為它需要一個重要的轉換來比較這些。
如何比較這兩個雜湊值,或者更好:強制一個命令使用另一個命令的格式?
該
-E選項ssh-keygen在伺服器上不可用。
SSH
# ssh -o "FingerprintHash sha256" testhost The authenticity of host 'testhost (256.257.258.259)' can't be established. ECDSA key fingerprint is SHA256:pYYzsM9jP1Gwn1K9xXjKL2t0HLrasCxBQdvg/mNkuLg. # ssh -o "FingerprintHash md5" testhost The authenticity of host 'testhost (256.257.258.259)' can't be established. ECDSA key fingerprint is MD5:de:31:72:30:d0:e2:72:5b:5a:1c:b8:39:bf:57:d6:4a.ssh-keyscan & ssh-keygen
另一種方法是將公鑰下載到同時支持 MD5 和 SHA256 雜湊的系統:
# ssh-keyscan testhost >testhost.ssh-keyscan # cat testhost.ssh-keyscan testhost ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItb... testhost ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0U... testhost ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKHh... # ssh-keygen -lf testhost.ssh-keyscan -E sha256 256 SHA256:pYYzsM9jP1Gwn1K9xXjKL2t0HLrasCxBQdvg/mNkuLg testhost (ECDSA) 2048 SHA256:bj+7fjKSRldiv1LXOCTudb6piun2G01LYwq/OMToWSs testhost (RSA) 256 SHA256:hZ4KFg6D+99tO3xRyl5HpA8XymkGuEPDVyoszIw3Uko testhost (ED25519) # ssh-keygen -lf testhost.ssh-keyscan -E md5 256 MD5:de:31:72:30:d0:e2:72:5b:5a:1c:b8:39:bf:57:d6:4a testhost (ECDSA) 2048 MD5:d5:6b:eb:71:7b:2e:b8:85:7f:e1:56:f3:be:49:3d:2e testhost (RSA) 256 MD5:e6:16:94:b5:16:19:40:41:26:e9:f8:f5:f7:e7:04:03 testhost (ED25519)