2010-01-31 22:39

How does cryptography work?

A lot of my blog posts seem to be about cryptography, or at least mention issues related to it, and I am aware that this may make my posts harder to understand. I am also aware that there do not appear to be any helpful introductions to cryptography out there, or rather none which is accessible to the non-expert but still gives a sense of the underlying mathematics. In my mind I have often imagined that I could write such an introduction, and recently I have been motivated to do so after discussion with a school-age relative who said "Cryptography sounds really interesting". She may not think that way after she's read all this, but I hope to at least convince myself that a relatively concise explanation of cryptography, from the ground up, is possible. As cryptography is a rather large field, though, I will only cover RSA public key cryptography.

Continue reading "How does cryptography work?"

2010-01-31 22:39
known_hosts and key fingerprints

Posted by Hagfish in Programming at 22:39 | Comments (0) | Trackbacks (0)

If you have used SSH at all, you are likely to have bumped into a warning message when accessing a new host for the first time. This is because, unlike with HTTPS, there is no central list of which public keys belong to which hosts (or rather, which entities should be trusted to make those connections). For example, if you access www.google.com over HTTPS in a browser, then your browser does the equivalent of downloading a public key from that host, and a certificate saying that this really is Google's public key. This certificate itself has to be checked cryptographically, but it will have been created by one of the few central trusted points for handing out certificates, and your browser will be pre-loaded with a list of these trusted points.

As SSH clients don't tend to have pre-loaded lists like this, you are left to make the judgement yourself about whether a given SSH public (host) key belongs to a given host. One way to do this is by comparing the key's fingerprint (which is presented in the warning message) with another copy of that fingerprint retrieved over a different medium, preferably a trusted one, such as in person. To give someone the information needed to check these fingerprint warnings, you might think of sending them a known_hosts file, which contains a list of hosts and cryptographic data about their public keys, but unfortunately this cryptographic data isn't stored in the same format as fingerprints. Where there's a will, there's a script, though, and so I detail below what can be done.

Continue reading "known_hosts and key fingerprints"
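As an added example (not the post's own script), the following Python reads one known_hosts line, checks that the key type embedded in the base64 key blob agrees with the text field, and derives the MD5 (colon-separated hex) and SHA256 (base64, "SHA256:" prefix) fingerprints in the formats OpenSSH displays. The host name and the 32-byte key are constructed sample data.

```python
import base64
import hashlib
import struct


def build_known_hosts_line(host: str, key_type: str, raw_key: bytes) -> str:
    """Construct a known_hosts line from a raw public key (sample data only).

    The base64 field is the SSH wire encoding of the key: a length-prefixed
    type string followed by the key's own length-prefixed fields. A real
    known_hosts file is written by ssh itself; this helper just lets the
    example run offline.
    """
    blob = struct.pack(">I", len(key_type)) + key_type.encode()
    blob += struct.pack(">I", len(raw_key)) + raw_key
    return f"{host} {key_type} {base64.b64encode(blob).decode()}"


def fingerprints(line: str) -> dict:
    """Parse one known_hosts line and return the fingerprints ssh would show."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("malformed known_hosts line")
    host, key_type, b64 = fields[0], fields[1], fields[2]
    blob = base64.b64decode(b64, validate=True)
    # The blob carries its own copy of the key type. If it disagrees with the
    # text field, the line was edited or corrupted, so refuse to fingerprint it.
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + type_len].decode()
    if embedded_type != key_type:
        raise ValueError(f"key type mismatch: {key_type!r} vs {embedded_type!r}")
    # Both fingerprints are hashes of the whole wire-format blob, which is why
    # the base64 text in known_hosts does not resemble the fingerprint.
    md5_hex = hashlib.md5(blob).hexdigest()
    md5_fp = ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2))
    sha256_b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    sha256_fp = "SHA256:" + sha256_b64.rstrip("=")
    return {"host": host, "type": key_type, "md5": md5_fp, "sha256": sha256_fp}


# Constructed sample: a fake 32-byte ed25519 public key for example.com.
SAMPLE_LINE = build_known_hosts_line("example.com", "ssh-ed25519", bytes(range(32)))

if __name__ == "__main__":
    for name, value in fingerprints(SAMPLE_LINE).items():
        print(f"{name}: {value}")
```

Compare the printed fingerprint with the one in the ssh warning, or with one obtained out of band; the mismatch check guards against a line that was altered in transit.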