Differences between revisions 4 and 52 (spanning 48 versions)
Revision 4 as of 2018-06-26 14:02:22
Size: 856
Editor: misticat
Comment:
Revision 52 as of 2020-09-09 11:45:20
Size: 2313
Editor: bonaccos
Comment:
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
#rev 2020-09-09 bonaccos

<<TableOfContents(4)>>
Line 3: Line 7:
If you're connecting the first time to a SSH Server you will perhaps get an alert message.
If the message says: '' "The server's host key ist not cached in the registry. You have no gurantee that the server is the computer you think it is." '' it should also show you a fingerprint right below.
You can check if the fingerprint is correct with this website (https://ssh-fingerprints.ee.ethz.ch/).
{{atachment:alert.png||alighn="middle"}}
If you're connecting the first time to a SSH Server you will get an alert message. The fingerprint should also be shown right below the message. Key point is that you '''always need''' to verify the fingerprint of the remote server before proceeding with the first login.

== Linux ==
{{attachment:linux.jpg}}

/!\ Be aware that the "." (dot) at the end of the fingerprint is not part of the key fingerprint.

== Windows ==
{{attachment:alert.jpg}}

== The website ==

You can check if the fingerprint is correct trough a second (secured/trusted) channel on this website (https://ssh-fingerprints.ee.ethz.ch/) for ISG.EE managed hosts.

The website contains the SSH fingerprints of every SSH server ISG.EE manage.

Type in the hostname you want to connect to into the search bar on the top right corner of the website.

The host with its fingerprint should now be shown in the table.

Compare the fingerprint with the alert message.

If it's the same fingerprint as shown then you can accept to trust the server and proceed.

On the top left there is a button to show or hide the SSH-Keys. These keys are saved in a file so the system can be authenticated as a "known host". Upon clicking "Yes" on your first connection to a server, the connection will be saved in that file.

There may be more than one ssh-key for one host. ssh-ed25519 has stronger encryption than ssh-rsa, but it might not yet be supported by your SSH client.

The website prints for every the fingerprint hash with MD5 and SHA256. By default nowdays Linux SSH clients uses/print the SHA256 fingerprint hash, on Windows only a MD5 fingerprint hash.

== Example for bad connection ==
{{attachment:compare.png}}

As you can see the name and the IP address is the same but the SSH key is not. You should not only check the hostname and IP address but most importantly the fingerprint.

If you come across this case please '''under no circumstances''' type yes. '''Instead contact us immediately''' at <support@ee.ethz.ch>.
Line 9: Line 45:
The website contains the SSH fingerprints of every SSH server we manage.
Search or type in the hostname you want to connect to in the search bar on the top right corner of the website.
The host with its fingerprint should now be shown in the table.
Compare the fingerprint with the alert message.
If it's the same fingerprint as shown then can safely trust the connection.
== Example for correct connection ==
{{attachment:yes.png}}

If the hostname, the IP address and especially the fingerprint matches with the one from our website then you can safely enter yes.

SSH Fingerprints Website

If you're connecting the first time to a SSH Server you will get an alert message. The fingerprint should also be shown right below the message. Key point is that you always need to verify the fingerprint of the remote server before proceeding with the first login.

Linux

linux.jpg

/!\ Be aware that the "." (dot) at the end of the fingerprint is not part of the key fingerprint.

Windows

alert.jpg

The website

You can check if the fingerprint is correct trough a second (secured/trusted) channel on this website (https://ssh-fingerprints.ee.ethz.ch/) for ISG.EE managed hosts.

The website contains the SSH fingerprints of every SSH server ISG.EE manage.

Type in the hostname you want to connect to into the search bar on the top right corner of the website.

The host with its fingerprint should now be shown in the table.

Compare the fingerprint with the alert message.

If it's the same fingerprint as shown then you can accept to trust the server and proceed.

On the top left there is a button to show or hide the SSH-Keys. These keys are saved in a file so the system can be authenticated as a "known host". Upon clicking "Yes" on your first connection to a server, the connection will be saved in that file.

There may be more than one ssh-key for one host. ssh-ed25519 has stronger encryption than ssh-rsa, but it might not yet be supported by your SSH client.

The website prints for every the fingerprint hash with MD5 and SHA256. By default nowdays Linux SSH clients uses/print the SHA256 fingerprint hash, on Windows only a MD5 fingerprint hash.

Example for bad connection

compare.png

As you can see the name and the IP address is the same but the SSH key is not. You should not only check the hostname and IP address but most importantly the fingerprint.

If you come across this case please under no circumstances type yes. Instead contact us immediately at <support@ee.ethz.ch>.

Example for correct connection

yes.png

If the hostname, the IP address and especially the fingerprint matches with the one from our website then you can safely enter yes.

SshFingerprints (last edited 2023-10-16 13:35:16 by alders)