Differences between revisions 50 and 51
Revision 50 as of 2020-09-09 11:38:45
Size: 2177
Editor: bonaccos
Comment:
Revision 51 as of 2020-09-09 11:42:18
Size: 2299
Editor: bonaccos
Comment:
Deletions are marked like this. Additions are marked like this.
Line 18: Line 18:
You can check if the fingerprint is correct with this website (https://ssh-fingerprints.ee.ethz.ch/).
Line 20: Line 19:
The website contains the SSH fingerprints of every SSH server we manage. You can check if the fingerprint is correct trough a second (secured/trusted) channel on this website (https://ssh-fingerprints.ee.ethz.ch/) for ISG.EE managed hosts.

The website contains the SSH fingerprints of every SSH server ISG.EE manage.
Line 23: Line 24:
Line 24: Line 26:
Line 25: Line 28:
If it's the same fingerprint as shown then you can safely trust the connection.
If it's the same fingerprint as shown then you can accept to trust the server and proceed.
Line 29: Line 33:
There may be more than one ssh-key for one host. ssh-ed25519 has stronger encryption than ssh-rsa but ist not yet widely supported. There may be more than one ssh-key for one host. ssh-ed25519 has stronger encryption than ssh-rsa, but it might not yet be supported by your SSH client.
Line 31: Line 35:
There also is a md5 and SHA256 version of every key. Windows uses the md5 and Linux the SHA256 one. There also is a md5 and SHA256 version of every key. Windows uses the md5 and Linux the SHA256 one (as default).
Line 38: Line 42:
As you can see the name and the IP address is the same but the ssh key is not. You should not only check the hostname and IP address but most importantly the fingerprint. As you can see the name and the IP address is the same but the SSH key is not. You should not only check the hostname and IP address but most importantly the fingerprint.

SSH Fingerprints Website

If you're connecting the first time to a SSH Server you will get an alert message. The fingerprint should also be shown right below the message. Key point is that you always need to verify the fingerprint of the remote server before proceeding with the first login.

Linux

linux.jpg

/!\ Be aware that the "." (dot) at the end of the fingerprint is not part of the key fingerprint.

Windows

alert.jpg

The website

You can check if the fingerprint is correct trough a second (secured/trusted) channel on this website (https://ssh-fingerprints.ee.ethz.ch/) for ISG.EE managed hosts.

The website contains the SSH fingerprints of every SSH server ISG.EE manage.

Type in the hostname you want to connect to into the search bar on the top right corner of the website.

The host with its fingerprint should now be shown in the table.

Compare the fingerprint with the alert message.

If it's the same fingerprint as shown then you can accept to trust the server and proceed.

On the top left there is a button to show or hide the SSH-Keys. These keys are saved in a file so the system can be authenticated as a "known host". Upon clicking "Yes" on your first connection to a server, the connection will be saved in that file.

There may be more than one ssh-key for one host. ssh-ed25519 has stronger encryption than ssh-rsa, but it might not yet be supported by your SSH client.

There also is a md5 and SHA256 version of every key. Windows uses the md5 and Linux the SHA256 one (as default).

The part "MD5:" ist not part of the key used for Windows.

Example for bad connection

compare.png

As you can see the name and the IP address is the same but the SSH key is not. You should not only check the hostname and IP address but most importantly the fingerprint.

If you come across this case please under no circumstances type yes. Instead contact us immediately at <support@ee.ethz.ch>.

Example for correct connection

yes.png

If the hostname, the IP address and especially the fingerprint matches with the one from our website then you can safely enter yes.

SshFingerprints (last edited 2020-09-09 11:45:20 by bonaccos)