#rev 2020-09-09 bonaccos <> = SSH Fingerprints Website = If you're connecting the first time to a SSH Server you will get an alert message. The fingerprint should also be shown right below the message. Key point is that you '''always need''' to verify the fingerprint of the remote server before proceeding with the first login. == Linux == {{attachment:linux.jpg}} /!\ Be aware that the "." (dot) at the end of the fingerprint is not part of the key fingerprint. == Windows == {{attachment:alert.jpg}} == The website == You can check if the fingerprint is correct trough a second (secured/trusted) channel on this website (https://ssh-fingerprints.ee.ethz.ch/) for ISG D-ITET managed hosts. The website contains the SSH fingerprints of every SSH server ISG D-ITET manage. Type in the hostname you want to connect to into the search bar on the top right corner of the website. The host with its fingerprint should now be shown in the table. Compare the fingerprint with the alert message. If it's the same fingerprint as shown then you can accept to trust the server and proceed. On the top left there is a button to show or hide the SSH-Keys. These keys are saved in a file so the system can be authenticated as a "known host". Upon clicking "Yes" on your first connection to a server, the connection will be saved in that file. There may be more than one ssh-key for one host. ssh-ed25519 has stronger encryption than ssh-rsa, but it might not yet be supported by your SSH client. The website prints for every the fingerprint hash with MD5 and SHA256. By default nowdays Linux SSH clients uses/print the SHA256 fingerprint hash, on Windows only a MD5 fingerprint hash. == Example for bad connection == {{attachment:compare.png}} As you can see the name and the IP address is the same but the SSH key is not. You should not only check the hostname and IP address but most importantly the fingerprint. If you come across this case please '''under no circumstances''' type yes. '''Instead contact us immediately''' at . == Example for correct connection == {{attachment:yes.png}} If the hostname, the IP address and especially the fingerprint matches with the one from our website then you can safely enter yes.