SSH Fingerprint ASCII Visualization

OpenSSH Logo

OpenBSD is my favorite OS and one more time, it makes the difference! The latest OpenBSD CVS version introduces the “SSH Fingerprint ASCII Visualization“. What does it mean?

When you connect to remote host via SSH, your SSH client performs some checks on the server key. If it changed, you receive a prompt like the following:

$ ssh user@server.org
The authenticity of host 'server.org (10.0.0.1)' can't be \
established.
RSA key fingerprint is \
e4:4d:22:17:dd:bd:8a:6c:9a:00:42:bf:df:f9:b9:a1.
Are you sure you want to continue connecting (yes/no)?

The server key fingerprint is the hexadecimal string. What appends most of the time? You just answer “Yes”. It’s not your fault, the human brain is not optimized to remember long strings of characters. During the latest Hackathon, a developer (Alexander von Gernler) wrote some piece of code to display the server SSH fingerprints in plain ASCII (do you remember the ASCII Art?). Now, a connection to a server will look like this:

$ ssh user@server.org
The authenticity of host 'server.org (10.0.0.1)' can't be \
established.
RSA key fingerprint is \
e4:4d:22:17:dd:bd:8a:6c:9a:00:42:bf:df:f9:b9:a1.
+--[ RSA ]--------+
|                 |
|                 |
|     .o + o      |
|  ..oo o *       |
| ..o.   Z        |
|o  ..  ..        |
|.. .==.          |
|E.oo++           |
| oooooo.         |
+-----------------+
Are you sure you want to continue connecting (yes/no)?

For the human brain, it will be much easier to detect any change in the fingerprint! So, it will help us to detect potential security breaches (MITM attacks is a good example).

More information via a post on undeadly.org.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.