fingerprint for the ECDSA key
验证 fingerprint for the ECDSA key
ssh-keygen -t ecdsa -f ssh_host_ecdsa_key
在B上ssh A ,得到A的fingerprint for the ECDSA key :请问怎么在A上核实fingerprint for the ECDSA key ?
怎么验证其shu
https://serverfault.com/questions/690855/check-the-fingerprint-for-the-ecdsa-key-sent-by-the-remote-host
https://en.wikipedia.org/wiki/Public_key_fingerprint
在公开密钥加密中,公开密钥指纹(下称:公钥指纹)是用于标识较长公共密钥字节的短序列。指纹通过应用加密散列函数到一个公共密钥来实现。[1]由于指纹较比生成它们的密钥短得多,因此可以用来简化某些密钥的管理任务。
zh.wikipedia.org/wiki/公开密钥指纹
[root@localhost etc]# ssh 47.103.130.122 The authenticity of host '47.103.130.122 (47.103.130.122)' can't be established. ECDSA key fingerprint is ae:c6:19:06:c6:bd:45:15:8c:e3:f1:72:8b:db:49:9b. Are you sure you want to continue connecting (yes/no)? iZuf6e17yluo9vhmc8zpujZ ssh # for file in *_key.pub; do ssh-keygen -lf $file; done 1024 SHA256:nQ0XISn0Ttbg4kyCRKJruL9Tzw+ui41+AHKWU2UTn04 root@iZuf6e17yluo9vhmc8zpujZ (DSA) 256 SHA256:8Op4jTz/yItNN4MubGsGRtSJNwPZngkGDgHXpwqxdkI root@iZuf6e17yluo9vhmc8zpujZ (ECDSA) 256 SHA256:JZ4+J2EqjBaJ5BS1VDQDwXgo0575slnlLLxu8W0gePE root@iZuf6e17yluo9vhmc8zpujZ (ED25519) 2048 SHA256:R4y4F0Z/p91m+hRWid6IkU9nMDd6T5vf1/8vei9mNSk root@iZuf6e17yluo9vhmc8zpujZ (RSA) iZuf6e17yluo9vhmc8zpujZ ssh # pwd /etc/ssh iZuf6e17yluo9vhmc8zpujZ ssh # for file in *_key.pub; do cat $file; done ssh-dss AAAAB3NzaC1kc3MAAACBAO1lKslvEr+NylRDMx4GfGyvT/nm/QM1a1AKl379uThL2WYEh/ywi5zjf5CoFwVCO+F14UnXO3zn/wfUhfZkaOClWRkyojyz2ZA9MGlcLVGHOKlzFtiwE+G03NOdltKcy4MZSdpHzzN/tObPHlvwJDwxFk4taYRQzSgj9uvjtM+ZAAAAFQDrlKl29qlLUuqIrcmBRf+tzsfR7QAAAIEA0WbxRR4rTFri2yWetsYIu/8rD4+buQhF+WR5qmF3baYDx/chqbiqdEr0tjADcc03N+F9m8qOiAbTpYVyxgAT3U1Pflt5VTF46tcxge2PYXJJf7Vq+Zw9EbosCU2bFzlpxb13bkUex6TCoxwUMLZW5MVtoXILyz1VJppldQURxjgAAACAXcN0d6BzMDO5rnsxYnZpBM4nqkBP8QFFip6P6z2OcNhQqrc7DeWuSINhFCwLydhlK05diQqbZ6+xio484rt+Vy07eDrBMoOAPhZWUNW9gCjPF3A6y2RxoNpHwD1ztbQs3B6ieNcCDzUxOyjLZYM0tlnS5Y2Wt1lmXfSD2jbYs2s= root@iZuf6e17yluo9vhmc8zpujZ ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGRxjDJEj56fDlblsLMlCrSQ+Q9gvdupg0XF1RpFqYj38PzJdqzsOz+twPW11nmz4+DraeRpHRdUlaIdWBcLO9Y= root@iZuf6e17yluo9vhmc8zpujZ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBBhxEsC+UA64MQa7o/G1Zg4ggNcmlAo+X0mh4M0i5mk root@iZuf6e17yluo9vhmc8zpujZ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQCwH+6c6MY7Z4C1Kghebq8IcUw1RbfVZaEwiumOmpPPYDM97KthdoOfc+VTKZiRtVI6Qze/rKDaSWtnSHSX/bFzhRXJQiybNQGZ6x1VhlT07+95Wv6ZsWMc0fviWGKgL4ddkSkWNAdNC5XCN+T4azpFnO8WxXYbHIUmgMWYMdfCsFMNvSfGGxB0WhOff/st8EquWeLwgOs2d1sZTKsjBC7hsOqnzYtLcRsuL8XSsHRieVQ2drxyJqVmSJztqdc4uUv00GbE6h2yK/O/GIY2Gp8y6e6SiYNxjPbiqK/M70U2kcOXsp4hGtqM1xQcRjp5mbTxWvma34Tsrfp8uPr65b root@iZuf6e17yluo9vhmc8zpujZ iZuf6e17yluo9vhmc8zpujZ ssh #
生成公钥指纹的概括步骤如下:
- 公钥(以及任选的一些额外数据)被编码成一个字节序列,以确保同一指纹以后在相同情况下可以创建,因此编码必须是确定的,并且任何附加的数据必须与公共密钥一同存放。附加数据通常是使用此公共密钥的人应该知道的信息,如:密钥持有人的身份(此情况下,X.509信任固定的指纹,且所述附加数据包括一个X.509自签名证书)[2]。
- 在前面步骤中产生的数据被散列加密,如使用SHA-1或SHA-2。
- 如果需要,散列函数的输出可以缩短,以提供更方便管理的指纹。
产生的短指纹可用于验证一个很长的公共密钥。例如,一个典型RSA公共密钥的长度会在1024位以上,MD5或SHA-1的指纹却只有128或160位。
当指纹被显示时,通常被编码成十六进制字符串。然后,这些字符串格式化成可读性字符组。例如,如一个128位的MD5指纹SSH将被显示为:
43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8
[root@localhost ~]# ssh 47.103.130.122 The authenticity of host '47.103.130.122 (47.103.130.122)' can't be established. ECDSA key fingerprint is ae:c6:19:06:c6:bd:45:15:8c:e3:f1:72:8b:db:49:9b. Are you sure you want to continue connecting (yes/no)? iZuf6e17yluo9vhmc8zpujZ ssh # cd /etc/ssh;for i in `ls *.pub`;do echo $i && ssh-keygen -lf $i -E md5;done ssh_host_dsa_key.pub 1024 MD5:81:cc:5f:85:22:06:86:f7:a1:02:53:14:c3:1f:75:31 root@iZuf6e17yluo9vhmc8zpujZ (DSA) ssh_host_ecdsa_key.pub 256 MD5:ae:c6:19:06:c6:bd:45:15:8c:e3:f1:72:8b:db:49:9b root@iZuf6e17yluo9vhmc8zpujZ (ECDSA) ssh_host_ed25519_key.pub 256 MD5:09:57:19:76:45:2e:d6:f4:01:06:7b:9d:2d:6f:da:99 root@iZuf6e17yluo9vhmc8zpujZ (ED25519) ssh_host_rsa_key.pub 2048 MD5:6b:a7:92:ec:c8:03:24:0a:3f:ce:7e:a3:73:fe:e1:6f root@iZuf6e17yluo9vhmc8zpujZ (RSA) iZuf6e17yluo9vhmc8zpujZ ssh #