Hostkey fingerprints

When you log in to a new system for the first time with the SSH protocol, the system returns a hostkey fingerprint to you:

The authenticity of host 'snellius.surf.nl (145.136.63.187)' can't be established.
ED25519 key fingerprint is SHA256:2Vy9858ldWu3Xjt1a58MbhD5CjLIh1LCb8n/up0izGw.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'snellius.surf.nl' (ED25519) to the list of known hosts.

Before you type "yes" to the question posed to you, you can verify this fingerprint against the list of correct fingerprints for Snellius below, to check that you are indeed logging in to the correct system.

ED25519
===
SHA256:2Vy9858ldWu3Xjt1a58MbhD5CjLIh1LCb8n/up0izGw
MD5:22:2d:8c:fa:ca:24:a8:de:6d:08:c2:ad:a2:34:19:61

ECDSA
===
SHA256:BWIyocmUn0wm9gkNhc9CG5MPEQcHFCHxtyPtmkVMbak
MD5:ee:f3:26:54:11:ec:dd:d5:9f:8e:c1:94:fa:99:55:ea

RSA
===
SHA256:saJqHp4Ls1P+23/N/9Jt5kMWGvX8OpqUgZxYUZdV9+s
MD5:21:ac:01:67:67:e4:e8:7b:70:e8:c3:90:d2:02:9f:88
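
As an added example (not part of the original SURF page), the following Python code computes the SHA256 and MD5 fingerprints of a host key line in the "host keytype base64" format used by ssh-keyscan and ~/.ssh/known_hosts, and checks the SHA256 value against the list above. The function names are hypothetical and the sample key is constructed for illustration; it is not the real Snellius key, so the check reports a mismatch for it.

```python
import base64
import hashlib
import struct

# SHA256 fingerprints copied from the list published on this page.
PUBLISHED_SHA256 = {
    "SHA256:2Vy9858ldWu3Xjt1a58MbhD5CjLIh1LCb8n/up0izGw",  # ED25519
    "SHA256:BWIyocmUn0wm9gkNhc9CG5MPEQcHFCHxtyPtmkVMbak",  # ECDSA
    "SHA256:saJqHp4Ls1P+23/N/9Jt5kMWGvX8OpqUgZxYUZdV9+s",  # RSA
}


def fingerprints(line):
    """Return (sha256_fp, md5_fp) for one 'host keytype base64' line."""
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith(("#", "@")):
        raise ValueError("not a plain host key line")
    keytype, blob = fields[1], base64.b64decode(fields[2], validate=True)
    # The key blob starts with a length-prefixed copy of the key type;
    # a mismatch means the line is truncated or has been altered.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != keytype:
        raise ValueError("key type does not match key blob")
    # OpenSSH prints SHA256 as unpadded base64 and MD5 as colon-separated hex.
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    hexmd5 = hashlib.md5(blob).hexdigest()
    md5 = ":".join(hexmd5[i:i + 2] for i in range(0, 32, 2))
    return "SHA256:" + sha, "MD5:" + md5


def is_published(line, published=PUBLISHED_SHA256):
    """True only if the key's SHA256 fingerprint is in the published set."""
    return fingerprints(line)[0] in published


def sample_line():
    """Constructed ED25519 key line (NOT the real Snellius host key)."""
    blob = (
        struct.pack(">I", 11) + b"ssh-ed25519"
        + struct.pack(">I", 32) + bytes(range(32))
    )
    return "snellius.surf.nl ssh-ed25519 " + base64.b64encode(blob).decode()


if __name__ == "__main__":
    line = sample_line()
    print(fingerprints(line), "published:", is_published(line))
```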


It is also possible to configure your SSH client to retrieve the correct SSH hostkey fingerprints from the SURF DNS automatically, without you having to check these fingerprints manually. To enable this, add the following to your ~/.ssh/config: VerifyHostKeyDNS yes. Alternatively, you can use the following SSH command switch to enable this temporarily: -o VerifyHostKeyDNS=yes

For more information about such a setup, check out this blog post
