Check and verify SSH fingerprints

Instructor: Mark Shust

Learn how to retrieve the SSH fingerprint of a remote host, and also how to verify you are connecting to your trusted server and not an impersonator. The known_hosts file keeps track of SSH fingerprints and remote hosts that you previously connected to.

Instructor: [0:00] Once you SSH into a remote host, the server fingerprint and key are added to the known_hosts file within the .ssh folder of your home directory. This file contains a list of remote servers you have connected to in the past. The file ensures you are connected to the correct server, not a fake or impersonator.

[0:22] Sometimes if you try connecting to a new machine that has been assigned an IP address which you previously used to connect to another server, you will get a host mismatch error. This is because the remote host fingerprint does not match the record within your known_hosts file.

[0:41] SSH into your remote host. What you will do next is get the SSH fingerprint of this machine. Type ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub. The -l tells ssh-keygen we want the fingerprint, and the -f tells it where to find the host's public key. This is the typical location for Linux servers. What is output is the fingerprint of this machine.

[1:21] Now exit the remote host and run the command ssh-keygen -R and then the remote hostname or IP. This command removes all keys from the known_hosts file on your local machine that belong to the specified host.

[1:38] Now when you try to connect back to the remote host, it'll ask you to confirm connecting to the remote host and will also supply you with the remote host's SSH fingerprint. You can compare the output of the remote host's fingerprint to the output of the fingerprint that we're about to connect to in order to verify you are connecting to the desired remote host.
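The lesson above walks through three client-side behaviours: computing a host key's fingerprint (ssh-keygen -l), the known_hosts lookup that produces either a silent connect, a host mismatch error, or the first-contact prompt, and the entry removal done by ssh-keygen -R. The following is an added example, not code from the lesson or from OpenSSH: an offline Python model of those checks that parses a constructed known_hosts file, computes the same SHA256 fingerprint form that ssh-keygen prints, and also handles the hashed-hostname entries (HashKnownHosts) that the lesson does not cover. The key blobs, salt and the 203.0.113.x / build.example hosts are fabricated sample data; the real client additionally handles [host]:port fields, @cert-authority and @revoked markers, and the wildcard patterns that are left out here.

```python
"""Offline model of the known_hosts checks described in the lesson.

Assumptions (not from the page): the key blobs are fabricated bytes, not real
server keys; hosts use RFC 5737 documentation addresses and an invented name.
"""
import base64
import hashlib
import hmac


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def make_blob(key_type: str, key_material: bytes) -> str:
    """Base64 public-key blob as it appears in *.pub files and known_hosts."""
    return base64.b64encode(_ssh_string(key_type.encode()) + _ssh_string(key_material)).decode()


def fingerprint(b64_key: str) -> str:
    """Same value `ssh-keygen -l -f key.pub` prints: SHA256 over the decoded blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_host(host: str, salt: bytes) -> str:
    """Hashed host field (HashKnownHosts yes): |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_matches(pattern: str, host: str) -> bool:
    """Match one host field, plain (comma-separated names/IPs) or hashed, against a hostname or IP."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        actual = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64decode(mac_b64), actual)
    return host in pattern.split(",")


def parse_known_hosts(text: str):
    """Yield (host_field, key_type, b64_key) for each non-comment, well-formed line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # blank, comment or malformed; the real client skips these too
        yield fields[0], fields[1], fields[2]


def verify_host_key(known_hosts: str, host: str, key_type: str, b64_key: str) -> str:
    """Client decision for a host presenting (key_type, b64_key):
    'match'    -> connect silently
    'mismatch' -> REMOTE HOST IDENTIFICATION HAS CHANGED (the lesson's host mismatch error)
    'unknown'  -> first-contact prompt that shows the fingerprint for manual comparison
    """
    presented = fingerprint(b64_key)
    seen_host = False
    for host_field, ktype, key in parse_known_hosts(known_hosts):
        if not host_matches(host_field, host):
            continue
        seen_host = True
        if ktype == key_type and fingerprint(key) == presented:
            return "match"
    return "mismatch" if seen_host else "unknown"


def remove_host(known_hosts: str, host: str) -> str:
    """What `ssh-keygen -R host` does: drop every line whose host field matches `host`."""
    kept = []
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith("#") and host_matches(fields[0], host):
            continue
        kept.append(line)
    return "\n".join(kept) + ("\n" if kept else "")


# Constructed sample data: OLD_KEY is the key recorded for 203.0.113.10, NEW_KEY is the key a
# freshly provisioned machine at that same IP now presents (the scenario from the lesson).
OLD_KEY = make_blob("ssh-ed25519", bytes(range(32)))
NEW_KEY = make_blob("ssh-ed25519", bytes(32))
SALT = bytes(range(20))  # constructed salt for the hashed entry
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts file (sample entries, not real hosts)",
    f"203.0.113.10 ssh-ed25519 {OLD_KEY}",
    f"{hash_host('build.example', SALT)} ssh-ed25519 {NEW_KEY}",
]) + "\n"


if __name__ == "__main__":
    # 1. The re-used IP now presents a different key: the client refuses with a mismatch.
    print("reused IP:", verify_host_key(SAMPLE_KNOWN_HOSTS, "203.0.113.10", "ssh-ed25519", NEW_KEY))
    # 2. After `ssh-keygen -R 203.0.113.10` the host is unknown and the prompt shows this fingerprint,
    #    which you compare against what `ssh-keygen -l -f /etc/ssh/ssh_host_*_key.pub` printed on the server.
    cleaned = remove_host(SAMPLE_KNOWN_HOSTS, "203.0.113.10")
    print("after -R:", verify_host_key(cleaned, "203.0.113.10", "ssh-ed25519", NEW_KEY), fingerprint(NEW_KEY))
    # 3. Hashed entries still match the plain hostname you type.
    print("hashed host:", verify_host_key(cleaned, "build.example", "ssh-ed25519", NEW_KEY))
```

The order of steps in the main block mirrors the lesson: a mismatch is the client doing its job, so the fix is to remove the stale entry with ssh-keygen -R and then compare the fingerprint shown at the next connection prompt with the one you read directly on the server, rather than blindly accepting the new key.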