fingerprint: What's the syntax? #81

Closed
simmel opened this issue Sep 10, 2020 · 7 comments · Fixed by #120

Comments

@simmel

simmel commented Sep 10, 2020

I've tried all sorts of versions of using the fingerprint:

SHA256:Bbf[…]
RSA SHA256:Bbf[…]
domain.tld RSA SHA256:Bbf[…]
AAAAB3Nz[…]=
ssh-rsa AAAAB3Nz[…]=
ssh-rsa AAAAB3Nz[…]= root@domain.tld
domain.tld,192.0.2.1 ssh-rsa AAAAB3Nz[…]=

But nothing seems to work. What should the syntax be and can it be documented?

@timmkroe

I have the same issue. An example would be nice.

@philo23

philo23 commented Dec 24, 2020

After a lot of trial and error I discovered the correct format is just <hash algo>:<fingerprint>, e.g. SHA256:Bbf…

To get the actual fingerprint itself, you can either:

  • Temporarily comment out the host from your ~/.ssh/known_hosts file, then try connecting to the server with the same identity file you're trying to use in the ssh-action. The fingerprint will be displayed in the warning message (just remember to uncomment it afterwards...)
    The authenticity of host '[<host ip>]:<host port> ([<host ip>]:<host port>)' can't be established.
    ECDSA key fingerprint is <hash algo>:<fingerprint>.
    Are you sure you want to continue connecting (yes/no/[fingerprint])?
    
    If you do use this method, one thing to watch out for is the trailing . on the end of the fingerprint line; it is not part of the fingerprint itself.
  • The other way is to run ssh-keygen -l -f <file> on the server you're trying to connect to, against the SSH host keys found (at least on Ubuntu) in /etc/ssh/. There will probably be several depending on your host's supported key formats; the filename will follow this kind of format: ssh_host_<key format>_key.pub, where <key format> is probably either rsa or ed25519.
    That will print out something along these lines:
    username@hostname:~$ ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub
    256 <hash algo>:<fingerprint> root@hostname (ECDSA)
    
    You only need the <hash algo>:<fingerprint> portion of the output.
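
How the `<hash algo>:<fingerprint>` value relates to the key lines tried at the top of the thread, as an added example that is not part of the original comments or of the ssh-action project: the SHA256 fingerprint is the unpadded base64 of the SHA-256 digest of the decoded key blob, so a public key or known_hosts line has to be converted, not pasted. The function names are hypothetical, the sample key is constructed from dummy bytes, and only SHA256 fingerprints are handled.

```python
import base64
import hashlib
import re

KEY_TYPE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)")
FINGERPRINT = re.compile(r"\bSHA256:[A-Za-z0-9+/]{43}")


def fingerprint_sha256(pubkey_line):
    """Return SHA256:<fingerprint> for an OpenSSH public key or known_hosts line."""
    fields = pubkey_line.split()
    # Locate the key type; anything before it is a known_hosts host list,
    # anything after the blob is a comment such as root@domain.tld.
    idx = next((i for i, f in enumerate(fields) if KEY_TYPE.match(f)), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no '<key type> <base64 blob>' pair found")
    blob = base64.b64decode(fields[idx + 1], validate=True)
    # The blob starts with a length-prefixed copy of the key type; check it.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != fields[idx].encode():
        raise ValueError("key type does not match the key blob")
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints the digest as base64 with the '=' padding removed.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def extract_fingerprint(output_line):
    """Pull SHA256:<fingerprint> out of an ssh warning or ssh-keygen -l line."""
    m = FINGERPRINT.search(output_line)
    if not m:
        raise ValueError("no SHA256 fingerprint in line")
    return m.group(0)  # exactly 43 characters, so a trailing '.' is dropped


def constructed_key_line():
    # Constructed sample: an ed25519-shaped blob of dummy bytes, not a real host key.
    name, key = b"ssh-ed25519", bytes(range(32))
    blob = len(name).to_bytes(4, "big") + name + len(key).to_bytes(4, "big") + key
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@domain.tld"


if __name__ == "__main__":
    line = constructed_key_line()
    fp = fingerprint_sha256(line)
    print(fp)
    print(fingerprint_sha256("domain.tld,192.0.2.1 " + line) == fp)
    print(extract_fingerprint(f"ECDSA key fingerprint is {fp}.") == fp)
    print(extract_fingerprint(f"256 {fp} root@hostname (ECDSA)") == fp)
```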

@nicklasfrahm
Contributor

@philo23 Do you mind if I basically copy and paste this into a PR?

@philo23

philo23 commented Jan 24, 2021

Yeah no problem from me.

I suspect the second method is the proper way to do it, but the first bullet point is much easier for someone unfamiliar with SSH to do.

@nicklasfrahm
Contributor

@philo23 I can hack a one-liner together. I found out that the easiest way to do it is to connect to the VM or server and then attempt to connect to itself. Then you don't need to mess with the known_hosts.

@kenjis

kenjis commented May 18, 2024

<hash algo>:<fingerprint> does not work. Why?
See #275

@METACEO

METACEO commented Jun 8, 2024

@nicklasfrahm @philo23 it'd be great for ssh-action to report which hash algo it's failing against. I've tried multiple <hash algo>:<fingerprint> combinations in my setup but my action keeps failing. The ssh: host key fingerprint mismatch error stops short re. providing info to resolve the issue.
