HackDig : Dig high-quality web security articles for hackers

SSH Fingerprints Are Important, (Fri, Apr 3rd)

2015-04-03 19:30

Some years ago, I was preparing Cisco certification exams. I connected via SSH to a new Cisco router, and was presented with this familiar dialog:

This made me think: before proceeding, I wanted to obtain the fingerprint out-of-band, via a trusted channel, so that I could verify it. So I took a console cable, logged on via the serial console, and then I started to wonder what IOS command to type? A couple of hours later spend with Google, I was no closer to a solution. I could not find an IOS command to display the SSH fingerprint.

I found forum posts advising to connect via a crossover cable and write the presented SSH fingerprint down, but thats not what I wanted. I had to work out my own solution.

Theres an IOS command to dump your public key: show crypto key mypubkey rsa

If you take the modulus and exponent of your public key, arrange them in another format (ssh-rsa) and calculate the MD5 hash, then you obtain the fingerprint.

Of course, I could not resist writing a Python program for that :-)

You can find it here.

If you know a Cisco IOS command to obtain the SSH fingerprint key directly, then please post a comment.

Update: on Cisco IOS versions released after I researched this, the show ip ssh Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAA.....

If you decode the base64 encoded ssh-rsa data, and calculate the MD5, you obtain the fingerprint.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: ssr;pma&34591=diyrots?lmth.yraid/ude.snas.csi

Read:3019 | Comments:0 | Tags:No Tag

“SSH Fingerprints Are Important, (Fri, Apr 3rd)”0 Comments

Submit A Comment



Blog :

Verification Code:


Tag Cloud