Thread: How to check the identity of a SSH Server

  1. #1
    Join Date
    May 2013
    Location
    Paris, France
    Beans
    174
    Distro
    Ubuntu Gnome 16.04 Xenial Xerus

    How to check the identity of a SSH Server

    SSH Client Environment: Ubuntu Desktop 14.04

    Hello everyone,

    I have setup a secure SSH connection with a remote server, which is configured with my public key (so I don't need to authenticate).

    Is it possible to configure my SSH client with the public server key and make SSH use it every time it tries to connect to the server? The idea is to check that the SSH server has not been spoofed.

    Cheers.

  2. #2
    Join Date
    Jan 2014
    Beans
    Hidden!

    Re: How to check the identity of a SSH Server

    Read this: http://manpages.ubuntu.com/manpages/...n8/sshd.8.html

    You'll find there is quite a bit of good information in the man pages. That's why people take the time to create them. Pay particular attention to the sections on known_hosts.

  3. #3
    Join Date
    May 2013
    Location
    Paris, France
    Beans
    174
    Distro
    Ubuntu Gnome 16.04 Xenial Xerus

    Re: How to check the identity of a SSH Server

    Thanks for your answer. However, I have been unable to make it work; here's what I've done:

    1) configured /etc/ssh/ssh_config with:
    Code:
    HostbasedAuthentication yes
    CheckHostIP yes
    StrictHostKeyChecking ask
    PubkeyAuthentication yes
    IdentityFile /root/.ssh/id_rsa
    Port 2222
    2) "Add key" on Android SSHdroid server: it generates a private-key file in PEM format
    3) generated a public key with "sudo puttygen /root/.ssh/private-key-file -O public-openssh -o /root/.ssh/public-key-file" on the client
    4) inserted the public key inside the "/etc/ssh/ssh_known_hosts" configuration file: ip-address ssh-rsa public-key

    However, when trying to connect with "sshfs -o idmap=user root@ip-address:/ /mnt/SSH/device-name", I got the following error:

    "The authenticity of host '[ip-address]:2222 ([ip-address]:2222)' can't be established.
    RSA key fingerprint is xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

    I've checked the fingerprint with "ssh-keygen -l -f /root/.ssh/public-key-file": they are different! I don't think the server is currently being spoofed...

    Any suggestion?

    N.B.: @untrustytahr, you probably deserve some time off

  4. #4
    Join Date
    Apr 2013
    Beans
    132
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: How to check the identity of a SSH Server

    Host (server) keys are one thing, user keys are another.

    First, make sure you have

    Code:
    RSAAuthentication yes
    in your /etc/ssh/ssh_config on the client machine.

    Then:

    Code:
    RSAAuthentication yes
    PubkeyAuthentication yes
    in /etc/ssh/sshd_config on the server machine.

    The RSA key fingerprint you were shown is not the same as the one you got for /root/.ssh/public-key-file because you compared the host public key against the user public key.

    I personally make copies of all server and client keys right after they are generated, this way I can have the fingerprints of the original keys.

    The message "The authenticity of host..." has to do with server (host) keys, not user keys. These keys are located in /etc/ssh on the server machine.

    In your case, they should be named ssh_host_rsa_key and ssh_host_rsa_key.pub (I don't know anything about that Android stuff).

    I personally think that the type of keys that were generated by the SSH server on Android need to be converted into another format.

    ".pem Defined in RFCs 1421 through 1424, this is a container format that may include just the public certificate (such as with Apache installs, and CA certificate files /etc/ssl/certs), or may include an entire certificate chain including public key, private key, and root certificates. The name is from Privacy Enhanced Email, a failed method for secure email but the container format it used lives on.

    .key This is a PEM formatted file containing just the private key of a specific certificate. In Apache installs, this frequently resides in /etc/ssl/private. The rights on this directory and the certificates are very important, and some programs will refuse to load these certificates if they are set wrong." (http://serverfault.com/questions/970...file/9717#9717)
    And this is how you can do conversions:

    https://stackoverflow.com/questions/1011572/convert-pem-key-to-ssh-rsa-format

    Or I might be totally wrong, but that's my two cents. Hope this helps.
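    The two points made in posts #3 and #4, that the client matches the server's host key (not the user key) against known_hosts and that a fingerprint is just a hash of the key blob, can be checked offline. The script below is an added example for this thread, not code from the posts or from OpenSSH: it builds ssh-rsa key blobs from toy integers (constructed, not real keys), computes the SHA256 and MD5 fingerprints the way ssh-keygen -l does, parses known_hosts lines (plain, hashed with HashKnownHosts, and the [host]:port form ssh uses for non-default ports) and reports whether a presented key is OK, UNKNOWN or a MISMATCH. The host names, salt and key values are all constructed for the example.

```python
"""Parse OpenSSH known_hosts entries and compute host-key fingerprints.

Added example for this thread, not code from the posts or from OpenSSH. The RSA blobs
are built from toy integers so it runs offline; they are not real keys and are not secure.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import re
from dataclasses import dataclass

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data

def _ssh_mpint(n: int) -> bytes:
    """SSH mpint (RFC 4251): minimal big-endian bytes, leading 0x00 if the top bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big") if n else b"")

def rsa_public_blob(e: int, n: int) -> bytes:
    """Decoded form of the base64 field of an 'ssh-rsa' public-key or known_hosts line."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)

def fingerprint_sha256(blob: bytes) -> str:
    """Fingerprint as `ssh-keygen -l` prints it on OpenSSH 6.8+: SHA256, base64, no '='."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint, the style an OpenSSH 6.6 (14.04) client shows."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def host_token(host: str, port: int = 22) -> str:
    """Name ssh looks up in known_hosts: lowercase host on port 22, '[host]:port' otherwise."""
    return host.lower() if port == 22 else f"[{host.lower()}]:{port}"

def hash_host_token(token: str, salt: bytes) -> str:
    """Hashed entry written under HashKnownHosts yes: |1|b64(salt)|b64(HMAC-SHA1(salt, token))."""
    mac = hmac.new(salt, token.encode(), hashlib.sha1).digest()
    return f"|1|{base64.b64encode(salt).decode()}|{base64.b64encode(mac).decode()}"

def pattern_matches(pattern: str, token: str) -> bool:
    """Match one host pattern: a hashed entry, or plain text where only '*' and '?' are
    wildcards (fnmatch's '[...]' classes would break '[host]:port'); '!host' never matches here."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, _ = pattern.split("|")
        return hmac.compare_digest(hash_host_token(token, base64.b64decode(salt_b64)), pattern)
    if pattern.startswith("!"):
        return False
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, token) is not None

@dataclass
class KnownHost:
    patterns: list[str]  # comma-separated host patterns, or a single |1|salt|hash entry
    key_type: str
    blob: bytes

def parse_known_hosts_line(line: str) -> KnownHost | None:
    """Parse 'patterns key-type base64 [comment]'; None for blank and comment lines.
    Marker lines (@revoked, @cert-authority) are rejected rather than silently skipped."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):
        raise ValueError(f"marker lines are not handled by this example: {line!r}")
    parts = line.split(None, 3)
    if len(parts) < 3:
        raise ValueError(f"malformed known_hosts line: {line!r}")
    patterns = [parts[0]] if parts[0].startswith("|1|") else parts[0].split(",")
    return KnownHost(patterns, parts[1], base64.b64decode(parts[2], validate=True))

def check_host_key(known_hosts: str, host: str, port: int, key_type: str, blob: bytes) -> str:
    """OK: matching entry. UNKNOWN: no entry of this key type for the host (the "authenticity
    ... can't be established" prompt). MISMATCH: an entry of this type holds a different key
    (the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning)."""
    token = host_token(host, port)
    seen_host = False
    for line in known_hosts.splitlines():
        entry = parse_known_hosts_line(line)
        if entry is None or entry.key_type != key_type:
            continue
        if any(pattern_matches(p, token) for p in entry.patterns):
            seen_host = True
            if hmac.compare_digest(entry.blob, blob):
                return "OK"
    return "MISMATCH" if seen_host else "UNKNOWN"

# Constructed toy keys: the server's host key and a user key like the OP's id_rsa.pub.
HOST_KEY_BLOB = rsa_public_blob(65537, 0xC0FFEE1234567891)
USER_KEY_BLOB = rsa_public_blob(65537, 0xDEADBEEF0BADF00D)
SAMPLE_SALT = bytes(range(20))  # constructed; ssh draws 20 random bytes per entry
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    f"[192.0.2.10]:2222 ssh-rsa {base64.b64encode(HOST_KEY_BLOB).decode()} phone",
    f"{hash_host_token('gateway.example', SAMPLE_SALT)} ssh-rsa {base64.b64encode(HOST_KEY_BLOB).decode()}",
])

if __name__ == "__main__":
    print("host key:", fingerprint_sha256(HOST_KEY_BLOB), "user key:", fingerprint_sha256(USER_KEY_BLOB))
    for host, port, blob in [("192.0.2.10", 2222, HOST_KEY_BLOB), ("192.0.2.10", 2222, USER_KEY_BLOB),
                             ("192.0.2.10", 22, HOST_KEY_BLOB), ("gateway.example", 22, HOST_KEY_BLOB)]:
        print(f"{host_token(host, port):20} {check_host_key(SAMPLE_KNOWN_HOSTS, host, port, 'ssh-rsa', blob)}")
```

    Two things in the script explain the result in post #3. The user key and the host key are different blobs, so their fingerprints differ, which is exactly what comparing id_rsa.pub against the prompt shows. And because the server listens on 2222, ssh looks for an entry named "[ip-address]:2222", so a bare "ip-address ssh-rsa ..." line is never consulted even when it holds the right key; the lookup above returns UNKNOWN for that case, which is the "authenticity ... can't be established" prompt. HostbasedAuthentication in ssh_config is a user-authentication method and plays no part in host-key checking. To pin the server, put its host key (ssh_host_rsa_key.pub on the server, or the line ssh-keyscan -p 2222 -t rsa ip-address returns, with the fingerprint compared against one obtained out of band, as the OP did on an isolated network in post #5) into known_hosts in the [host]:port form, then set StrictHostKeyChecking yes so a later mismatch refuses to connect instead of asking.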

  5. #5
    Join Date
    May 2013
    Location
    Paris, France
    Beans
    174
    Distro
    Ubuntu Gnome 16.04 Xenial Xerus

    Re: How to check the identity of a SSH Server

    Thanks for your detailed answer: it makes perfect sense!

    I've searched on my rooted Nexus-5: impossible to locate the file containing the device key(s).
    So I did the check in another way by isolating both devices inside a closed network and saving the RSA key generated by the server. The SSH RSA key is now saved inside /root/.ssh/known_hosts.
