
I used ssh-keyscan in a production environment, and afterwards I got to know that it may allow MITM. I checked the known_hosts file; the fingerprint is not there. Where can I check it, or is there any option?

Ajith

1 Answer

The known_hosts file does not contain fingerprints, only the full (public) keys that you added.

To display the fingerprints, use ssh-keygen -l -f ~/.ssh/known_hosts and, if you like, add the -v switch to also show a visual ASCII art representation of the key along with the fingerprint.

ssh-keygen -l -f ~/.ssh/known_hosts

2048 SHA256:2ggdJPUVnjTHdG36iGw7Du8knzvPSLgF6fTBUhzn3d5 service.example.com,192.168.2.87 (RSA)
256  SHA256:6QZWKiXoFC8qRg3ZhClY4RcUPX8F2ROOREmysPT5JW9 example.com (ECDSA)

The actual known_hosts file will look something like this:

service.example.com,192.168.2.87 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA...8sw==
example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNo..C0N9T3Y4poTAXTuMyXZEPRywi28=

Each line in the known_hosts file contains the following fields: markers (optional), hostnames, keytype, base64-encoded key, comment. The fields are separated by spaces.

When HashKnownHosts is set, the hostnames may be stored in a hashed form. Hashed hostnames start with a | character.

Bob
  • Whether I need to delete the fingerprint, or can I leave it like that? How do I remove the user from that server? – Ajith Feb 19 '22 at 04:54
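As an added example (not part of Bob's answer or of OpenSSH itself), the following Python script parses known_hosts lines using the field layout the answer describes, computes the same SHA256 fingerprints that ssh-keygen -l prints (base64 of the SHA-256 of the decoded key blob, with the "=" padding stripped), and matches hostnames in both the plain and the HashKnownHosts form (|1|salt|HMAC-SHA1). The sample entries, the salt and the ssh-rsa key blob are constructed for the example and are not real keys.

```python
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class KnownHostEntry:
    marker: Optional[str]   # "@cert-authority" or "@revoked", else None
    hosts: str              # "host1,host2" or hashed "|1|<salt>|<hmac>"
    keytype: str            # e.g. "ssh-rsa", "ecdsa-sha2-nistp256"
    key_b64: str            # base64 of the SSH wire-format public key blob
    comment: str


def parse_known_hosts_line(line: str) -> Optional[KnownHostEntry]:
    """Split one known_hosts line into its space-separated fields; None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    marker = parts.pop(0) if parts[0].startswith("@") else None
    if len(parts) < 3:
        raise ValueError(f"malformed known_hosts line: {line!r}")
    return KnownHostEntry(marker, parts[0], parts[1], parts[2], " ".join(parts[3:]))


def fingerprint_sha256(key_b64: str) -> str:
    """Same value ssh-keygen -l prints: base64(SHA-256(blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(key_b64: str) -> str:
    """Legacy colon-separated form, as printed by ssh-keygen -l -E md5."""
    digest = hashlib.md5(base64.b64decode(key_b64)).digest()
    return "MD5:" + ":".join(f"{b:02x}" for b in digest)


def blob_keytype(key_b64: str) -> str:
    """The key type is repeated inside the blob as its first SSH string; a mismatch
    with the keytype field points at a hand-edited entry."""
    blob = base64.b64decode(key_b64)
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode()


def hash_hostname(host: str, salt: bytes) -> str:
    """Hashed form written when HashKnownHosts is set: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def entry_matches_host(entry: KnownHostEntry, host: str) -> bool:
    """Exact-name matching only; wildcard and '!' negation patterns are not handled here."""
    if entry.hosts.startswith("|1|"):
        _, _, salt_b64, mac_b64 = entry.hosts.split("|")
        actual = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, base64.b64decode(mac_b64))
    return host in entry.hosts.split(",")


def list_fingerprints(text: str) -> List[tuple]:
    """(hosts, keytype, SHA256 fingerprint, marker) per entry, like ssh-keygen -l output."""
    entries = (parse_known_hosts_line(l) for l in text.splitlines())
    return [(e.hosts, e.keytype, fingerprint_sha256(e.key_b64), e.marker)
            for e in entries if e is not None]


def find_host(text: str, host: str) -> List[KnownHostEntry]:
    """Entries whose hostname field (plain or hashed) covers `host`."""
    entries = (parse_known_hosts_line(l) for l in text.splitlines())
    return [e for e in entries if e is not None and entry_matches_host(e, host)]


# Constructed sample key: a syntactically valid ssh-rsa blob with a toy modulus.
# It is NOT a real key; only the blob layout matters for the fingerprint.
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + b if b[0] & 0x80 else b)


SAMPLE_RSA_B64 = base64.b64encode(
    _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(0xC0FFEE1234567890ABCDEF)
).decode()

# Constructed known_hosts content: a plain entry, a revoked entry and a hashed entry.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "service.example.com,192.168.2.87 ssh-rsa " + SAMPLE_RSA_B64,
    "@revoked old.example.com ssh-rsa " + SAMPLE_RSA_B64 + " retired 2022",
    hash_hostname("example.com", b"\x01" * 20) + " ssh-rsa " + SAMPLE_RSA_B64,
])

if __name__ == "__main__":
    for hosts, keytype, fp, marker in list_fingerprints(SAMPLE_KNOWN_HOSTS):
        print(f"{keytype:8} {fp} {hosts} {marker or ''}")
    print("entries for example.com:", len(find_host(SAMPLE_KNOWN_HOSTS, "example.com")))
```

To check a host you connected to after ssh-keyscan, point find_host at the real ~/.ssh/known_hosts content and compare fingerprint_sha256 of the matching entry against the fingerprint obtained out of band from the server's administrator; if the hostname was stored hashed, only the HMAC comparison will find it, which is why grepping the file for the name turns up nothing.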