Preventing MITM for a new SSH daemon



  • Suppose I have a number of HTTPS servers on different networks, would it be safe enough to use them together to verify a new SSH daemon's public key? i.e. if they all return the same fingerprint, is it safe enough to assume there is no MITM attack?

    I'm aware of SSH certs, but it gets tough to implement with most shared hosting.

    Thanks.



  • Reusing the same ssh host key on multiple servers is a security risk. If one server is compromised, the attacker can intercept all connections to your servers.


    If the servers are administered by another person, you should ask this person over a trusted channel.

    Trusted channels are:


    If you own the server you can use a local terminal. On a virtual machine, you can use the management interface to open such a terminal. Physical (bare metal) servers should have some remote management device, like a KVM switch or one built into the BIOS/UEFI.

    By default OpenSSH stores the keys in /etc/ssh.

    The following command calculates the SHA256 hash:

    for file in /etc/ssh/*.pub; do ssh-keygen -lf "$file"; done
    

    Older implementations of OpenSSH generate MD5 fingerprints:

    for file in /etc/ssh/*.pub; do ssh-keygen -lf "$file" -E md5; done
    

    You have multiple keys with different algorithms. Depending on your server and your client, one of those keys is used.

    Now you can compare the shown fingerprint from the client with the calculated fingerprints.
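
The comparison described in the answer above, as an added example that is not part of the original posts: it derives the fingerprints the way `ssh-keygen -l` does from public key lines read on the trusted console, then checks the fingerprint the client displayed against them. The function names and the sample key are constructed for illustration.

```python
import base64
import hashlib


def parse_pubkey_line(line):
    """Split an OpenSSH public key line ('type base64 [comment]') into (type, blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the algorithm name.
    name_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return key_type, blob


def fingerprints(blob):
    """Both forms ssh-keygen -l prints: SHA256 (unpadded base64) and MD5 (colon hex)."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return {"SHA256:" + sha, "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2))}


def matching_host_key(client_fp, pubkey_lines):
    """Return the type of the host key the client's fingerprint belongs to, or None."""
    shown = client_fp.strip()
    # Old clients print the MD5 fingerprint as bare colon-separated hex.
    if ":" in shown and not shown.startswith(("SHA256:", "MD5:")):
        shown = "MD5:" + shown
    if shown.startswith("MD5:"):
        shown = "MD5:" + shown[4:].lower()
    for line in pubkey_lines:
        key_type, blob = parse_pubkey_line(line)
        if shown in fingerprints(blob):
            return key_type
    return None


def constructed_ed25519_line(seed):
    """Constructed sample input: a well-formed ssh-ed25519 line, not a real key."""
    raw, name = bytes((seed + i) % 256 for i in range(32)), b"ssh-ed25519"
    blob = len(name).to_bytes(4, "big") + name + len(raw).to_bytes(4, "big") + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


SERVER_KEYS = [constructed_ed25519_line(1)]  # stands in for the /etc/ssh/*.pub contents
```

A return value of `None` means the fingerprint the client showed belongs to none of the keys read on the console, so the connection should not be accepted.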


