An Improvement to OpenSSH

Thursday 4 September 2008 - Filed under Default

If you need to work on a remote *nix server, you have undoubtedly used OpenSSH. The way it helps securely control remote machines makes it one of a handful of essential sysadmin tools. But this great tool does have a flaw and no I’m not talking about a buffer overflow or memory leak. The problem arises when connecting to a server for the first time. For example, we’ve all seen this:

The authenticity of host ‘server.example.com (192.168.429.21)’ can’t be established.
RSA key fingerprint is 98:2e:d7:e0:de:9f:ac:67:28:c2:a2:2d:37:16:58:4d.
Are you sure you want to continue connecting (yes/no)?

With this string of hexadecimal characters, one is expected to verify the remote host’s identity. It is suggested to use some out-of-band method like carrying around the fingerprint on a card or checking the key after login, but I think there’s a better way.

Simply, add a dictionary of 65,536 (2^16) English words to OpenSSH. Then when it comes time to print out that nasty hex key, OpenSSH can map each string of 4 hex characters (16-bits total) to a single English word. In this way, we’ll see the hex string and a second, more-readable English string:

98:2e:d7:e0:de:9f:ac:67:28:c2:a2:2d:37:16:58:4d

election accelerate import snag wrecking unsuitable defeating conceal developing educates substitute bridge enables originator cat forecast

If the dictionary and mapping are standard, then no matter what machine you connect from you’ll see the same set of English words when connecting to the remote host. I think it’s a nice little trick that makes RSA key fingerprints easier to read and remember. Such a simple tweak could make us all a little more secure. What do you think?

2008-09-04  »  David Sterry