{"id":118,"date":"2008-09-04T22:02:00","date_gmt":"2008-09-04T22:02:00","guid":{"rendered":"http:\/\/10.168.29.5\/blog\/?p=118"},"modified":"2010-02-15T04:56:42","modified_gmt":"2010-02-15T04:56:42","slug":"an-improvement-to-openssh","status":"publish","type":"post","link":"https:\/\/davidsterry.com\/blog\/2008\/09\/an-improvement-to-openssh\/","title":{"rendered":"An Improvement to OpenSSH"},"content":{"rendered":"<p>If you need to work on a remote *nix server, you have undoubtedly used OpenSSH. The way it helps securely control remote machines makes it one of a handful of essential sysadmin tools. But this great tool does have a flaw, and no, I&#8217;m not talking about a buffer overflow or memory leak. The problem arises when connecting to a server for the first time. For example, we&#8217;ve all seen this:<\/p>\n<blockquote><p><span style=\"font-weight:bold;\">The authenticity of host &#8216;server.example.com (192.168.429.21)&#8217; can&#8217;t be established.<br \/>RSA key fingerprint is 98:2e:d7:e0:de:9f:ac:67:28:c2:a2:2d:37:16:58:4d.<br \/>Are you sure you want to continue connecting (yes\/no)?<\/span><\/p><\/blockquote>\n<p>With this string of hexadecimal characters, one is expected to verify the remote host&#8217;s identity. The usual suggestion is to use some out-of-band method, like carrying the fingerprint around on a card or checking the key after login, but I think there&#8217;s a better way.<\/p>\n<p>Simply add a dictionary of 65,536 (2^16) English words to OpenSSH. Then, when it comes time to print out that nasty hex key, OpenSSH can map each string of 4 hex characters (16 bits total) to a single English word. 
In this way, we&#8217;ll see the hex string and a second, more readable English string:<\/p>\n<blockquote><p><span style=\"font-weight:bold;\">98:2e:d7:e0:de:9f:ac:67:28:c2:a2:2d:37:16:58:4d<\/span><\/p><\/blockquote>\n<blockquote><p><span style=\"font-weight:bold;\">election accelerate import snag wrecking unsuitable defeating conceal developing educates substitute bridge enables originator cat forecast<\/span><\/p><\/blockquote>\n<p>If the dictionary and mapping are standard, then no matter what machine you connect from, you&#8217;ll see the same set of English words when connecting to the remote host. I think it&#8217;s a nice little trick that makes RSA key fingerprints easier to read and remember. Such a simple tweak could make us all a little more secure. What do you think?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you need to work on a remote *nix server, you have undoubtedly used OpenSSH. The way it helps securely control remote machines makes it one of a handful of essential sysadmin tools. But this great tool does have a flaw, and no, I&#8217;m not talking about a buffer overflow or memory leak. 
The problem [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[20,15],"class_list":["post-118","post","type-post","status-publish","format-standard","hentry","category-default","tag-ideas","tag-ssh"],"_links":{"self":[{"href":"https:\/\/davidsterry.com\/blog\/wp-json\/wp\/v2\/posts\/118","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/davidsterry.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/davidsterry.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/davidsterry.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/davidsterry.com\/blog\/wp-json\/wp\/v2\/comments?post=118"}],"version-history":[{"count":1,"href":"https:\/\/davidsterry.com\/blog\/wp-json\/wp\/v2\/posts\/118\/revisions"}],"predecessor-version":[{"id":150,"href":"https:\/\/davidsterry.com\/blog\/wp-json\/wp\/v2\/posts\/118\/revisions\/150"}],"wp:attachment":[{"href":"https:\/\/davidsterry.com\/blog\/wp-json\/wp\/v2\/media?parent=118"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/davidsterry.com\/blog\/wp-json\/wp\/v2\/categories?post=118"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/davidsterry.com\/blog\/wp-json\/wp\/v2\/tags?post=118"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}