
SSHD: Fingerprint of public key not as expected


Two machines are involved in my issue:

  • Server: Running Ubuntu Server 20.04.3 LTS, running ssh server
  • Client: Running Ubuntu Desktop 20.04.3 LTS, running ssh client

I expect my generated ED25519 keypair to be used. Keys are stored as follows:

  • id_ed25519.pub: attached in ~/.ssh/authorized_keys on "server"
  • id_ed25519: stored in ~/.ssh on "client"

Configuration on server in /etc/ssh/sshd.config:

  • PubkeyAuthentication yes
  • AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
  • PasswordAuthentication no

Configuration on client:

  • id_ed25519 is made available via keychain (executing ssh-add for ssh-agent, asking for passphrase properly)

Now what gives me headaches:

Step 1: I connect from client to server. As I access for the first time (empty ~/.ssh/known_hosts on client) I get: ECDSA key fingerprint is SHA256: [DefaultKeyFingerprint]. Are you sure you want to continue connecting? [DefaultKeyFingerprint] is a placeholder for the fingerprint displayed. It turns out it is not the fingerprint I expected. My expectation was: id_ed25519.pub is used by the server to derive the fingerprint. This would lead to another fingerprint (checked via "ssh-keygen -l -f"). Let's call this one [ExpectedFingerprint].

I tried to understand where [DefaultKeyFingerprint] is coming from. Result: it matches the default key ssh_host_ecdsa_key.pub generated by sshd in /etc/ssh/

Step 2: After accepting the above-mentioned warning I can successfully connect.

I wanted to understand if the public key behind [DefaultKeyFingerprint] or [ExpectedFingerprint] was used. Two indications that [ExpectedFingerprint] was used:

  • Specifying the private key behind [DefaultKeyFingerprint] when executing "ssh" on client is not accepted by "Server", even when the private key file is specified using the -i option. Error is: Permission denied (publickey). This matches my expectation, as I allowed on the server side in ~/.ssh/authorized_keys only the public key belonging to [ExpectedFingerprint]
  • When I run on "Server": systemctl status ssh after a successful login I get the following output:
Dec 22 10:57:42 [my_machine] sshd[3255]: Accepted key ED25519 SHA256:[ExpectedFingerprint] found at ~/.ssh/authorized_keys:1
Dec 22 10:57:42 [my_machine] sshd[3255]: Accepted publickey for [user] from 192.168.178.35 port 50048 ssh2: ED25519 SHA256:[ExpectedFingerprint]
Dec 22 10:57:42 [my_machine] sshd[3255]: pam_unix(sshd:session): session opened for user [user] by (uid=0)

My questions:

  • Can you confirm my argumentation above that actually [ExpectedFingerprint] was used?
  • Why is "Server" showing [DefaultKeyFingerprint] as a fingerprint and not [ExpectedFingerprint], and how can I make "Server" show [ExpectedFingerprint]?

Remarks - not knowing if it matters: When I generated the keypair leading to [ExpectedFingerprint] I specified an asterisk in the domain name *.mydomain.com. Output of ssh-keygen -l -f for both public keys:

256 SHA256:[ExpectedFingerprint] *.mydomain.com (ED25519)
256 SHA256:[DefaultKeyFingerprint] root@mymachine (ECDSA)

Thanks in advance for your thoughts.

mangohost

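The two fingerprints in the post are derived from two different keys: the "ECDSA key fingerprint is SHA256:..." prompt on first connect is computed over the server's host key (ssh_host_ecdsa_key.pub), while the "Accepted publickey ... ED25519 SHA256:..." log line is computed over the client key listed in authorized_keys. Both use the same formula, which is what `ssh-keygen -l -f` prints: base64 of SHA256 over the wire-format public key blob, with the `=` padding stripped. The following is an added example (not code from the original post) that reproduces that computation for an authorized_keys line and a known_hosts line. The key material, the host pattern `server.mydomain.com` and the comment are constructed placeholders; the ECDSA point bytes are filler, not a real curve point, which does not matter for the fingerprint arithmetic.

```python
"""Reproduce OpenSSH SHA256 fingerprints from authorized_keys / known_hosts lines.

Added example: fingerprint = "SHA256:" + base64(SHA256(public key blob)) with
'=' padding removed, identical to what ssh-keygen -l, ssh-keyscan and the
first-connect prompt display. Key material below is constructed, not real.
"""
from __future__ import annotations

import base64
import hashlib
import struct

KEY_TYPE_PREFIXES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-")


def ssh_string(b: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(b)) + b


def read_ssh_string(blob: bytes, off: int) -> tuple[bytes, int]:
    """Decode one SSH wire-format string at offset; return (value, next offset)."""
    (n,) = struct.unpack_from(">I", blob, off)
    off += 4
    return blob[off:off + n], off + n


def parse_pubkey_line(line: str) -> tuple[str, bytes, str]:
    """Parse 'type b64 [comment]' (authorized_keys) or 'host type b64 [comment]' (known_hosts).

    Option prefixes (from=..., @cert-authority) are not handled here. The blob's
    embedded type string must agree with the text field; a mismatch means the
    line was mangled or tampered with (ssh-keygen rejects such lines as well).
    """
    fields = line.split()
    for i, f in enumerate(fields[:2]):
        if f.startswith(KEY_TYPE_PREFIXES):
            break
    else:
        raise ValueError("no recognised key type in line")
    key_type = fields[i]
    blob = base64.b64decode(fields[i + 1], validate=True)
    embedded, _ = read_ssh_string(blob, 0)
    if embedded != key_type.encode():
        raise ValueError(f"type field {key_type!r} does not match blob type {embedded!r}")
    # ssh-keygen -l shows the comment, the host pattern for known_hosts, or "no comment".
    comment = " ".join(fields[i + 2:]) or (fields[0] if i == 1 else "no comment")
    return key_type, blob, comment


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint exactly as OpenSSH prints it (43 base64 chars, no padding)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def display_type(key_type: str) -> str:
    if key_type == "ssh-ed25519":
        return "ED25519"
    if key_type.startswith("ecdsa-sha2-"):
        return "ECDSA"
    if key_type == "ssh-rsa":
        return "RSA"
    raise ValueError(f"unsupported key type {key_type}")


def key_bits(key_type: str, blob: bytes) -> int:
    """Key size as ssh-keygen -l reports it (first column)."""
    if key_type == "ssh-ed25519":
        return 256
    _, off = read_ssh_string(blob, 0)  # skip embedded type string
    if key_type.startswith("ecdsa-sha2-"):
        curve, _ = read_ssh_string(blob, off)
        return {b"nistp256": 256, b"nistp384": 384, b"nistp521": 521}[curve]
    if key_type == "ssh-rsa":
        _, off = read_ssh_string(blob, off)  # public exponent e
        n, _ = read_ssh_string(blob, off)  # modulus n (mpint)
        return int.from_bytes(n, "big").bit_length()
    raise ValueError(f"unsupported key type {key_type}")


def describe(line: str) -> str:
    """Format like `ssh-keygen -l -f <file>`: '<bits> SHA256:<fp> <comment> (<TYPE>)'."""
    key_type, blob, comment = parse_pubkey_line(line)
    return f"{key_bits(key_type, blob)} {fingerprint(blob)} {comment} ({display_type(key_type)})"


def first_connect_prompt(known_hosts_line: str) -> str:
    """The line ssh prints when the server's host key is not yet in known_hosts."""
    key_type, blob, _ = parse_pubkey_line(known_hosts_line)
    return f"{display_type(key_type)} key fingerprint is {fingerprint(blob)}."


# Constructed sample material (NOT real keys): a user ED25519 key as it sits in
# ~/.ssh/authorized_keys, and a server ECDSA host key as it sits in known_hosts.
ED25519_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
ECDSA_BLOB = (ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256")
              + ssh_string(b"\x04" + bytes(64)))  # uncompressed-point layout, filler bytes
AUTHORIZED_KEYS_LINE = f"ssh-ed25519 {base64.b64encode(ED25519_BLOB).decode()} *.mydomain.com"
KNOWN_HOSTS_LINE = f"server.mydomain.com ecdsa-sha2-nistp256 {base64.b64encode(ECDSA_BLOB).decode()}"

if __name__ == "__main__":
    print(describe(AUTHORIZED_KEYS_LINE))  # what sshd logs after "Accepted publickey"
    print(describe(KNOWN_HOSTS_LINE))  # what ssh-keygen -l -f ssh_host_ecdsa_key.pub shows
    print(first_connect_prompt(KNOWN_HOSTS_LINE))  # what the client shows on first connect
```

The practical check this implies: to trust the first-connect prompt, compare it against `ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub` obtained on the server over a channel you already trust (console, existing session), not against your own user key, which never appears in that prompt. The user key's fingerprint is only confirmed by the server log (or `ssh -v` on the client, which reports which offered key the server accepted). If an ED25519 host key fingerprint is preferred at the prompt, the client can be told to negotiate that host key type with `ssh -o HostKeyAlgorithms=ssh-ed25519 host`, provided the server has an ssh_host_ed25519_key configured as a HostKey.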
