Verifying an IOS device's SSH fingerprint

kurtpatzer
Level 1

When an SSH client connects to a server for the first time, it displays the fingerprint of the system's SSH public key. You, the user, are supposed to verify the fingerprint before you accept the connection (to protect against a spoofing attack on first connection). Once you accept, the ssh client remembers the key & will allow connections to that server in the future & won't bother for a confirmation in the future unless the key changes.

Now - it's pretty easy to set up SSH services on an IOS device, but I have no idea how to determine its fingerprint. I can get the router to display its public key, but not the fingerprint. And the SHA/MD5 hash tools that I have don't seem to work to digest the public key value into what is presented by the SSH client.

Does anyone know how to either: A) Display the SSH key fingerprint on the router itself or B) Know of a Windows based tool that can take the public key that the router will display and compute the fingerprint?

Thanks,

KEP

3 Replies

lwierenga
Level 1

Hopefully, this will help:

PIX:

show ssh [sessions [ip_address]]

Router:

show ssh fingerprint

Hello,

The show ssh fingerprint command is not available on my systems (generally 12.2(15)T). Looking at the 12.3 command reference, I don't find it there either.

Show ssh on both the router and the PIX show the status of connections to your router, which is not what I am hoping to find. I need to know the fingerprint that I should expect to see when I connect to the router for the first time from a Windows SSH client (either teraterm or putty).

Thanks,

KEP

oxide
Level 1

I do not know how to display the SSH server's fingerprint directly in IOS. However, you can do it on a separate machine.

ISR4300#sh ip ssh
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-3738675831
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCn62IP88wHq9NilUvTuQ2Min+1CZQ+N8NtFyamsNaP
gPibo71xq9joiCUQQcdi/tZYqsUfsGQQJ05QXlDj81z2EEnqZ+a3GK7XjulbStWdY2innc+UA//gYrhj
21lar4PSsuFjz2VoBYxEoloh/Mk4o068IjeMNWrV3zADgAyHwigfYJyNdpoDkIM/PMb0J1XKR65/cCJz
710olSBTorYdrmLEVp+mGnnGUfVQr4xovVeU/Sze1foutzVEkds6E9Olxn6bCqHjbiIetLtwiCYDEyLy
tjPA2SIYtmltCi/TByLl36cR6tNj6PiFMgvb1UkjwiF1Cse6WvKLzxS9k0M3

The line starting with "IOS Keys" is the server's public key. If you copy it to a Unix box, you can calculate the SHA256 fingerprint as follows:

$ ssh-keygen -l -f ./ssh.key
2048 SHA256:CRqX+T3a/48l6GT00Tgz3SmnkcNwlgt0B+vFI8VuzxI no comment (RSA)

Or using OpenSSL:

$ openssl base64 -d < ssh.key | \
    openssl dgst -sha256 -binary | \
    openssl base64
CRqX+T3a/48l6GT00Tgz3SmnkcNwlgt0B+vFI8VuzxI=

I am not familiar with the Windows CLI (neither CMD nor PowerShell), but this is what AI tells me:

CMD:

type ssh.key | openssl base64 -d | openssl dgst -sha256 -binary | openssl base64

PowerShell:

Get-Content -Raw ssh.key | openssl base64 -d | openssl dgst -sha256 -binary | openssl base64
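Since the original question asked for a Windows-based way to turn the router's displayed public key into the fingerprint a client will show, here is an added example (not code from this thread or from Cisco) that does the same job as the ssh-keygen and openssl pipelines above using only the Python 3 standard library, so it runs unchanged on Windows, Linux or macOS. It takes the wrapped "sh ip ssh" key block as printed by IOS, decodes it, checks that the bytes really are an RFC 4253 ssh-rsa blob, and prints both the SHA256 fingerprint (modern OpenSSH format) and the legacy MD5 colon-hex fingerprint that older PuTTY and Tera Term builds display. The sample input is the key block quoted in the reply above; the function and variable names are this example's own.

```python
import base64
import hashlib
import struct

# Sample input for this example: the "sh ip ssh" key block quoted in the reply
# above, kept wrapped across several lines exactly as IOS prints it.
IOS_SHOW_IP_SSH_KEY = """\
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-3738675831
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCn62IP88wHq9NilUvTuQ2Min+1CZQ+N8NtFyamsNaP
gPibo71xq9joiCUQQcdi/tZYqsUfsGQQJ05QXlDj81z2EEnqZ+a3GK7XjulbStWdY2innc+UA//gYrhj
21lar4PSsuFjz2VoBYxEoloh/Mk4o068IjeMNWrV3zADgAyHwigfYJyNdpoDkIM/PMb0J1XKR65/cCJz
710olSBTorYdrmLEVp+mGnnGUfVQr4xovVeU/Sze1foutzVEkds6E9Olxn6bCqHjbiIetLtwiCYDEyLy
tjPA2SIYtmltCi/TByLl36cR6tNj6PiFMgvb1UkjwiF1Cse6WvKLzxS9k0M3
"""


def extract_key_blob(text: str) -> bytes:
    """Pull the base64 host key out of IOS 'show ip ssh' output (wrapped form)
    or a one-line OpenSSH public key, and return the decoded wire-format blob."""
    b64_parts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("IOS Keys"):
            continue  # header line, not part of the key
        if line.startswith(("ssh-", "ecdsa-")):
            # First line carries the key type; the base64 is the second field and
            # an optional comment may follow (OpenSSH one-line form).
            b64_parts.append(line.split()[1])
            continue
        b64_parts.append(line)  # IOS continuation line of the wrapped key
    # validate=True rejects stray characters picked up while copying from the console
    return base64.b64decode("".join(b64_parts), validate=True)


def _read_string(blob: bytes, offset: int):
    """Read one SSH 'string' (4-byte big-endian length + bytes) from the blob."""
    (length,) = struct.unpack_from(">I", blob, offset)
    offset += 4
    return blob[offset:offset + length], offset + length


def parse_ssh_rsa(blob: bytes) -> dict:
    """Walk the RFC 4253 ssh-rsa wire format: string 'ssh-rsa', mpint e, mpint n.
    Raises if the blob is not an intact ssh-rsa key, which catches copy errors."""
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError(f"expected an ssh-rsa blob, got {key_type!r}")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the modulus; key blob is damaged")
    n = int.from_bytes(n_bytes, "big")
    return {"type": key_type.decode(), "e": int.from_bytes(e_bytes, "big"),
            "bits": n.bit_length()}


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH 6.8+ style: SHA-256 of the raw blob, base64 with '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy form (ssh-keygen -l -E md5, older PuTTY/Tera Term): colon-separated hex."""
    digest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_from_ios_output(text: str) -> dict:
    """Decode, sanity-check and fingerprint a host key pasted from 'sh ip ssh'."""
    blob = extract_key_blob(text)
    info = parse_ssh_rsa(blob)
    info["blob_len"] = len(blob)
    info["sha256"] = sha256_fingerprint(blob)
    info["md5"] = md5_fingerprint(blob)
    return info


if __name__ == "__main__":
    result = fingerprints_from_ios_output(IOS_SHOW_IP_SSH_KEY)
    # Same layout as "ssh-keygen -l" so it can be compared line-for-line with the
    # value the SSH client shows on first connection.
    print(f"{result['bits']} {result['sha256']} ({result['type']})")
    print(f"{result['bits']} {result['md5']} ({result['type']})")
```

Paste the router's key block into a file and pass its contents to fingerprints_from_ios_output (or just run the script as-is against the embedded sample); the SHA256 line should match what ssh-keygen printed in the reply above, and the MD5 line is what to compare against a client that still shows the old colon-hex form. The structural check in parse_ssh_rsa matters when copying from a console: a dropped or extra character in the base64 usually surfaces as a length mismatch or a bad key type rather than a silently different fingerprint.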