  #1  
Old 11-30-2012, 10:59 AM
Sdhjt Sdhjt is offline
Registered User
 
Join Date: Nov 2012
Posts: 3
Why is the client's Host Key fingerprint different from the server's?

I use SecureCRT (7.0.2 Standard 32-bit Windows PC Installer) to connect to my server, and the MD5 hash it generates is:
Server's host key fingerprint (MD5 hash):
32:f4:0d:7e:d8:c3:a5:4f:cf:10:30:ec:ec:d2:df:77


PuTTY RSA key fingerprint is fc:e1:88:d4:9f:9c:10:dc:85:78:6e:e3:55:b3:d0:39.



I use the following command on my server to generate the hash:
/etc/ssh# ssh-keygen -lf ssh_host_rsa_key.pub
2048 fc:e1:88:d4:9f:9c:10:dc:85:78:6e:e3:55:b3:d0:39 ssh_host_rsa_key.pub (RSA)

My server address is sdhjt.ddns.info, port 22.

I also did a test on the local network. SecureCRT Hash value is still different from the PuTTY and the server.

Any ideas? Thanks.
  #2  
Old 11-30-2012, 11:25 AM
miked miked is offline
Registered User
 
Join Date: Feb 2004
Posts: 2,039
Hello Sdhjt,

The reason for the different values is you're seeing two different types of hashes: MD5 vs SHA-1.

I'm not sure how to generate an MD5 checksum with ssh-keygen, but I'll post a follow up message when I figure this out, or can suggest an alternate method of verifying the fingerprint.
__________________
Mike
VanDyke Software
Technical Support
[http://www.vandyke.com/support]

Last edited by miked; 11-30-2012 at 11:27 AM.
  #3  
Old 11-30-2012, 11:38 AM
Sdhjt Sdhjt is offline
Registered User
 
Join Date: Nov 2012
Posts: 3
Sorry for the duplicate post.
It looks like I was confused about MD5 and SHA. Thank you.
  #4  
Old 11-30-2012, 12:14 PM
miked miked is offline
Registered User
 
Join Date: Feb 2004
Posts: 2,039
No problem about duplicate posts. Your forum account is no longer moderated. I can see how it would be useful to show both. I've added your forum post to our request database so that we can consider adding SHA-1 fingerprints in a future release. If added we'll post a follow up message to this thread.
__________________
Mike
VanDyke Software
Technical Support
[http://www.vandyke.com/support]
  #5  
Old 11-30-2012, 12:29 PM
Sdhjt Sdhjt is offline
Registered User
 
Join Date: Nov 2012
Posts: 3
Well, I'm looking forward to the new release. Thank you for your help.
  #6  
Old 11-30-2012, 01:27 PM
miked miked is offline
Registered User
 
Join Date: Feb 2004
Posts: 2,039
Hi Sdhjt,

I don't see a way to generate the MD5 fingerprint with OpenSSH's ssh-keygen. For now, an immediate workaround would be to put SecureCRT into FIPS mode. That will show you hostkey fingerprints using the SHA1 algorithm (because SHA1 is a FIPS approved algorithm, MD5 is not).

If you are interested in finding out more about FIPS mode, or would like to receive direct e-mail notification should a future release of SecureCRT show MD5 and SHA1 fingerprints, please let us know and refer to forum thread 10773.
__________________
Mike
VanDyke Software
Technical Support
[http://www.vandyke.com/support]
  #7  
Old 05-30-2014, 03:42 AM
kengaru kengaru is offline
Registered User
 
Join Date: Nov 2011
Posts: 5
Still no such feature.

Meanwhile, when you're using the common (widespread) Linux SSH server, you're unable to check whether the fingerprint of your server host key matches the one that VanDyke SCRT shows you. So you're unable to check authenticity and whether there is a man-in-the-middle in your data path.

I shouldn't have to switch to FIPS mode for that.
  #8  
Old 05-30-2014, 12:08 PM
jdev jdev is offline
VanDyke Technical Support
 
Join Date: Nov 2003
Location: Albuquerque, NM
Posts: 1,099
Quote:
Originally Posted by kengaru
Still no such feature.

Meanwhile, when you're using the common (widespread) Linux SSH server, you're unable to check whether the fingerprint of your server host key matches the one that VanDyke SCRT shows you. So you're unable to check authenticity and whether there is a man-in-the-middle in your data path.

I shouldn't have to switch to FIPS mode for that.

We're looking into adding functionality to the next version of SecureCRT (7.3) for displaying the fingerprint in both SHA1 and MD5.


--Jake
__________________
Jake Devenport
VanDyke Software
Technical Support
YouTube Channel: https://www.youtube.com/vandykesoftware
Email: support@vandyke.com
Web: https://www.vandyke.com/support
  #9  
Old 05-30-2014, 04:14 PM
jdev jdev is offline
VanDyke Technical Support
 
Join Date: Nov 2003
Location: Albuquerque, NM
Posts: 1,099
Also, if you have access to the server through another route (which I assume you may since you're running ssh-keygen -l to get the SHA1 fingerprint/hash), you can get at the SHA1 hash for the same file by running the following command as described online here:

For an OpenSSH server's DSA host key:
Code:
cut -d ' ' -f 2 < /etc/ssh/ssh_host_dsa_key.pub | base64 -d | sha1sum
For an OpenSSH server's RSA host key:
Code:
cut -d ' ' -f 2 < /etc/ssh/ssh_host_rsa_key.pub | base64 -d | sha1sum
This could serve as another workaround in the meantime (that doesn't involve switching SecureCRT into FIPS mode).

For those who might find it useful here's a bash shell script that will display both the MD5 and SHA1 hashes/fingerprints for all the OpenSSH host keys on your typical Linux system:
Code:
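#!/bin/sh
# showHostKeyHashes.sh
# Print the SHA-1 and MD5 hashes of every OpenSSH host public key.
for file in /etc/ssh/*.pub
do
    # Skip the unexpanded pattern when no .pub files exist
    [ -e "$file" ] || continue
    # Field 2 of a .pub file is the base64 key blob; hash its decoded bytes
    SHA1HASH=$(cut -d ' ' -f 2 < "$file" | base64 -d | sha1sum | sed -e 's/  -//g')
    MD5HASH=$(cut -d ' ' -f 2 < "$file" | base64 -d | md5sum | sed -e 's/  -//g')
    echo
    echo "Host key file: $file"
    echo "SHA1: $SHA1HASH"
    echo " MD5: $MD5HASH"
    echo
done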
Example output:
Code:
[root@localhost ~]# ./showHostKeyHashes.sh

Host key file: /etc/ssh/ssh_host_dsa_key.pub
SHA1: 98a6510895a6f6f720729acf9a70b7c148cb004e
 MD5: 577b1380a3411091bf7fc7df73ca7533


Host key file: /etc/ssh/ssh_host_rsa_key.pub
SHA1: eb45e1ed35ab7bcf44e12f5ee6846737f8b23802
 MD5: 425adb7a9511c2ae70fc7175a4cd9d54
--Jake
__________________
Jake Devenport
VanDyke Software
Technical Support
YouTube Channel: https://www.youtube.com/vandykesoftware
Email: support@vandyke.com
Web: https://www.vandyke.com/support
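
The check this thread is after, comparing a fingerprint copied from the client's host key dialog against the server's own public key, as an added example that is not part of any post above. The function names and the sample key line are constructed for illustration, and GNU coreutils (base64, md5sum, sha1sum) are assumed.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Constructed sample in OpenSSH .pub layout: "type base64-blob comment".
# The blob is truncated filler, not a usable key.
SAMPLE_PUB='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC7 constructed@example'

# hostkey_fp ALGO: read one public key line on stdin and print its
# fingerprint as colon-separated hex, the form SSH client dialogs show.
hostkey_fp() {
    case "$1" in
        md5)  tool=md5sum ;;
        sha1) tool=sha1sum ;;
        *)    echo "unsupported algorithm: $1" >&2; return 2 ;;
    esac
    # Field 2 is the base64 key blob; -s drops lines that have no fields.
    blob=$(head -n 1 | cut -s -d ' ' -f 2)
    # Refuse undecodable input instead of hashing an empty stream.
    [ -n "$blob" ] && printf '%s' "$blob" | base64 -d >/dev/null 2>&1 || {
        echo "no decodable key blob on stdin" >&2
        return 1
    }
    printf '%s' "$blob" | base64 -d | "$tool" | cut -d ' ' -f 1 |
        sed -e 's/../&:/g' -e 's/:$//'
}

# normalize_fp FP: lower-case FP and keep only its hex digits, so that
# "FC:E1:88", "fc e1 88" and "fce188" all compare equal.
normalize_fp() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | tr -cd '0-9a-f'
}

# fp_matches ALGO SHOWN: exit 0 only if SHOWN (as copied from the client)
# equals the ALGO fingerprint of the key line on stdin.
fp_matches() {
    actual=$(hostkey_fp "$1") || return 2
    [ "$(normalize_fp "$actual")" = "$(normalize_fp "$2")" ]
}

# Stand-alone demo on the constructed sample.
for algo in md5 sha1; do
    printf '%s: ' "$algo"
    printf '%s\n' "$SAMPLE_PUB" | hostkey_fp "$algo"
done
```

On the server, run fp_matches with the algorithm the client labels its value with and redirect stdin from /etc/ssh/ssh_host_rsa_key.pub; a non-zero exit means the value shown by the client is not that key's fingerprint under that algorithm.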
  #10  
Old 06-02-2014, 08:44 AM
kengaru kengaru is offline
Registered User
 
Join Date: Nov 2011
Posts: 5
Thanks a lot, these workarounds are truly useful until the feature is implemented.
  #11  
Old 06-03-2014, 01:22 AM
kengaru kengaru is offline
Registered User
 
Join Date: Nov 2011
Posts: 5
Additionally, I found that for server host keys stored in the SecureCRT internal database there is no method to see fingerprints; only the whole key can be viewed and copy-pasted (Global Options -> SSH2 host keys -> View/Export/Import/Delete). Also, the date of import is not available.

That's the same issue overall: one should be able to see both the date the key was added (to be able to check the correlation with real server host key changes) and the MD5/SHA1 fingerprints in one click, without additional workarounds.
  #12  
Old 06-03-2014, 09:52 AM
rtb rtb is offline
VanDyke Technical Support
 
Join Date: Aug 2008
Posts: 4,305
Hi kengaru,

I have created an additional feature request to add the ability to access the date when a host key was added to the host key database and the SHA1 and MD5 fingerprints from the Host Key Database category of the Global Options dialog. Should we add this capability, we will post to this forum thread.

If anyone would like to be notified directly, please complete and submit the form at the following location:
Submit Feature Request
__________________
--Todd

VanDyke Software
Technical Support
support@vandyke.com
505-332-5730
  #13  
Old 06-09-2014, 05:57 PM
Maureen Maureen is offline
VanDyke Product Director
 
Join Date: Feb 2004
Location: Albuquerque, NM
Posts: 1,612
For host keys, the SHA-1 fingerprint is now shown in addition to the MD5 fingerprint. This has been implemented in a pre-beta version of SecureCRT. If you would be interested in trying it, please send email to me at Maureen.Jett@vandyke.com.

Maureen
All times are GMT -6. The time now is 03:29 AM.