Verifying BitFolk's SSH fingerprints: Difference between revisions

From BitFolk
Jump to navigation Jump to search
m (→‎Monkeysphere: Link to HostKeyAlias bug report)
mNo edit summary
 
(3 intermediate revisions by 2 users not shown)
Line 4: Line 4:
SSH uses public key cryptography to, amongst other things, verify that the host you're connecting to is really the host you intended to connect to. As is always the case with public key cryptography though, the initial key exchange has to be done by some other secure method. SSH displays fingerprints so that you can easily verify that you're connecting to the correct place. If you've ever seen something like this:
SSH uses public key cryptography to, amongst other things, verify that the host you're connecting to is really the host you intended to connect to. As is always the case with public key cryptography though, the initial key exchange has to be done by some other secure method. SSH displays fingerprints so that you can easily verify that you're connecting to the correct place. If you've ever seen something like this:


<syntaxhighlight highlight="3">
<syntaxhighlight lang="text" highlight="3">
$ ssh strugglers.net
$ ssh strugglers.net
The authenticity of host 'strugglers.net (212.13.194.70)' can't be established.
The authenticity of host 'strugglers.net (212.13.194.70)' can't be established.
Line 16: Line 16:


==SSH fingerprints of BitFolk hosts==
==SSH fingerprints of BitFolk hosts==
Here's an [http://en.wikipedia.org/wiki/Pretty_Good_Privacy OpenPGP]-signed text file listing the SSH fingerprints of BitFolk hosts you might care about:
The following examples assume that your BitFolk account name is
"'''ruminant'''" and you're trying to connect to its [[Xen Shell]] host.


* https://bitfolk.com/keys/ssh.txt
===Verifying BitFolk SSH host fingerprints with SSH itself===
 
All of the BitFolk hosts that customers are expected to ever SSH to have
==Console host ''vs.'' real host==
their [[Wikipedia:SSHFP record|SSH host fingerprints stored in DNS]] and
Note that normally when connecting to your Xen Shell you would connect to the host <tt>'''''username''.console.bitfolk.com'''</tt> where <tt>'''''username'''''</tt> is the name of your BitFolk account. This is done as a DNS CNAME (an alias) to the real server that your VPS is on so that you only have to remember one hostname even if your VPS is moved to another server. SSH fingerprints aren't published for all of these aliases because there would need to be one for each customer account and they'd be changing all the time.
secured by [[Wikipedia:DNSSEC|DNSSEC]]. So, ''if'':
 
SSH doesn't follow the chain of CNAMEs and will always try to verify the hostname that you entered against its list of known host keys. You can work out which host your VPS is actually on and always connect to that, e.g. for the VPS account '''ruminant''':


<syntaxhighlight>
* your local DNS resolver validates DNSSEC ''and'';
$ host ruminant.console.bitfolk.com
* you've configured your SSH client to do so;
ruminant.console.bitfolk.com is an alias for console.urquell.bitfolk.com.
console.urquell.bitfolk.com is an alias for urquell.bitfolk.com.
urquell.bitfolk.com has address 85.119.80.15
urquell.bitfolk.com has IPv6 address 2001:ba8:0:1f1::4
$ ssh ruminant@urquell.bitfolk.com
</syntaxhighlight>


The SSH fingerprint for <tt>'''urquell.bitfolk.com'''</tt> has been published, so you can verify this.
then your SSH client can verify BitFolk's SSH host fingerprints by
itself.


Alternatively you can use the <tt>'''HostKeyAlias'''</tt> directive in your '''$HOME/.ssh/config''' file to tell SSH to verify a different name:
For OpenSSH the configuration option is '''VerifyHostKeyDNS''' and
it defaults to '''no'''. You would normally set it in your client
configuration file but it can also be set on the command line:


<syntaxhighlight>
<syntaxhighlight lang="text">
Host ruminant.console.bitfolk.com
$ ssh -v -oVerifyHostKeyDNS=yes ruminant@ruminant.console.bitfolk.com
    HostKeyAlias urquell.bitfolk.com
[…]
</syntaxhighlight>
debug1: found 1 secure fingerprints in DNS
 
debug1: matching host key fingerprint found in DNS
Just bear in mind that if your VPS is ever moved to another server then you'll need to connect to (or alias) a different host.
[…]
 
==Monkeysphere==
BitFolk's SSH keys have also been published in [http://web.monkeysphere.info/ Monkeysphere]. This enables people to automatically verify SSH host keys as long as they're signed by someone inside their OpenPGP web of trust. It therefore requires you to be an OpenPGP user and have a web of trust that is developed enough. The typical implementation of OpenPGP in use on Linux is the [http://www.gnupg.org/ GNU Privacy Guard (gnupg)].
 
Here's an example of first connecting to <tt>'''ruminant.console.bitfolk.com'''</tt> with a Monkeysphere-enabled '''ssh'''. Unfortunately Monkeysphere doesn't yet support <tt>'''HostKeyAlias'''</tt> for its first verification ([https://labs.riseup.net/code/issues/447 bug report for that]), but once the host key is added this will be picked up by SSH's future verifications.
 
<syntaxhighlight highlight="2-6">
$ ssh ruminant@urquell.bitfolk.com
ms: processing: urquell.bitfolk.com
ms:  checking keyserver pool.sks-servers.net...
ms: primary key found: 03D4BA140261D955
ms:   * acceptable primary key.
ms: * new key for urquell.bitfolk.com added to known_hosts file.
This computer system is the property of BitFolk Ltd.
This computer system is the property of BitFolk Ltd.


Disconnect NOW if you have not been expressly authorised to
Disconnect NOW if you have not been expressly authorised to
use this system.  Unauthorised use is a criminal offence
use this system.  Unauthorised use is a criminal offence  
under the Computer Misuse Act 1990.
under the Computer Misuse Act 1990.


Line 70: Line 53:
</syntaxhighlight>
</syntaxhighlight>


The above has the log level for Monkeysphere cranked up to '''verbose'''; normally you'd only see the line "<tt>ms: * new key for urquell.bitfolk.com added to known_hosts file.</tt>" which indicates that Monkeysphere was satisfied that the key for <tt>'''urquell.bitfolk.com'''</tt> both had a matching fingerprint and was also signed by someone that we trust. The host key gets added to the '''known_hosts''' file and will be subsequently verified regardless of Monkeysphere.
If you do not have a recursor performing DNSSEC validation you'll see something like:
<syntaxhighlight>
$ ssh -v -oVerifyHostKeyDNS=yes ruminant@ruminant.console.bitfolk.com
[…]
debug1: found 1 insecure fingerprints in DNS
debug1: verify_host_key_dns: matched SSHFP type 1 fptype 2
debug1: matching host key fingerprint found in DNS
[…]
The authenticity of host 'ruminant.console.bitfolk.com (85.119.80.22)' can't be established.
RSA key fingerprint is SHA256:cO9wMH2pkR7Y4BVytdyydRFLfXtfvF9V2YZsK9io1M0.
Matching host key fingerprint found in DNS.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
</syntaxhighlight>
 
At this point SSH has validated the host key via DNS, but not in a secure way, it then asks you the normal [https://en.wikipedia.org/wiki/Trust_on_first_use TOFU question] with the extra line: "Matching host key fingerprint found in DNS."; it is up to you whether you trust it at this point.
 
Configuring '''VerifyHostKeyDNS''' for all hosts will result in an extra DNS lookup on each SSH connection. You may wish to add something like this to ~/.ssh/config:


<syntaxhighlight>
<syntaxhighlight>
$ ssh -q ruminant@ruminant.console.bitfolk.com
Host *.console.bitfolk.com
ms: processing: ruminant.console.bitfolk.com
  VerifyHostKeyDNS yes
ms:  checking keyserver pool.sks-servers.net...
ms:  no primary keys found.
Password:
</syntaxhighlight>
</syntaxhighlight>


Being able to verify SSH host keys in Monkeysphere still relies on there being a trust relationship to one of the signatures on the keys. To begin with, keys are only signed by [http://pgp.mit.edu:11371/pks/lookup?search=andy%40bitfolk.com&op=vindex&fingerprint=on andy@bitfolk.com (BF15490B)] so if you don't have an OpenPGP trust relationship with this key then Monkeysphere probably does you no good.
Note that if you do not run your own DNS recursor (e.g. you use the one
supplied by your ISP, a public DNS recursor or whatever the local network
you happen to be on provides to you by DHCP) then it is theoretically
possible that this recursor might lie to you about the
DNSSEC-authenticated nature of the responses it gives you.
 
===Manually checking the fingerprints from DNS===
If your SSH client of choice does not support checking SSHFP records
then you can check them yourself.
 
====1. Query the SSHFP record====
<syntaxhighlight lang="text">
$ dig +nosplit -t sshfp ruminant.console.bitfolk.com
 
; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> +nosplit -t sshfp ruminant.console.bitfolk.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24933
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ruminant.console.bitfolk.com. IN      SSHFP


Attempting to SSH to a host which has a matching but untrusted key would look like this:
;; ANSWER SECTION:
ruminant.console.bitfolk.com. 280 IN    CNAME  console.leffe.bitfolk.com.
console.leffe.bitfolk.com. 83080 IN    CNAME  leffe.bitfolk.com.
leffe.bitfolk.com.      83080  IN      SSHFP  1 2 70EF70307DA9911ED8E01572B5DCB275114B7D7B5FBC5F55D9866C2BD8A8D4CD
</syntaxhighlight>


<syntaxhighlight>
Here, the host key fingerprint is
$ ssh justtesting@zimmermann.mayfirst.org
'''70EF70307DA9911ED8E01572B5DCB275114B7D7B5FBC5F55D9866C2BD8A8D4CD'''.
ms: processing: zimmermann.mayfirst.org
The '''ad''' part of the '''flags:''' line says that this is
ms:  checking keyserver pool.sks-servers.net...  
authenticated data. Without DNSSEC there would be no '''ad''' flag.
ms:  primary key found: D52E4D49860E8F9C
-------------------- Monkeysphere warning -------------------
Monkeysphere found OpenPGP keys for this hostname, but none had full validity.
An OpenPGP key matching the ssh key offered by the host was found:


pub  2048R/860E8F9C 2008-10-29 [expires: 2011-09-10]
====2. Check the fingerprint of what you are actually connecting to====
uid      [ unknown] ssh://zimmermann.mayfirst.org
Your SSH client should have some way of showing you the fingerprint of
sig!        1CF2D62A 2008-11-16  Micah Anderson <micah@debian.org>
what you're trying to connect to. Newer versions of OpenSSH have a
sig!3        860E8F9C 2009-03-07  ssh://zimmermann.mayfirst.org
helper command '''ssh-keyscan''' for this:
sig!3        860E8F9C 2010-03-09  ssh://zimmermann.mayfirst.org
sig!3        860E8F9C 2010-09-10  ssh://zimmermann.mayfirst.org
sig!3        860E8F9C 2008-10-29  ssh://zimmermann.mayfirst.org
sig!        D21739E9 2008-10-29  Daniel Kahn Gillmor <dkg@fifthhorseman.net>
sig!        2861A790 2010-03-09  Micah Anderson <micah@riseup.net>
RSA key fingerprint is 81:96:13:3e:24:c9:3c:5b:3c:6d:55:ba:58:85:e9:9e.
Other user IDs on this key:
uid      [ unknown] ssh://zimmerman.mayfirst.org


-------------------- ssh continues below --------------------
<syntaxhighlight lang="text">
The authenticity of host 'zimmermann.mayfirst.org (<no hostip for proxy command>)' can't be established.
$ ssh-keyscan -D ruminant.console.bitfolk.com
RSA key fingerprint is 81:96:13:3e:24:c9:3c:5b:3c:6d:55:ba:58:85:e9:9e.
ruminant.console.bitfolk.com. IN SSHFP 1 1 1c77d9c17157f69df07285cb683db6c84455a636
Are you sure you want to continue connecting (yes/no)?
ruminant.console.bitfolk.com. IN SSHFP 1 2 70ef70307da9911ed8e01572b5dcb275114b7d7b5fbc5f55d9866c2bd8a8d4cd
</syntaxhighlight>
</syntaxhighlight>


===Sign BitFolk's Monkeysphere keys===
As you can see,
Assuming that you have logged in to a BitFolk host that has a published SSH host key and you've verified that it really is the host that you intended to log into, it would help if you would also sign the key and upload it to the key servers. That way, anyone who trusts your signature will also be able to verify the key.
'''70ef70307da9911ed8e01572b5dcb275114b7d7b5fbc5f55d9866c2bd8a8d4cd'''
and
'''70EF70307DA9911ED8E01572B5DCB275114B7D7B5FBC5F55D9866C2BD8A8D4CD'''
are the same apart from case (which doesn't matter in DNS).


You sign and upload these OpenPGP SSH host keys the same way that you sign and upload any other OpenPGP key, so we're not going to go into the details here. You need to read and understand the documentation for your particular implementation of OpenPGP.
Only newer versions of '''ssh-keyscan''' support the '''-D''' option.
It's a bit tricker but older versions can be made to display similar
data:


===Publishing your own keys===
<syntaxhighlight lang="text">
Anyone can publish any OpenPGP key. The only way to tell if a given key is really what it says it is would be to trust the signatures on it. BitFolk will not be publishing keys for every <tt>'''''username''.console.bitfolk.com'''</tt> mapping, but you can publish them if you wish. You'll need to revoke it and publish it again any time that it changes. Given that it will only be useful for the very first time that you connect to it, this seems like a lot of work, but there's nothing stopping you.
$ ssh-keygen -r ruminant.console.bitfolk.com -f \
<(ssh-keyscan -t rsa ruminant.console.bitfolk.com 2>/dev/null \
| sed -r 's/^[^ ]+ //')
ruminant.console.bitfolk.com IN SSHFP 1 1 1c77d9c17157f69df07285cb683db6c84455a636
ruminant.console.bitfolk.com IN SSHFP 1 2 70ef70307da9911ed8e01572b5dcb275114b7d7b5fbc5f55d9866c2bd8a8d4cd
</syntaxhighlight>


Obviously, if you should find some key out there for your <tt>'''''username''.console.bitfolk.com'''</tt> and you ''didn't'' create/sign it, you should be extremely cautious about using it for anything!
Here you are still trusting the SSHFP records in DNS, so you still have
to trust that your local resolver validates DNSSEC.


==DNS==
===Verifying BitFolk SSH host fingerprints with PGP===
SSH fingerprints can also be stored in DNS. There is some support in various SSH clients for automatically requesting and verifying this.
If you can't trust your local resolver to validate DNSSEC then here's an
[http://en.wikipedia.org/wiki/Pretty_Good_Privacy OpenPGP]-signed text
file listing the SSH fingerprints of BitFolk hosts you might care about:


This is not yet implemented at BitFolk because [http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions DNSSEC] isn't yet implemented at BitFolk. Without DNSSEC you can't tell if the DNS answers you're receiving are correct. Once DNSSEC is implemented, SSH fingerprints will also be available in DNS.
* https://bitfolk.com/keys/ssh.txt


* [https://tools.bitfolk.com/redmine/issues/59 Feature request for DNSSEC on bitfolk.com]
You'll need to resolve the chain of hosts yourself to find out which
real host your console alias is pointing at, e.g.:
 
<syntaxhighlight lang="text">
$ host ruminant.console.bitfolk.com
ruminant.console.bitfolk.com is an alias for console.leffe.bitfolk.com.
console.leffe.bitfolk.com is an alias for leffe.bitfolk.com.
leffe.bitfolk.com has address 85.119.80.22
leffe.bitfolk.com has IPv6 address 2001:ba8:0:1f1::d
</syntaxhighlight>


==Fingerprints of the SSH host keys for your VPS==
==Fingerprints of the SSH host keys for your VPS==
Line 146: Line 180:
# Log in to your VPS and display its host key fingerprint
# Log in to your VPS and display its host key fingerprint


<syntaxhighlight>
<syntaxhighlight lang="text">
$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub  
$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub  
1024 62:4a:83:f4:3c:b4:ed:e1:ea:00:7d:be:96:b1:e5:7d /etc/ssh/ssh_host_rsa_key.pub (RSA)
1024 62:4a:83:f4:3c:b4:ed:e1:ea:00:7d:be:96:b1:e5:7d /etc/ssh/ssh_host_rsa_key.pub (RSA)
</syntaxhighlight>
</syntaxhighlight>

Latest revision as of 01:08, 13 April 2023

At some point or another you'll have a need to connect to a BitFolk host via SSH. For example, the Xen Shell is accessed via SSH. This article discusses how to verify the SSH fingerprints of BitFolk hosts.

SSH fingerprints

SSH uses public key cryptography to, amongst other things, verify that the host you're connecting to is really the host you intended to connect to. As is always the case with public key cryptography though, the initial key exchange has to be done by some other secure method. SSH displays fingerprints so that you can easily verify that you're connecting to the correct place. If you've ever seen something like this: 

$ ssh strugglers.net
The authenticity of host 'strugglers.net (212.13.194.70)' can't be established.
RSA key fingerprint is 3d:34:13:36:9e:10:ac:20:5c:a6:38:fa:e8:3e:a0:2a.
Are you sure you want to continue connecting (yes/no)?

then you've seen an SSH fingerprint - it's the 3d:34:13:36:9e:10:ac:20:5c:a6:38:fa:e8:3e:a0:2a part.

In order to securely connect to the above host for the first time, you need to have been given the fingerprint in advance by some secure means so that you can compare it to the fingerprint that the server shows you. If you haven't then you are trusting DNS that this host is really the one that you intended to connect to. Most people just type yes and trust DNS.

SSH fingerprints of BitFolk hosts

The following examples assume that your BitFolk account name is "ruminant" and you're trying to connect to its Xen Shell host.

Verifying BitFolk SSH host fingerprints with SSH itself

All of the BitFolk hosts that customers are expected to ever SSH to have their SSH host fingerprints stored in DNS and secured by DNSSEC. So, if:

  • your local DNS resolver validates DNSSEC and;
  • you've configured your SSH client to do so;

then your SSH client can verify BitFolk's SSH host fingerprints by itself.

For OpenSSH the configuration option is VerifyHostKeyDNS and it defaults to no. You would normally set it in your client configuration file but it can also be set on the command line: 

$ ssh -v -oVerifyHostKeyDNS=yes ruminant@ruminant.console.bitfolk.com
[…]
debug1: found 1 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
[…]
This computer system is the property of BitFolk Ltd.

Disconnect NOW if you have not been expressly authorised to
use this system.  Unauthorised use is a criminal offence 
under the Computer Misuse Act 1990.

Communications on or through BitFolk's computer systems may
be monitored or recorded to secure effective system
operation and for other lawful purposes.

Password:

If you do not have a recursor performing DNSSEC validation you'll see something like: 

$ ssh -v -oVerifyHostKeyDNS=yes ruminant@ruminant.console.bitfolk.com
[…]
debug1: found 1 insecure fingerprints in DNS
debug1: verify_host_key_dns: matched SSHFP type 1 fptype 2
debug1: matching host key fingerprint found in DNS
[…]
The authenticity of host 'ruminant.console.bitfolk.com (85.119.80.22)' can't be established.
RSA key fingerprint is SHA256:cO9wMH2pkR7Y4BVytdyydRFLfXtfvF9V2YZsK9io1M0.
Matching host key fingerprint found in DNS.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

At this point SSH has validated the host key via DNS, but not in a secure way, it then asks you the normal TOFU question with the extra line: "Matching host key fingerprint found in DNS."; it is up to you whether you trust it at this point.

Configuring VerifyHostKeyDNS for all hosts will result in an extra DNS lookup on each SSH connection. You may wish to add something like this to ~/.ssh/config: 

Host *.console.bitfolk.com
  VerifyHostKeyDNS yes

Note that if you do not run your own DNS recursor (e.g. you use the one supplied by your ISP, a public DNS recursor or whatever the local network you happen to be on provides to you by DHCP) then it is theoretically possible that this recursor might lie to you about the DNSSEC-authenticated nature of the responses it gives you.

Manually checking the fingerprints from DNS

If your SSH client of choice does not support checking SSHFP records then you can check them yourself.

1. Query the SSHFP record

$ dig +nosplit -t sshfp ruminant.console.bitfolk.com

; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> +nosplit -t sshfp ruminant.console.bitfolk.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24933
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ruminant.console.bitfolk.com.  IN      SSHFP

;; ANSWER SECTION:
ruminant.console.bitfolk.com. 280 IN    CNAME   console.leffe.bitfolk.com.
console.leffe.bitfolk.com. 83080 IN     CNAME   leffe.bitfolk.com.
leffe.bitfolk.com.      83080   IN      SSHFP   1 2 70EF70307DA9911ED8E01572B5DCB275114B7D7B5FBC5F55D9866C2BD8A8D4CD

Here, the host key fingerprint is 70EF70307DA9911ED8E01572B5DCB275114B7D7B5FBC5F55D9866C2BD8A8D4CD. The ad part of the flags: line says that this is authenticated data. Without DNSSEC there would be no ad flag.

2. Check the fingerprint of what you are actually connecting to

Your SSH client should have some way of showing you the fingerprint of what you're trying to connect to. Newer versions of OpenSSH have a helper command ssh-keyscan for this: 

$ ssh-keyscan -D ruminant.console.bitfolk.com
ruminant.console.bitfolk.com. IN SSHFP 1 1 1c77d9c17157f69df07285cb683db6c84455a636
ruminant.console.bitfolk.com. IN SSHFP 1 2 70ef70307da9911ed8e01572b5dcb275114b7d7b5fbc5f55d9866c2bd8a8d4cd

As you can see, 70ef70307da9911ed8e01572b5dcb275114b7d7b5fbc5f55d9866c2bd8a8d4cd and 70EF70307DA9911ED8E01572B5DCB275114B7D7B5FBC5F55D9866C2BD8A8D4CD are the same apart from case (which doesn't matter in DNS).

Only newer versions of ssh-keyscan support the -D option. It's a bit tricker but older versions can be made to display similar data: 

$ ssh-keygen -r ruminant.console.bitfolk.com -f \
<(ssh-keyscan -t rsa ruminant.console.bitfolk.com 2>/dev/null \
| sed -r 's/^[^ ]+ //')
ruminant.console.bitfolk.com IN SSHFP 1 1 1c77d9c17157f69df07285cb683db6c84455a636
ruminant.console.bitfolk.com IN SSHFP 1 2 70ef70307da9911ed8e01572b5dcb275114b7d7b5fbc5f55d9866c2bd8a8d4cd

Here you are still trusting the SSHFP records in DNS, so you still have to trust that your local resolver validates DNSSEC.

Verifying BitFolk SSH host fingerprints with PGP

If you can't trust your local resolver to validate DNSSEC then here's an OpenPGP-signed text file listing the SSH fingerprints of BitFolk hosts you might care about:

You'll need to resolve the chain of hosts yourself to find out which real host your console alias is pointing at, e.g.: 

$ host ruminant.console.bitfolk.com
ruminant.console.bitfolk.com is an alias for console.leffe.bitfolk.com.
console.leffe.bitfolk.com is an alias for leffe.bitfolk.com.
leffe.bitfolk.com has address 85.119.80.22
leffe.bitfolk.com has IPv6 address 2001:ba8:0:1f1::d

Fingerprints of the SSH host keys for your VPS

BitFolk cannot publish the fingerprints of the SSH host keys of your VPS because BitFolk doesn't know what host name you will be using to connect to it.

BitFolk could conceivably publish a host key for the IP address literal that you use to connect to your VPS for the first time, but this would change even more often than the console host mappings, so it would be a significant administrative burden.

For VPSes installed on your behalf, BitFolk does of course have access to the SSH host key and could communicate the fingerprint to you in your setup email, which is also OpenPGP-signed. That isn't yet implemented.

The very first time you want to connect to your new VPS, you can still work around this by instead first connecting to the Xen Shell, since this is a host whose key you can verify.

  1. If you don't have the password for your BitFolk account you can do a BitFolk password reset to have a new one generated and emailed to you.
  2. Work out what your real console host is.
  3. SSH to it and verify its host key by any of the methods above.
  4. Use the console command to connect to the console of your VPS
  5. Log in to your VPS and display its host key fingerprint
$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub 
1024 62:4a:83:f4:3c:b4:ed:e1:ea:00:7d:be:96:b1:e5:7d /etc/ssh/ssh_host_rsa_key.pub (RSA)
Retrieved from "https://tools.bitfolk.com/w/index.php?title=Verifying_BitFolk%27s_SSH_fingerprints&oldid=1895"