tags:

views:

21

answers:

1
+1  Q: 

PuTTY Security Alert - What does key fingerprint mean?

Hello,

I have another question to security in the web world.

So I read (and ask :P) about certificates and think I got what it is and how it works. My next question is putty specific. When I open a connection with putty to a new server with ssh (port: 22) I get a PuTTY Security Alert:

The server's host key is not chacked in the registry. You have to guarantee that the server is the computer you think it is. The server's xxxx key fingerprint is: yyyyyyyyyyyyyyyyyyyyyyyyyyy If you trust this host, hit Yes... etc.

Now I am wondering what a key fingerprint means. Is that just a certificate which putty hasn't in is cache yet?

thanks.

SCBoy

A: 

Those are the first bytes of the server certificate public key. The idea is that the key is a random number, so the first bytes are random too and therefore knowing that those first bytes are the same for two keys would likely mean that the keys are actually the same.

You can use this to validate the server. You could for example call the administrator of that server and ask him for the fingerprint of the key to validate that it's indeed the key of that server, not some man-in-the-middle server belonging to a malicious party.

sharptooth  2010-10-15 14:10:30
But why is it only the first time? Because a certificate gets downloaded after clicking yes?
SCBoy  2010-10-15 14:14:54
@SCBoy: Usually that's because after you click "accept" PuTTY will memorize somewhere (in the registry I suppose) that you've accepted that fingerprint and so next time the certificate will be treated as a trustworthy one.
sharptooth  2010-10-15 14:18:55
ah thanks alot.
SCBoy  2010-10-15 14:20:30
@SCBoy: You're welcome.
sharptooth  2010-10-15 14:21:10
Actually, what is usually meant by a "fingerprint" of a public key is not just the first few bytes of the key but a hash of the whole key value. I'm not sure what PuTTY uses but the docs say that it "is derived cryptographically from the public key".
dajames  2010-10-15 19:02:38

related questions

Is there a better Java implementation of SSH2 than JSch?
Check out from a remote SVN repository TO a remote location?
Download files to local drive when sshed
Are there any good free .Net network libraries? (FTP, SFTP, SSH, etc.)
How do you install an ssh server on qnx?
How do I remove the passphrase for the SSH key without having to create a new key?
ssh-agent with passwords without spawning too many processes
Why does cisco IOS require domain-name to be set before SSH keys can be generated?
Setting the default ssh key location
Managing authorized_keys on a large number of hosts.
Inter-convertability of asymmetric key containers (eg: X.509, PGP, OpenSSH)
Which is the best way to bring a file from a remote host to local host over an SSH session?
Is it possible to forward ssh requests that come in over a certain port to another machine?
Can you have virtual users using an SFTP server?
Why does Vista complain about a dead process when I use Cygwin X11 ssh and how do I get it to shut up?
ssh hangs when command invoked directly, but exits cleanly when run interactive
Getting ssh to execute a command in the background on target machine
How do you use ssh in a shell script?
Avoid traffic shaping by using ssh on port 443
Alternative SSH Application to Plink
What are some good SSH Servers for windows?
Keep Remote Directory Up-to-date
Allow user to set up an SSH tunnel, but nothing else
How do I setup Public-Key Authentication?
Gtk SSH client for Linux?