| author | Darren Tucker <dtucker@zip.com.au> | 2008-06-14 01:04:26 +0200 |
|---|---|---|
| committer | Darren Tucker <dtucker@zip.com.au> | 2008-06-14 01:04:26 +0200 |
| commit | f6bffb13911564cc80c01c10b71acfba4f315315 (patch) | |
| tree | 3f00bee376dfd1165a023ac1a000614bb297509f /ssh.1 | |
| parent | - dtucker@cvs.openbsd.org 2008/06/13 18:55:22 (diff) | |
| download | openssh-f6bffb13911564cc80c01c10b71acfba4f315315.tar.xz, openssh-f6bffb13911564cc80c01c10b71acfba4f315315.zip | |
- grunk@cvs.openbsd.org 2008/06/13 20:13:26
[ssh.1]
Explain the use of SSH fpr visualization using random art, and cite the
original scientific paper inspiring that technique.
Much help with English and nroff by jmc@, thanks.
Diffstat
| -rw-r--r-- | ssh.1 | 39 |
|---|---|---|
1 file changed, 34 insertions, 5 deletions
@@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.273 2008/02/11 07:58:28 jmc Exp $ -.Dd $Mdocdate: February 11 2008 $ +.\" $OpenBSD: ssh.1,v 1.274 2008/06/13 20:13:26 grunk Exp $ +.Dd $Mdocdate: June 13 2008 .Dt SSH 1 .Os .Sh NAME @@ -1027,9 +1027,31 @@ Fingerprints can be determined using .Pp .Dl $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key .Pp -If the fingerprint is already known, -it can be matched and verified, -and the key can be accepted. +If the fingerprint is already known, it can be matched +and the key can be accepted or rejected. +Because of the difficulty of comparing host keys +just by looking at hex strings, +there is also support to compare host keys visually, +using +.Em random art . +By setting the +.Cm CheckHostIP +option to +.Dq fingerprint , +a small ASCII graphic gets displayed on every login to a server, no matter +if the session itself is interactive or not. +By learning the pattern a known server produces, a user can easily +find out that the host key has changed when a completely different pattern +is displayed. +Because these patterns are not unambiguous however, a pattern that looks +similar to the pattern remembered only gives a good probability that the +host key is the same, not guaranteed proof. +.Pp +To get a listing of the fingerprints along with their random art for +all known hosts, the following command line can be used: +.Pp +.Dl $ ssh-keygen -lv -f ~/.ssh/known_hosts +.Pp If the fingerprint is unknown, an alternative method of verification is available: SSH fingerprints verified by DNS. 
@@ -1433,6 +1455,13 @@ manual page for more information. .%T "The Secure Shell (SSH) Public Key File Format" .%D 2006 .Re +.Rs +.%T "Hash Visualization: a New Technique to improve Real-World Security" +.%A A. Perrig +.%A D. Song +.%D 1999 +.%O "International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99)" +.Re .Sh AUTHORS OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. |
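Review bot: the replacement `.Dd` line in the first hunk (at -34) reads `.Dd $Mdocdate: June 13 2008` without the closing ` $` that the removed line `.Dd $Mdocdate: February 11 2008 $` carried; if that is not an artefact of how the diff is rendered on this page, the keyword will no longer be expanded on later commits and the date will go stale. Suggest `.Dd $Mdocdate: June 13 2008 $`.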
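Review bot: the paragraph added at -1027 correctly warns that random art patterns are "not unambiguous" and that a similar-looking pattern gives only "a good probability" that the host key is the same, but it stops short of saying what the user should do then; since the same paragraph introduces the graphic as an easier alternative to comparing hex strings, a sentence stating that on any doubt the hex fingerprint must still be compared against a value obtained out of band (for example via the `ssh-keygen -l` command shown just above) would make the security boundary explicit. Two wording points: "Because these patterns are not unambiguous however" is a double negative, and "Because these patterns are not unique, however," reads more plainly; "no matter if the session itself is interactive or not" should be "whether or not the session is interactive".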
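Review bot: nothing in the random art paragraph added at -1027 points the reader to the Perrig/Song reference this hunk adds under SEE ALSO at -1433, although the commit message says the citation is there to credit the paper that inspired the technique; a short cross-reference from that paragraph to the SEE ALSO entry would tie them together. Minor: the new `.%T` "Hash Visualization: a New Technique to improve Real-World Security" mixes capitalised and lower-case words ("a", "improve") while the neighbouring `.%T` "The Secure Shell (SSH) Public Key File Format" is in title case throughout; unless this reproduces the published title exactly, the entry should match the existing style.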