SSH - Resolve "The authenticity of host can't be established"


Let's say something like this is being returned when attempting to make an SSH connection to an SSH server.

~]# ssh john.doe@server1.example.com
The authenticity of host 'server1 (192.168.0.5)' can't be established
DSA key fingerprint is BB37 83F2 5E3A 7A4C 6C84  F047 D97B DD4E 38BB 2082
Are you sure you want to continue connecting (yes/no)?

 

This means the SSH server's key is not in your /home/your_username/.ssh/known_hosts file. Typing no at the prompt should return the following.

Host key verification failed

 

Entering yes will tell the SSH server to send its public certificate to the client requesting the SSH connection. For example, if the SSH server is a Linux system using OpenSSH, the OpenSSH system would most likely have the following public certificates, which would be sent to the client system requesting the SSH connection, and one of the public certificates will be appended to your /home/username/.ssh/known_hosts file.

/etc/ssh/ssh_host_ecdsa_key.pub
/etc/ssh/ssh_host_ed25519_key.pub
/etc/ssh/ssh_host_rsa_key.pub

 

And the following prompt will appear. This prompt will also appear when an SSH server's public certificate is in the /etc/ssh/ssh_known_hosts file but is not in a user's /home/username/.ssh/known_hosts file.

Warning: Permanently added 'server1.example.com,10.17.144.15' (ECDSA) to the list of known hosts.

 

The ssh-keyscan command can be used to get an SSH server's SSH keys. In this example, the SSH keys from server1.example.com will be returned.

ssh-keyscan server1.example.com

 

The prior command should produce output like this. Notice there are two keys: one is the ECDSA key and the other is the Ed25519 key.

server1.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHXIAfxTJu1y7QdQNrk6xh41FH1fqIVbG2Skvhx49PDfvm5pCdiyHqPP0pcyM7UGJOAPazKNENGZtqmnH8CUDo0=
server1.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMwKQuwRNdPMrcw6keHLMiVwPJWvy0XVqaybWxqQQ5ll

 

If you want to get a certain type of key, the -t option can be used.

ssh-keyscan -t ecdsa server1.example.com

 

By default, the SSH connection will be made on port 22. If the target system is listening for SSH connections on some other port, the -p option can be used. 

ssh-keyscan -p 12345 server1.example.com

 

And this command can be used to append the SSH server's keys to your /home/your_username/.ssh/known_hosts file.

ssh-keyscan server1.example.com >> $HOME/.ssh/known_hosts
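
ssh-keyscan takes whatever keys the network returns, so appending its output to known_hosts trusts them without verification. The following added example (not part of the original article) computes the SHA256 fingerprint of each scanned line so it can be compared with the value printed by ssh-keygen -lf on the server itself, and keeps only the lines that match. The function names and the trusted mapping are assumptions made for illustration.

```python
import base64
import hashlib
import struct

# Sample input: the ssh-ed25519 line from the ssh-keyscan output shown above.
SCANNED = ("server1.example.com ssh-ed25519 "
           "AAAAC3NzaC1lZDI1NTE5AAAAIMwKQuwRNdPMrcw6keHLMiVwPJWvy0XVqaybWxqQQ5ll")


def fingerprint(line):
    """Return (host, key_type, 'SHA256:...') for one ssh-keyscan output line."""
    host, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with a 4-byte big-endian length and the algorithm name.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii") != key_type:
        raise ValueError("key type inside blob does not match declared type")
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints the digest base64-encoded with the '=' padding removed.
    fp = "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")
    return host, key_type, fp


def vetted_lines(scan_output, trusted):
    """Return only the scanned lines whose fingerprint matches `trusted`.

    `trusted` (hypothetical name) maps (host, key_type) to the fingerprint
    obtained out of band, for example read from the server's console.
    """
    accepted = []
    for line in scan_output.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and ssh-keyscan banner comments
        host, key_type, fp = fingerprint(line)
        if trusted.get((host, key_type)) == fp:
            accepted.append(line)
    return accepted


if __name__ == "__main__":
    # Compare with `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` on the server.
    print(*fingerprint(SCANNED))
```

Only the lines returned by vetted_lines should be appended to known_hosts; a line with no trusted entry or a different fingerprint is dropped.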

 



