ssh-keygen randomart
January 18th, 2010 @ 2:35 pm UTC by evan

So, at some point in the recent past (I don’t think I noticed when), ssh-keygen started displaying a “randomart” representation of keys that it generates:
fanty:~ evan$ ssh-keygen -f test -C evan
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in test.
Your public key has been saved in test.pub.
The key fingerprint is:
20:e9:b0:5b:5a:2b:ad:e8:4d:e4:b3:a0:32:49:2d:97 evan
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|     .           |
|  . o .          |
|   + . .         |
|  o.=   S        |
| ooE .           |
|.o*+o            |
|=.+oo            |
|=o.o             |
+-----------------+
Does anybody know why or what it’s supposed to mean?
It’s so you can visually recognize the fingerprint. It’s a lot easier to recall that the pattern looks like what you remembered, than to recall even half of the fingerprint’s hex values.
Btw, set VisualHostKey=yes and you’ll see a host’s randomart when you log in.
Oh, wow – that’s really cool. I never noticed that.
It’s obviously better than not verifying the keys at all (which *cough* I have certainly been guilty of before), but I wonder how much verifying keys by “the shape of the randomart” diminishes the security of the verification vs. checking against the fingerprint.
Yeah, I’ve never been convinced by randomart. Are you actually going to be able to distinguish more than 2^smallnum randomart images from each other? (I could probably count two or three bits for rough shape, two bits for location, a bit or two for whether it’s overwhelmingly Os or dots… that’s about it.) Given that randomart, how long does it take for me to generate a key whose randomart you can’t distinguish from the original?
If I care about authenticating this machine from a client I’ve never used before to connect to it, I’ll write down the entire fingerprint and put it in my wallet.
Try comparing two ssh key fingerprints visually using hex values, and then by using randomart. I think doing the latter is much easier and quicker.
I don’t believe it’s meant as an authoritative check, just a visual confirmation. If you ssh to a host you use frequently and the “fingerprint” is radically different, then you might be the subject of a “man-in-the-middle” type of attack. Currently you just get the “unknown host key” message the first time, which people are accustomed to just answering “yes” to.
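
The randomart in the post can be reproduced from the fingerprint printed above it. The Python below is an added example (not part of the original post or comments, and not OpenSSH's own code) of the "drunken bishop" walk that ssh-keygen uses to draw the picture; the function name and its parameters are assumptions made for illustration.

```python
# Added example: Python re-implementation of the "drunken bishop" walk that
# ssh-keygen uses to draw randomart. Function and parameter names are
# hypothetical; this is not OpenSSH's own code.
WIDTH, HEIGHT = 17, 9                 # field size used by ssh-keygen
SYMBOLS = " .o+=*BOX@%&#/^SE"         # visit count -> character; S=start, E=end
MAX_COUNT = len(SYMBOLS) - 3          # highest ordinary visit count ('^')

# Fingerprint taken from the terminal session in the post.
PAGE_FINGERPRINT = "20:e9:b0:5b:5a:2b:ad:e8:4d:e4:b3:a0:32:49:2d:97"


def randomart(fingerprint, key_type="RSA", bits=2048):
    """Render a colon-separated hex fingerprint as a list of randomart lines."""
    digest = bytes.fromhex(fingerprint.replace(":", ""))
    field = [[0] * WIDTH for _ in range(HEIGHT)]
    x, y = WIDTH // 2, HEIGHT // 2    # the bishop starts in the centre
    for byte in digest:
        for _ in range(4):            # four 2-bit moves per byte, low bits first
            x += 1 if byte & 1 else -1        # bit 0: right or left
            y += 1 if byte & 2 else -1        # bit 1: down or up
            x = min(max(x, 0), WIDTH - 1)     # walls stop the bishop
            y = min(max(y, 0), HEIGHT - 1)
            if field[y][x] < MAX_COUNT:
                field[y][x] += 1              # count the visit
            byte >>= 2
    field[HEIGHT // 2][WIDTH // 2] = len(SYMBOLS) - 2   # mark start with 'S'
    field[y][x] = len(SYMBOLS) - 1                      # mark end with 'E'
    top = ("+--[%4s %4d]" % (key_type, bits)).ljust(WIDTH + 1, "-") + "+"
    rows = ["|" + "".join(SYMBOLS[c] for c in row) + "|" for row in field]
    return [top] + rows + ["+" + "-" * WIDTH + "+"]


if __name__ == "__main__":
    print("\n".join(randomart(PAGE_FINGERPRINT)))
```

The picture is a deterministic function of the fingerprint bytes, so it carries no information beyond the fingerprint itself; comparing randomart is a visual shortcut for comparing the hash.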