Comments on: ssh-keygen randomart

By: Ian

Ian — Wed, 09 Jun 2010 15:48:30 +0000

I don’t believe its meant as an authoritative check, just a visual confirmation. If you ssh to a host you use frequently and the “fingerprint” is radically different, then you might be the subject of a “man-in-the-middle” type of attack. Currently you just get the “unknown host key” message the first time, which people are accustomed to just answering “yes” to.

By: dsafd

dsafd — Thu, 03 Jun 2010 19:41:28 +0000

Try comparing two ssh key fingerprints visually using hex values, and then by using randomart. I think doing the latter is much easier and quicker.

By: geofft

geofft — Wed, 03 Feb 2010 08:56:17 +0000

Yeah, I’ve never been convinced by randomart. Are you actually going to be able to distinguish more than 2^smallnum randomart images from each other? (I could probably count two or three bits for rough shape, two bits for location, a bit or two for whether it’s overwhelmingly Os or dots… that’s about it.) Given that randomart, how long does it take for me to generate a key whose randomart you can’t distinguish from the original?

If I care about authenticating this machine from a client I’ve never used before to connect to it, I’ll write down the entire fingerprint and put it in my wallet.

By: evan

evan — Tue, 19 Jan 2010 22:30:48 +0000

Oh, wow – that’s really cool. I never noticed that.

It’s obviously better than not verifying the keys at all (which *cough* I have certainly been guilty of before), but I wonder how much verifying keys by “the shape of the randomart” diminishes the security of the verification vs. checking against the fingerprint.

By: Jim

Jim — Tue, 19 Jan 2010 02:30:46 +0000

Btw, set VisualHostKey=yes and you’ll see a host’s randomart when you log in.

By: Jim

Jim — Tue, 19 Jan 2010 02:29:55 +0000

It’s so you can visually recognize the fingerprint. It’s a lot easier to recall that the pattern looks like what you remembered, than to recall even half of the fingerprint’s hex values.