Fingerprints
In order to prevent a Man-In-The-Middle attack (MITM)?, SSH requires you to check the fingerprints of the server you connect to. Fingerprints for the IRCNOW network servers can be found here for example.
Your SSH Fingerprints
When ssh server is installed, it stores its keys in /etc/ssh. You can run this script to quickly get the ssh fingerprints for all your keys:
ssh-keygen -E md5 -lf /etc/ssh/ssh_host_dsa_key.pub ssh-keygen -E md5 -lf /etc/ssh/ssh_host_ecdsa_key.pub ssh-keygen -E md5 -lf /etc/ssh/ssh_host_ed25519_key.pub ssh-keygen -E md5 -lf /etc/ssh/ssh_host_rsa_key.pub ssh-keygen -lf /etc/ssh/ssh_host_dsa_key.pub ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
The first four fingerprints use MD5 hashing, which is used by PuTTY. The last four uses SHA256 hashing, which is used by OpenSSH?.
Publish SSHFP
A convenient place to publish ssh fingerprints is in DNS using SSHFP records:
$ ssh-keygen -r example.com. example.com IN SSHFP 1 1 7251d06cf5cf9312b502388edd93ff924c52a73a example.com IN SSHFP 1 2 a0f433e68e5ba29f23825b21a23660d94a5b8a814cd71827fb75cfb4e84e4c49 example.com IN SSHFP 2 1 22ccda0cafee42f3e2cc53d5f695244677a1a88f example.com IN SSHFP 2 2 88fbc099391d1e37330409978e68bdeebc50fe9bc41c5e2fd4a2d29ecde20409 example.com IN SSHFP 3 1 c9a19b42a7165596f0d0e5bfa947232978901dcb example.com IN SSHFP 3 2 6a9facbb8693644063b1eee91cfce24ada5536ff52df98210fae3d350fffaf34 example.com IN SSHFP 4 1 4dc3d59ef28733c89f83e0e078b10a4a816e2a04 example.com IN SSHFP 4 2 a1f1388dff27d02f942ea5a9e2cb6008ae3e0a61622e5ff2b1ce746b32049152
Replace example.com. with your domain, making sure to include the final period for a fully qualified domain name (FQDN). ssh will generate all of your SSHFP records for you, which can then be added to your nameserver's zone files.
SSHFP records follow this format:
<Name> [<TTL>] [<Class>] SSHFP <Algorithm> <Type> <Fingerprint>
| Keyword | Meaning |
|---|---|
| TTL | Time to live (seconds) |
| Protocol | IN for Internet |
| Algorithm | 0: reserved; 1: RSA; 2: DSA, 3: ECDSA; 4: Ed25519 |
| Type | Hash -- 0: reserved; 1: SHA-1; 2: SHA-256) |
| Fingerprint | Hexadecimal of hash |