
How to view ssh public key "fingerprint" on the switch?


Userlevel 2
Hi Guys,

A quick question for you. How do I view the ssh public key "fingerprint" on the switch when it is presented by PuTTY?

13 replies

Userlevel 6
Hi

I believe they are stored in the registry:



-Gareth
Hi Gareth,

Thank you for your reply. But I want to check it on the switch side, not from PuTTY. Sorry, the question wording is not clear. Will edit it in a bit.
Userlevel 6
Sorry my bad, I misread the question completely.
Userlevel 4
Hi,

Try:
"show sshd2 user-key"
"show ssh2 private-key"
Hi Dorian,

SW1-MGMT.2 # show sshd2 user-key
---------------------------------------------------------------------------------------
# Key name Subject Comment
---------------------------------------------------------------------------------------

---------------------------------------------------------------------------------------
# is the number of users bound to the key
SW1-MGMT.2 # show ssh

The output is empty.

SW1-MGMT.2 # show ssh2 private-key

2d:2d:2d:2d:20:42:45:47:49:4e:20:53:53:48:32:20:45:4e:43:52:59:50:54:45:44:20:50:52:49:56:41:54:45:20:4b:45:59:20:2d:2d:2d:2d:0a:53:75:62:6a:65:63:74:3a:20:72:6f:6f:74:0a:43:6f:6d:6d:65:6e:74:3a:20:22:32:30:34:38:2d:62:69:74:20:44:53:41:20:6b:65:79:2c:20:72:6f:6f:74:2c:20:57:65:64:20:41:75:67:20:20:33:20:30:30:3a:30:30:3a:32:31:20:32:30:31:36:22:0a:50:32:2f:35:36:77:41:41:41:34:49:41:41:41:41:6d:5a:47:77:74:62:57:39:6b:63:48:74:7a:61:57:64:75:65:32:52:7a:59:53:31:75:61:58:4e:30:4c:58:4e:6f:59:54:46:39:4c:47:52:6f:65:33:42:73:59:57:6c:75:66:58:30:41:41:41:41:45:0a:62:6d:39:75:5a:51:41:41:41:30:51:41:41:41:4e:41:41:41:41:41:41:41:41:41:43:41:43:45:6f:2b:75:43:2b:6a:51:72:6b:6e:55:75:75:2b:70:65:63:41:4f:66:57:7a:43:6e:4f:35:6a:4e:69:65:4d:58:53:57:56:48:65:67:38:42:6f:32:56:4d:0a:4c:37:4e:31:51:4b:4e:43:6e:6a:39:33:43:67:58:2f:38:6f:75:65:67:52:74:64:52:68:41:4b:32:31:65:64:6c:67:61:7a:31:4f:69:38:65:2f:30:6b:52:30:63:6b:4f:67:6a:38:34:69:70:39:36:58:55:62:6d:31:4c:65:52:6b:34:55:66:62:4f:62:0a:2b:5a:58:6e:62:45:48:47:66:31:54:76:72:79:63:64:37:4d:72:6a:72:43:42:46:5a:6b:4e:73:71:6f:72:36:55:42:78:30:59:35:4c:75:2f:32:54:59:71:76:73:4a:37:30:4c:52:4d:67:38:74:30:36:32:5a:61:55:48:36:59:47:32:48:4f:76:48:50:0a:53:56:35:65:61:7a:57:46:41:34:5a:57:6d:46:52:71:63:61:4f

I have removed a few lines (for security reasons) 🙂 but still, I cannot compare the "fingerprint." So the ssh fingerprint is a short version of the public key. Let's say I want to verify my ssh server using the fingerprint presented during the ssh challenge. Assume I do have access to the ssh server.
Userlevel 7
Hi,

the output of "show ssh2 private-key" is a hex dump of the ASCII armored private key. The fingerprint shown by PuTTY is a hex dump of an MD5 checksum over the public key.

I'd like to request the introduction of "show ssh2 public-key" and "show ssh2 public-key fingerprint" commands in EXOS. The latter could even expose several fingerprint methods that are currently in use (MD5 hex dump, SHA256 base64 encoded, ASCII art). 🙂

Erik
Userlevel 7
To add some more info:

It should be possible to extract the public key from the private key using "ssh-keygen -y -f", but at least EXOS 15.3 shows an encrypted key with unknown passphrase.

An EXOS 21.1 VM shows an unencrypted private key that can be transformed to be used as input to "ssh-keygen -y -f", which correctly extracts the public key in base64 encoded form. This can be used with "ssh-keygen -l -f" to display the fingerprint.

That is quite a tedious procedure, at least a command to show the fingerprint in the switch CLI would be useful.

Erik
Userlevel 2
Hi Erik,

Thank you for your reply. I am unable to use these commands:

primary.cfg Created by ExtremeXOS version 15.3.5.2 154747 bytes saved on Wed Aug 3 01:58:43 2016
SW1-MGMT.7 # ssh-keygen -y -f
^
%% Invalid input detected at '^' marker.
SW1-MGMT.8 # show ssh2 public-key fingerprint
^
%% Invalid input detected at '^' marker.
SW1-MGMT.9 #

The information you have provided is very useful. But it is related more to the Linux/Unix operating system.

Cheers,
Mykhaylo
Userlevel 7
Sorry, those are Linux commands... The private key from EXOS show output can be transformed to be compatible with Linux tools. Those can be used on Linux to view the fingerprint. Unless the key shown by EXOS is encrypted with an unknown password.

The procedure is a bit involved, therefore I did not write down all of the steps.

Erik
Userlevel 2
Hi Erik,

OK, good. Now I understand the whole process.

Thanks,
Mykhaylo
Userlevel 7
Hi,

SSH authenticates both communication endpoints, server and client. The server is authenticated with the public host key in a "trust on first use" model. On the first connection, the fingerprint of the server's public key is displayed to the user, who has to decide whether to trust this key or not. This decision is facilitated by checking the server's public host key's fingerprint out-of-band, e.g. when connected via serial console.

Current EXOS does not support checking the host key fingerprint. 😞

To work around this limitation, one can copy the private key of the EXOS switch to e.g. a GNU/Linux system, and then use tools usually available on GNU/Linux to determine the fingerprint. This works for unencrypted private keys only. The private key of a device should not be copied to another system, so the copied key needs to be securely deleted after generating the fingerprint.

  1. Display private host key on EXOS:
     show ssh2 private-key
  2. Copy&paste private key to file privkey.exos on GNU/Linux:
     touch privkey.exos
     chmod 0600 privkey.exos
     cat > privkey.exos
  3. Convert EXOS key format to OpenSSH format on GNU/Linux:
     touch privkey.openssh
     chmod 0600 privkey.openssh
     tr -dc '[:xdigit:]' < privkey.exos | xxd -p -r > privkey.openssh
  4. Generate public key from private key on GNU/Linux:
     ssh-keygen -y -f privkey.openssh > pubkey.openssh
  5. Remove private key files (may not be secure) on GNU/Linux:
     shred -u privkey.exos privkey.openssh
  6. Generate fingerprint on GNU/Linux:
     ssh-keygen -l -f pubkey.openssh | cut -d' ' -f2
The public key may be disclosed, deletion is not necessary. Step two can be omitted if you copy&paste directly into "tr".

Best regards,
Erik
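As an added example (not code from this thread or from Extreme Networks), the Python below does offline what steps 3 and 6 above do with tr/xxd and ssh-keygen, and what the earlier reply describes about the fingerprint: it turns the colon-separated hex printed by "show ssh2 private-key" back into the armored text, flags an ENCRYPTED header (the case in which "ssh-keygen -y" cannot proceed without the passphrase), and computes the MD5 colon-hex and SHA256 base64 fingerprints over an OpenSSH public key blob. The hex sample is the first bytes of the dump shown earlier in the thread; the ed25519 public key is constructed here and is not a real host key.

```python
import base64
import hashlib
import re
import struct

# Sample taken from the first bytes of the EXOS "show ssh2 private-key" dump
# quoted earlier in this thread (colon-separated hex of the ASCII-armored key).
EXOS_HEX_DUMP = (
    "2d:2d:2d:2d:20:42:45:47:49:4e:20:53:53:48:32:20:45:4e:43:52:59:50:54:45:44:"
    "20:50:52:49:56:41:54:45:20:4b:45:59:20:2d:2d:2d:2d:0a:53:75:62:6a:65:63:74:"
    "3a:20:72:6f:6f:74:0a"
)

def exos_hexdump_to_text(dump: str) -> str:
    """Equivalent of `tr -dc '[:xdigit:]' | xxd -p -r`: keep hex digits, unhex them."""
    return bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", dump)).decode("ascii", "replace")

def is_encrypted_key(armored: str) -> bool:
    """True when the armor header says ENCRYPTED; the procedure above then stops at step 4."""
    first = armored.splitlines()[0] if armored else ""
    return first.startswith("----") and "ENCRYPTED" in first

def key_blob(pubkey_line: str) -> bytes:
    """Raw wire-format blob from an OpenSSH `ssh-xxx AAAA... comment` line."""
    return base64.b64decode(pubkey_line.split()[1])

def key_type(blob: bytes) -> str:
    """The first length-prefixed string of the blob is the key type name."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")

def fingerprint_md5(blob: bytes) -> str:
    """PuTTY / `ssh-keygen -l -E md5` style: colon-separated hex of MD5(blob)."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH default style: unpadded base64 of SHA256(blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

# Constructed sample public key (ed25519 wire format: type string + 32 key bytes);
# the key bytes are a dummy counter, not a real key.
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_PUBKEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " sample"

if __name__ == "__main__":
    text = exos_hexdump_to_text(EXOS_HEX_DUMP)
    print(text, "encrypted:", is_encrypted_key(text))
    blob = key_blob(SAMPLE_PUBKEY)
    print(key_type(blob), fingerprint_md5(blob), fingerprint_sha256(blob))
```

Feed `fingerprint_md5` the blob from pubkey.openssh (step 4) to get the same value PuTTY shows in its host key prompt; `fingerprint_sha256` matches what a current `ssh-keygen -l -f pubkey.openssh` prints.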
Userlevel 6
Very clever Erik. I'll make sure Drew gets this to our Dev team as a point of discussion.
Userlevel 2
Hi Erik,

Wow, thanks for this. Really detailed answer.

Thanks all,
Mykhaylo
