Hi,
SSH authenticates both communication endpoints, server and client. The server is authenticated with the public host key in a "trust on first use" model. On the first connection, the fingerprint of the server's public key is displayed to the user, who has to decide whether to trust this key or not. This decision is facilitated by checking the server's public host key's fingerprint out-of-band, e.g. when connected via serial console.
Current EXOS does not support checking the host key fingerprint.
😞
To work around this limitation, one can copy the private key of the EXOS switch to e.g. a GNU/Linux system, and then use tools usually available on GNU/Linux to determine the fingerprint. This works for not encrypted private keys only. The private key of a device should
not be copied to another system, as such the copied key needs to be securely deleted after generating the fingerprint.
- Display private host key on EXOSshow ssh2 private-key
- Copy&paste private key to file privkey.exos on GNU/Linux
touch privkey.exos
chmod 0600 privkey.exos
cat > privkey.exos
- Convert EXOS key format to OpenSSH format on GNU/Linux
touch privkey.openssh
chmod 0600 privkey.openssh
tr -dc '[:xdigit:]' < privkey.exos | xxd -p -r > privkey.openssh
- Generate public key from private key on GNU/Linuxssh-keygen -y -f privkey.openssh > pubkey.openssh
- Remove private key files (may not be secure) on GNU/Linuxshred -u privkey.exos privkey.openssh
- Generate fingerprint on GNU/Linuxssh-keygen -l -f pubkey.openssh | cut -d' ' -f2
The public key may be disclosed, deletion is not necessary. Step two can be omitted if you copy&paste directly into "tr".
Best regards,
Erik
