

Fingerprints don't match




Posted by RobInRockCity, 02-17-2015, 07:13 PM
I am trying to set up SSH Key-Authentication for when I use CyberDuck to connect to my VPS. I just ran the following on my MacBook... It generated these files in ~/.ssh/ (I added a passphrase to the private key as well.) Next I opened up the Public Key, and copied the contents. From there, I went into cPanel > Manage SSH Keys and I pasted the Public Key contents into the appropriate field and clicked "Import Key". Finally, I clicked "Authorize" in cPanel to authorize the Public Key. When I went into CyberDuck to connect to my VPS over SSH, the Fingerprint that came up did NOT match the Fingerprint that was generated immediately after I created the Key-Pair. What went wrong? Rob

Posted by david_was_here, 02-17-2015, 07:20 PM
Number 1, make sure there are no blank spaces at the beginning or end of the key. That's a pretty common thing. Second, check your SSHD config to make sure the daemon is even configured to accept keys and ensure they are pointing to the correct path. For RHEL/CentOS/Fedora: Third, if you attached and uploaded the key and you had opened the key in Notepad or something like that, there could be differences in the file format due to the Windows->Linux line endings (see dos2unix). Fourth, you can regenerate the public key to make sure something didn't explode. You can regenerate it using the following:

Posted by RobInRockCity, 02-17-2015, 07:57 PM
Check. My web host should have done that, but who knows. I use TextWrangler on my Mac. Now the form in cPanel won't let me delete the Public Key, so it looks like I just got stuck with a big advanced support bill... *sigh* Rob

Posted by RobInRockCity, 02-17-2015, 08:03 PM
Could there be a problem with having my local computer's hostname at the end of the Public Key... ---- Also, support told me that I should use the wizard and create the key-pair on the VPS and then transfer the Private Key to my Mac. I do NOT like that idea since the Private Key is the one you are supposed to protect!! All of the tutorials I have seen online talk about running ssh-keygen on your local computer and then somehow getting the public key to the server, so I hope that isn't the issue. It dumbfounds me how the Fingerprints are not matching... I highly doubt it is a MITMA - more like just me screwing something up?! Rob

Posted by Website themes, 02-18-2015, 01:19 AM
The fingerprint that you get prompted over is the HOST's fingerprint, i.e. the fingerprint of the key pair on the VPS, not your personal key pair. You see, authentication goes two ways. You are authenticating the server and the server is authenticating you. The prompt is for confirming that the server is the one you expect to connect to. So how to tell what the correct server fingerprint is? You could ask your hosting provider or just enter yes and trust it implicitly. You will only be prompted the first time you connect to a new server. If you had root console access you could do the following:

Posted by RobInRockCity, 02-18-2015, 11:49 AM
I think your response is "good" news for a very frustrated newbie, but let me repeat to make sure I understand you... When I went into Terminal on my MacBook and I typed this... After some processing, Terminal displayed this... So, what does the above "fingerprint" really tell me and others? And who would want to use Rob's "fingerprint"? Does my VPS somehow use "my" Fingerprint? ----- Okay, now a recap of what I did on my VPS last night... After creating the Public/Private key pair on my MacBook, I logged into cPanel on my VPS, and clicked on "SSH Shell Access". From there I clicked on "Manage SSH Keys", and then "Import Keys". This displayed a web-form where you could paste in either a Private or Public Key. In my case, I obviously needed to "import" the Public Key from my MacBook, so I did this... On my MacBook, I opened up "id_rsa.pub" - using TextWrangler - and copied all of the contents. Next I pasted them into the Public Key field in the Form in cPanel - making sure there were no extra spaces or carriage returns - and then I saved things (i.e. "Import Key"). After doing that, I opened another instance of cPanel, and in File Manager under my VPS's .ssh folder, I saw "id_rsa.pub" - which is what I would expect. So far, so good! BTW, is it okay that the newly installed Public Key on my VPS ends with... Does that serve any real purpose?? From there, in my other instance of cPanel, I went to the "Manage SSH Keys" window. Now I saw a new button that said "Authorize Keys". When I clicked on it, something unexpected happened... In my other instance of cPanel in File Manager, cPanel created not one, but two files: I opened each one, copied and pasted them in OpenOffice Calc, and did a comparison. The contents of each matched. So why did cPanel create two files with identical content?? Anyways, from there, I assumed that I had properly installed my Public Key on my VPS, and of course my MacBook has the Private Key on it in my .ssh folder. 
So next I went in to CyberDuck thinking I could now safely log into my VPS over SSH by using my new key-pair instead of a password. In CyberDuck, I entered the IP for my VPS, the Username that my web host gave me, but I did NOT enter my cPanel Password for obvious reasons!! Next, I checked "Use Public Key Authentication", and a file management window popped open, and at the top it said "Select the private key in PEM or PuTTY format" So I chose the Private Key (i.e. "id_rsa") located in my .ssh folder on my MacBook, and clicked "Choose". Then I clicked on "Connect". When I did this, I got the following pop-up window in CyberDuck... If I clicked on "Allow" twice, then I got another popup window saying "Private Key password protected" and it asked me to enter my Passphrase. After entering my Private Key Passphrase and hitting "Enter", I was magically taken to the Web Root of my VPS!! So, if I understood what you were saying above, the 2nd "Fingerprint" is from my VPS, correct? And you are saying that the idea is that I need to find out from my web host what the "Fingerprint" is for my VPS, and then compare that against the 2nd "Fingerprint" that was displayed when I was entering my Passphrase, correct?? So, if the 2nd Fingerprint matches what my web host is saying is my VPS's Fingerprint, then that means I am successfully logging into my true server, right?? Whew! Okay, I'll shut up and hope you can respond and help me get all of this sorted out... Thanks! Rob

Posted by Website themes, 02-18-2015, 12:45 PM
Think of a fingerprint as a human-friendly summary of a public key to make it easier for us to differentiate between different public keys. It's usually used to identify servers. It's a comment for human beings' benefit. See, you can have multiple public keys in an authorized_keys file, one on each line. Say for different people, or the same person logging in from different devices. The comment makes it easy to identify which key is which. The authorized_keys file(s) contains the public keys of people who are allowed to login via SSH onto a server. Why two files? Because, depending on server configuration, it will use one of those, so cPanel creates both just in case. If you read my manual public key installation instructions in the other thread you will see I told you to create an authorized_keys file just like cPanel has. id_rsa.pub contains the public key of the local user on the server, i.e. if you were to login to the server and generate a key pair there it would be saved, by default, in ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key), where the tilde symbol (~) = home directory. This is similar to how it was when you generated a key pair on your home/office PC. Now why did cPanel create an id_rsa.pub file? I don't know. When you uploaded your public key it should have gone in authorized_keys from the very start instead of id_rsa.pub. Doesn't matter though. Yes to questions 1 - 3. Last edited by Website themes; 02-18-2015 at 12:54 PM.

Posted by Website themes, 02-18-2015, 01:03 PM
Don't confuse fingerprints with comments. Comments can be edited and you can put anything you like as a comment. OTOH a fingerprint is unique to a key pair and is generated deterministically. A fingerprint cannot be changed.

Posted by RobInRockCity, 02-18-2015, 01:56 PM
So what is the purpose of the Fingerprint that was created when I ran ssh-keygen on my MacBook? It sounds like that 1st Fingerprint serves no useful purpose, right? (About the only reason I can think of that ssh-keygen created it is IF my MacBook was the "server" and someone connecting to my MacBook needed to check against it.) So "rob@robs-MacBook-Pro.local" is just a comment, and in no way is used to create the Public Key or the Fingerprint, correct? I assume the line item in "authorized_keys" needs to match up exactly with the contents of the Public Key, right? Yes, I read that after the fact. So you are saying that technically I don't need the "id_rsa.pub" file on my VPS? I thought for the whole "puzzle" thing to work, you needed an "id_rsa" (Private Key) file on your local computer and an "id_rsa.pub" (Public Key) file on the Server? When ssh-keygen runs, how exactly does it create the Private Key? And the Public Key? Are those two keys composed of computer-specific details? And could you reverse-engineer a Private or Public Key and find out things like the hardware I am using or the computer owner's name or my IP or some other sensitive details?? And on a related topic... What makes up the Fingerprint on my VPS? And will the Fingerprint on my VPS ever change? For example, if I regenerate my Private/Public Keys - which I need to because I chose a lame Passphrase - then would I need to get a new Fingerprint from my ISP? Sorry for all of the questions, but all of this stuff was nowhere to be found when I was reading tutorials online yesterday. This is complicated stuff to me!!! What an education!! Thanks, Rob

Posted by Website themes, 02-19-2015, 01:39 AM
Exactly. ssh-keygen is used to create host keys (key pairs) for servers as well. The fingerprint is a hash of the public key. Read up on hash functions. So it's trivial to output a fingerprint and it is done for every key pair. Already answered this above. Please pay attention! It already matches your public key or you wouldn't have been able to log in! Nope. As I wrote above, the public keys of people who are allowed to log in via SSH are installed in a file named authorized_keys on the server you are trying to log in to. Not id_rsa.pub but authorized_keys. Ah, that is cryptography. You will have to speak to a cryptologist to understand how keys are generated. They are random. They don't contain info about your computer. The public key is derived from the private key. The reverse is not possible. This is called asymmetric cryptography and you should read about it: http://en.wikipedia.org/wiki/Public-key_cryptography Fingerprint = Hash of public key, as mentioned above. VPS fingerprint = Hash of the server's public key, not yours! No, it won't change if you change your personal key pair. Your key pair's fingerprint would change, though. Last edited by Website themes; 02-19-2015 at 01:43 AM.

Posted by RobInRockCity, 02-19-2015, 11:34 AM
Thanks for the detailed explanations!! I guess cPanel creates an "id_rsa.pub" file - plus two "authorized_keys" files - when I "import" my Public Key from the web form, but those two things really serve no extra purpose. All that is needed is that my VPS has a file called "authorized_keys" which contains a row that lists my Public Key, right? You lost me here... First of all, when I run ssh-keygen, Terminal displays a "Personal Fingerprint" for the Public Key I just generated, right? And when I log in using CyberDuck, a 2nd Fingerprint is displayed which represents the "VPS Fingerprint", right? Well, where does that 2nd Fingerprint come from? I was under the impression that when I uploaded the Public Key - that I generated on my MacBook - that the VPS created a Fingerprint based on my personal key. It sounds like you are saying that the 2nd Fingerprint is somehow tied to my VPS, but is independent of anything I do with the Public Key I generated? Are you saying my VPS has something like a "Root Public Key"? Or is the "VPS Fingerprint" created from something else? Regardless, I guess the goal is for me to contact my web host, get my VPS' Fingerprint, and then compare that to the one that CyberDuck sees when it tries to connect. If the two "VPS Fingerprints" match, then I can assume that I am actually logging in to my VPS and not some rogue one, correct? Sincerely, Rob

Posted by Website themes, 02-20-2015, 03:04 PM
Yes, that's exactly what I mean. The VPS has its own key pair containing a private key and a public key, just like you. It is installed in /etc/ssh/ on the VPS. The fingerprint you see is the hash of the public key from that key pair. It wouldn't be so hard for you to understand if you read what I wrote before:
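The points made across this thread (the fingerprint is a hash of the public key blob; the trailing "rob@robs-MacBook-Pro.local" is only a comment and does not enter the hash; the authorized_keys line matches by key material, not by byte-for-byte text; and a host key in /etc/ssh/ is fingerprinted the same way as a user key) can be checked without any SSH server. The script below is an added example, not code from the thread, from cPanel, CyberDuck or OpenSSH. It builds public-key lines in OpenSSH's text format from constructed key material (a fake RSA modulus and 32 fixed bytes standing in for an ed25519 host key, neither of them real keys), parses them back, and computes the two fingerprint displays OpenSSH uses: the `SHA256:` form that current `ssh-keygen -l -f` prints, and the older colon-separated MD5 form selected with `-E md5`. The encoding rules (SSH wire `string` and `mpint`, SHA-256 or MD5 over the whole base64-decoded blob, padding stripped from the base64 digest) are OpenSSH's; everything else (function and variable names, the sample comments) is made up for this example.

```python
"""Compute OpenSSH public-key fingerprints from the key blob alone.

Added example, not code from the original thread. It shows that a
fingerprint is a hash of the base64 key blob and that the trailing
comment (e.g. "rob@robs-MacBook-Pro.local") plays no part in it, and
that a host key in /etc/ssh/ is fingerprinted exactly the same way.
All key material below is CONSTRUCTED for illustration, not real keys.
"""
import base64
import hashlib
import struct


def ssh_string(data):
    """Encode bytes as an SSH wire 'string': uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n):
    """Encode a non-negative integer as an SSH 'mpint' (leading 0x00 if the high bit is set)."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def make_pubkey_line(keytype, encoded_fields, comment=""):
    """Assemble an authorized_keys-style line: '<type> <base64 blob> [comment]'."""
    blob = ssh_string(keytype.encode("ascii")) + b"".join(encoded_fields)
    line = keytype + " " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def parse_pubkey_line(line):
    """Split a public-key line into (keytype, blob_bytes, comment).

    Only the first two fields are split off, because the comment is optional
    and may itself contain spaces.
    """
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with an SSH string naming the key type; it must agree
    # with the textual type, otherwise the line was mangled (for example by a
    # wrapped paste or a stray CR/LF from a Windows editor).
    (n,) = struct.unpack(">I", blob[:4])
    inner_type = blob[4:4 + n].decode("ascii")
    if inner_type != keytype:
        raise ValueError("type %r does not match blob type %r" % (keytype, inner_type))
    return keytype, blob, comment


def fingerprint_sha256(blob):
    """OpenSSH's default display: 'SHA256:' + base64(SHA-256(blob)) without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(blob):
    """Legacy display (ssh-keygen -E md5): 'MD5:' + colon-separated hex bytes."""
    return "MD5:" + ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def find_authorized(authorized_lines, local_pubkey_line):
    """Index of the authorized_keys line holding the same key, or -1.

    Comparing fingerprints rather than whole lines means a comment that was
    edited or dropped when the key was imported on the server does not matter.
    """
    _, local_blob, _ = parse_pubkey_line(local_pubkey_line)
    want = fingerprint_sha256(local_blob)
    for i, line in enumerate(authorized_lines):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        _, blob, _ = parse_pubkey_line(line)
        if fingerprint_sha256(blob) == want:
            return i
    return -1


# Constructed key material (deterministic, NOT real keys): a fake 2048-bit RSA
# modulus for the user key and 32 fixed bytes standing in for a host key.
FAKE_N = (1 << 2047) | int.from_bytes(bytes(range(1, 200)), "big") | 1
RSA_FIELDS = [ssh_mpint(65537), ssh_mpint(FAKE_N)]
LOCAL_PUBKEY = make_pubkey_line("ssh-rsa", RSA_FIELDS, "rob@robs-MacBook-Pro.local")
SERVER_COPY = make_pubkey_line("ssh-rsa", RSA_FIELDS, "imported via cPanel")  # same key, new comment
HOST_PUBKEY = make_pubkey_line("ssh-ed25519", [ssh_string(bytes(range(32)))], "root@vps")

if __name__ == "__main__":
    for label, line in (("local id_rsa.pub", LOCAL_PUBKEY),
                        ("authorized_keys", SERVER_COPY),
                        ("host key", HOST_PUBKEY)):
        keytype, blob, comment = parse_pubkey_line(line)
        print("%-16s %-11s %s  %s" % (label, keytype, fingerprint_sha256(blob), comment))
    print("local key found at authorized_keys index",
          find_authorized(["# keys", HOST_PUBKEY, SERVER_COPY], LOCAL_PUBKEY))
```

Run it and the first two lines print the same `SHA256:` value with different comments, while the host key prints a different one. On a real system the same number comes out of `ssh-keygen -l -f ~/.ssh/id_rsa.pub` on the MacBook (that is the "1st fingerprint" ssh-keygen showed) and of `ssh-keygen -l -f /etc/ssh/ssh_host_<type>_key.pub` on the VPS (the one CyberDuck prompts about, for whichever host key type the server offered); comparing the latter against the prompt, over a channel other than the SSH session itself, is the check the thread describes.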


