I'm confused, so I'd like to re-phrase my question (below) a bit...
Assume I start up a dropbear server on a machine (ignore my embedded case).
I do that with the following commands...
dropbearkey -t dss -f dropbear_dss_host_key
dropbearkey -t rsa -f dropbear_rsa_host_key
dropbear -F -r dropbear_rsa_host_key -d dropbear_dss_host_key
Now I attempt to connect to this server using ssh and I get the message:
The authenticity of host '135.222.138.20 (135.222.138.20)' can't be established.
RSA key fingerprint is c5:36:7f:8c:c8:d6:d6:0c:53:45:61:76:f6:d0:91:4e.
Are you sure you want to continue connecting (yes/no)?
Assume I want to be anal and want to verify that I'm *really* connecting
to my server.
If I have access to the console of the machine running the server, then
how do I verify that the fingerprint given to me by the client is in fact
from the server that I assume I am connected to?
I *thought* I could use "dropbearkey -y dropbear_rsa_host_key" on the
server, and it would give me that same fingerprint as is presented at the
client in the warning message, but that gives me a different fingerprint.
What am I doing wrong here or why am I confused?
Ed
Hi,
I now have the dropbearkey code integrated into my embedded stuff.
I assume the idea is to call this function each time the server starts up.
Then each time the server starts, future client connections will reject the
server connection until $HOME/.ssh/known_hosts is purged of that server's
key information.
Correct so far?
Assuming yes...
Then, the user of the client has to accept the new credentials based on
the RSA key fingerprint from the server. So, shouldn't the message that
comes out of the client reflect the same fingerprint as that which was
printed when the key was created on the server?
(mine doesn't)
Ed
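
An added example, not part of the original messages and not Dropbear's own code: one way to check a server-side key against the client prompt is to recompute the fingerprint from the public key line in `ssh-rsa AAAA... comment` form. It assumes the colon-separated value in the prompt above is the MD5 of the base64-decoded key blob, also computes the SHA256 form newer OpenSSH clients print, and uses a constructed sample key; all function names are hypothetical.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def parse_public_key_line(line: str):
    """Return (key type, raw key blob) from a '<type> <base64> [comment]' line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob carries its own copy of the type name; a mismatch means the
    # line was damaged or belongs to a different key (e.g. DSS vs RSA).
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type does not match the encoded blob")
    return key_type, blob


def md5_fingerprint(line: str) -> str:
    """Colon-separated hex MD5, the form shown in the client's prompt."""
    _, blob = parse_public_key_line(line)
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def sha256_fingerprint(line: str) -> str:
    """'SHA256:<unpadded base64>' form printed by newer OpenSSH clients."""
    _, blob = parse_public_key_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def same_fingerprint(shown_by_client: str, line: str) -> bool:
    """Compare the value from the client prompt with the server-side key."""
    return shown_by_client.strip().lower() == md5_fingerprint(line)


# Constructed sample key (not a real host key): e = 65537, made-up modulus.
_SAMPLE_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
                + _ssh_string(b"\x00" + bytes(range(0x80, 0x100))))
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(_SAMPLE_BLOB).decode() + " root@example"

if __name__ == "__main__":
    print(md5_fingerprint(SAMPLE_LINE), sha256_fingerprint(SAMPLE_LINE))
```

A mismatch between this value and the prompt means the client was offered a different key than the one in the file being checked, for example a different key type or a key regenerated since the file was read.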