Hi,

after all it seems that I have to answer my question myself. The question was

> Has anybody a hint how x2go creates the presented fingerprint and how I could 
> do that myself in advance on the
> server-side to be able to check later if I'm connected to the correct host?

and why does x2go present this fingerprint to me to compare it to the 
fingerprint originally created on the server side:

> > > Hash des öffentlichen Schlüssels: remote.server.com:22 - 
> > > d7:2e:e0:ae:27:7a:e5:33:59:6d:00:12:75:22:0a:c6:9a:10:31:a9

I've now been looking around in the X2go source code in this file
https://code.x2go.org/gitweb?p=x2goclient.git;a=blob;f=src/sshmasterconnection.cpp;
around line 929 where it's calling "ssh_get_publickey_hash (srv_pubkey, 
SSH_PUBLICKEY_HASH_SHA1, &hash, &hlen)" if a libssh
version >= 0.6.0 is used. This is true in my case and the hash is then 
transformed into a string with ssh_get_hexa().

So the output is a hexadecimal-encoded SHA1 hash, which indeed has a length of 
160 bits, matching the 20 hex-encoded bytes shown in the quote for 
remote.server.com.

Now the challenge is to create such a SHA1 hash in hexadecimal encoding on the 
server side, to take it along to the home office and be able to check the 
server's identity when X2go connects to the remote server.

The internet comes to help with this. Googling around I found this nice page 
that explains how to calculate a hash sum from the known public key. The page 
is here:

https://www.lastbreach.com/blog/ssh-public-key-verification-with-fingerprinthash

The guy simply uses awk to extract the base64-encoded binary data of the public 
key from the key file, creates the hash from that data and then prints it 
base64-encoded again, like "ssh-keygen -l -E sha256 -f keyfile" would do:

> $ awk '{print $2}' /etc/ssh/ssh_host_ecdsa_key.pub | base64 -d | sha256sum -b 
> | sed 's/ .*$//' | xxd -r -p | base64

To make the output match what x2go presents, we can basically do this (I 
replaced awk and sed with cut; the hexdump format prints a colon after each of 
the first 19 bytes and a newline after the last one, so no trailing colon):
> $ cut -d " " -f 2 /etc/ssh/ssh_host_ecdsa_key.pub | base64 -d | sha1sum -b | 
> cut -d " " -f 1 | xxd -r -p | hexdump -v -e '19/1 "%02x:" 1/1 "%02x\n"'

For convenience I created a small shell script and attach it to this e-mail 
that does the operation on the input file.

Best regards,
    Stefan


> Sent: Tuesday, 17 November 2020 at 01:02
> From: "Stefan Mätje" <stefan.mae...@gmx.de>
> To: "Ulrich Sibiller" <ul...@gmx.de>
> Cc: "x2go users" <x2go-user@lists.x2go.org>
> Subject: Re: Re: [X2Go-User] What is the hash algorithm / format used for the 
> host key hash during connection instantiation?
>
> Hi,
> 
> I have inspected the ~/.x2go/ssh directories on both the client and the 
> server machine. Both are empty.
> 
> But I found the following behavior. If I remove the line for the remote host 
> from the ~/.ssh/known_hosts file
> on my client machine, then x2go presents the question about "trust the host 
> key" as already depicted below.
> If I approve it, then in the known_hosts file I can again find the public key 
> of the host, which is identical
> to /etc/ssh/ssh_host_ecdsa_key.pub of the host. On the next connect I don't 
> get a "trust the host key" question.
> 
> This is also the behavior I would expect if I directly log on to the server 
> using ssh. If my known_hosts file
> is empty, the ssh client presents a fingerprint of the public identity key of 
> the host, either as an MD5 or a SHA256
> fingerprint. These are the fingerprints as already mentioned:
> 
> > > ssh_host_ecdsa_key.pub:
> > > 256 SHA256:3vf9PbLKhlaFpff7SxpaDLyrfYJF8iJ+Px3bMzLNY2U 
> > > r...@internal.server.com (ECDSA)
> > > 256 MD5:7b:9a:76:4b:58:ce:87:bf:3f:56:41:a9:7c:f8:bf:e9 
> > > r...@internal.server.com (ECDSA)
> 
> So I guess x2go should also present a fingerprint of the public identity key 
> of the host on the first connection.
> But as it is now it is of no use because I can't prepare the fingerprint on 
> the server-side in advance and take
> it with me as long as I don't know how x2go generates this fingerprint (and I 
> can do it the same way too).
> 
> Has anybody a hint how x2go creates the presented fingerprint and how I could 
> do that myself in advance on the
> server-side to be able to check later if I'm connected to the correct host?
> 
> Best regards,
>     Stefan
> 
> 
> > Sent: Sunday, 15 November 2020 at 18:09
> > From: "Ulrich Sibiller" <ul...@gmx.de>
> > To: "Stefan Mätje" <stefan.mae...@gmx.de>
> > Cc: "x2go users" <x2go-user@lists.x2go.org>
> > Subject: Re: [X2Go-User] What is the hash algorithm / format used for the 
> > host key hash during connection instantiation?
> >
> > I never looked into how x2go handles ssh keys. However, x2go generates
> > individual keys during session startup. Maybe you are seeing one of
> > those?
> > 
> > On my system there are some keys in ~/.x2go/ssh
> > 
> > Uli
> > 
> > On Sun, Nov 15, 2020 at 5:57 PM Stefan Mätje <stefan.mae...@gmx.de> wrote:
> > >
> > > Hi,
> > >
> > > I'm using x2go to connect from a Linux Mint (19) machine to an Ubuntu 
> > > server
> > > using an RSA key over SSH.
> > >
> > > During the connection instantiation x2go presents me the following 
> > > question:
> > >
> > > Der Server ist unbekannt. Vertrauen Sie diesem Host-Key?
> > > Hash des öffentlichen Schlüssels: remote.server.com:22 - 
> > > d7:2e:e0:ae:27:7a:e5:33:59:6d:00:12:75:22:0a:c6:9a:10:31:a9
> > >
> > > I. e. "The server is unknown. Do you trust this host key?" I now have 
> > > problems matching the presented fingerprint
> > > hash to the host identity keys that are present on the server machine 
> > > under /etc/ssh/ssh_host_*key*.
> > >
> > > When I later inspect the .ssh/known_hosts file on my Linux Mint machine 
> > > (client side) I can match the public
> > > key there to the public host identity key on the server side that has the 
> > > following fingerprints
> > > (displayed with 'ssh-keygen -l -E {md5|sha256} -f ssh_host_ecdsa_key'):
> > >
> > > ssh_host_ecdsa_key.pub:
> > > 256 SHA256:3vf9PbLKhlaFpff7SxpaDLyrfYJF8iJ+Px3bMzLNY2U 
> > > r...@internal.server.com (ECDSA)
> > > 256 MD5:7b:9a:76:4b:58:ce:87:bf:3f:56:41:a9:7c:f8:bf:e9 
> > > r...@internal.server.com (ECDSA)
> > >
> > > Neither of these fingerprints can be matched to the fingerprint / hash 
> > > that x2go presents to me. The MD5
> > > hash line is similar but shorter (only 16 hash bytes, i.e. 128 bits, which 
> > > matches the length of an MD5 sum). The
> > > x2go hash has 20 bytes (160 bits) hash length.
> > >
> > > The question is how can I reliably match the fingerprint x2go presents to 
> > > me to the right host ID hash.
> > > Am I comparing / expecting the wrong keys?
> > >
> > > Can somebody please shed some light on this issue?
> > >
> > > Best regards,
> > >     Stefan
>

Attachment: ssh-fprint-x2go.sh
Description: Unix shell archive
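As an added, stand-alone example (not Stefan's attached script and not x2goclient code), the same calculation in Python, so the string from the dialog can be checked against a saved host key file next to the MD5 and SHA256 forms that ssh-keygen prints; the sample key line is constructed (its blob is just the bytes "abc") and the file path argument is an optional assumption of this script:

```python
"""x2goclient's host-key fingerprint (hex SHA1 with colons) from an OpenSSH
public key line, plus the MD5 and SHA256 forms 'ssh-keygen -l -E {md5|sha256}'
prints, so all three can be compared side by side."""
import base64
import hashlib
import sys


def key_blob(pub_line: str) -> bytes:
    """Return the raw key blob: field 2 of an OpenSSH 'type base64 comment' line."""
    fields = pub_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    return base64.b64decode(fields[1])


def colon_hex(digest: bytes) -> str:
    """Lowercase hex, colon separated, as libssh's ssh_get_hexa() renders it."""
    return ":".join(f"{b:02x}" for b in digest)


def x2go_fingerprint(pub_line: str) -> str:
    """SHA1 over the key blob: the string x2goclient presents in its dialog."""
    return colon_hex(hashlib.sha1(key_blob(pub_line)).digest())


def md5_fingerprint(pub_line: str) -> str:
    """Same bytes as 'ssh-keygen -l -E md5', without the 'MD5:' prefix."""
    return colon_hex(hashlib.md5(key_blob(pub_line)).digest())


def sha256_fingerprint(pub_line: str) -> str:
    """Same as 'ssh-keygen -l -E sha256': unpadded base64 of the SHA256 digest."""
    digest = hashlib.sha256(key_blob(pub_line)).digest()
    return base64.b64encode(digest).decode().rstrip("=")


def matches(pub_line: str, presented: str) -> bool:
    """True if the dialog text ('host:port - fp') names this key, case-insensitively."""
    shown = presented.rsplit(" - ", 1)[-1].strip().lower()
    return shown == x2go_fingerprint(pub_line)


# Constructed sample, not a real key: the base64 blob "YWJj" decodes to b"abc".
SAMPLE_PUB = "ssh-ed25519 YWJj test@example"

if __name__ == "__main__":
    line = open(sys.argv[1]).readline() if len(sys.argv) > 1 else SAMPLE_PUB
    for name, fn in (("x2go/SHA1", x2go_fingerprint), ("MD5", md5_fingerprint),
                     ("SHA256", sha256_fingerprint)):
        print(f"{name}: {fn(line)}")
```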

_______________________________________________
x2go-user mailing list
x2go-user@lists.x2go.org
https://lists.x2go.org/listinfo/x2go-user
