If you've ever used SSH, you will have seen the warning "The authenticity of host ... can't be established". It appears the first time you connect to any server. Though it is tempting to ignore the warning and answer yes, we encourage you to check the SSH fingerprint instead and make sure it matches. We'll explain why below.

Why the SSH fingerprint check is important

SSH connections are at their most vulnerable the first time you connect to a server. Once you have connected to a server, the SSH client records its host key fingerprint. If that fingerprint later changes, for example because somebody is trying to trick you into connecting to a malicious server, your SSH client will warn you that the fingerprint has changed.

When you connect to a VPS server for the first time, your client has no recorded fingerprint to compare against, so it cannot verify that the server is the one you expect. An attacker positioned between you and the server can therefore perform a man-in-the-middle attack without triggering any warning. The only way to be sure you are connecting to the correct server from the very beginning is to check the SSH host key fingerprint manually.

How to check your SSH key fingerprint

Before you can check the fingerprint, you need to know which key algorithm and which hash it uses. Both are stated in the warning message itself. Here's an example from a BitLaunch server:

The authenticity of host '172.86.75.163 (172.86.75.163)' can't be established.
ED25519 key fingerprint is SHA256:NTw36MQjDxsHlxC/Xso5yKMlKJu93uYknRx2LEaqk7I.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])?

You can see that this host key uses the ED25519 algorithm and that the fingerprint is a SHA256 hash. Make a note of both, as well as the fingerprint itself, in this case NTw36MQjDxsHlxC/Xso5yKMlKJu93uYknRx2LEaqk7I.

The key algorithm could also be ECDSA, RSA or DSA, and the fingerprint may be shown as an MD5 hash rather than SHA256.

Verifying the fingerprint on the server

To verify the fingerprint, log in to your VPS server through a trusted method (for example, the console in your BitLaunch control panel) and run ssh-keygen against the host key file for the algorithm shown in the warning. The command prints the fingerprint of that key:

ED25519:

  • SHA256: ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
  • MD5: ssh-keygen -E md5 -lf /etc/ssh/ssh_host_ed25519_key.pub

ECDSA:

  • SHA256: ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub
  • MD5: ssh-keygen -E md5 -lf /etc/ssh/ssh_host_ecdsa_key.pub

RSA:

  • SHA256: ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
  • MD5: ssh-keygen -E md5 -lf /etc/ssh/ssh_host_rsa_key.pub

DSA:

  • SHA256: ssh-keygen -lf /etc/ssh/ssh_host_dsa_key.pub
  • MD5: ssh-keygen -E md5 -lf /etc/ssh/ssh_host_dsa_key.pub

Your output should look something like this:

256 SHA256:NTw36MQjDxsHlxC/Xso5yKMlKJu93uYknRx2LEaqk7I root@6311ad8b487e6f00018c5cd1 (ED25519)

If the fingerprint printed on the server does not match the one you noted down earlier, do not connect to the server.
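To make clear what the fingerprint in the warning actually is, here is an added example (not BitLaunch's code, and not part of the original article) that reproduces the one-line summary printed by ssh-keygen -lf from the contents of a host key file such as /etc/ssh/ssh_host_ed25519_key.pub. The fingerprint is simply a SHA256 (or MD5) hash of the raw key blob that is base64-encoded in the second field of that file; the same blob also appears in the client's known_hosts file, so the code accepts either line format. The host key line used for demonstration is constructed (its key bytes are 0..31, not a real key), and the label root@example-vps is made up.

```python
"""Compute OpenSSH host-key fingerprints locally, the way `ssh-keygen -lf` does."""
import base64
import hashlib

# Names ssh-keygen prints in parentheses after the comment.
KEY_TYPE_NAMES = {"ssh-ed25519": "ED25519", "ssh-rsa": "RSA", "ssh-dss": "DSA"}


def _wire_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data


def _wire_strings(blob: bytes) -> list[bytes]:
    """Split a key blob into its wire-format strings; raise on a truncated blob."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length field")
        length = int.from_bytes(blob[pos:pos + 4], "big")
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated key field")
        fields.append(blob[pos:pos + length])
        pos += length
    return fields


def parse_key_line(line: str) -> tuple[str, bytes, str]:
    """Parse a .pub line ('type base64 [comment]') or a known_hosts line
    ('host type base64 [comment]') into (key type, raw blob, comment or host)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    if fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
        key_type, b64, label = fields[0], fields[1], " ".join(fields[2:])
    else:  # known_hosts form: the first field is the host name, address or hashed host
        if len(fields) < 3:
            raise ValueError("not a known_hosts line")
        key_type, b64, label = fields[1], fields[2], fields[0]
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with its own type string; it must agree with the text field,
    # otherwise the line has been mangled or edited.
    if _wire_strings(blob)[0] != key_type.encode():
        raise ValueError("key type inside blob does not match the line")
    return key_type, blob, label or "no comment"


def fingerprint(blob: bytes, hash_alg: str = "sha256") -> str:
    """Format the fingerprint as the ssh client prompt and ssh-keygen -l show it."""
    if hash_alg == "sha256":
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")  # unpadded base64
    if hash_alg == "md5":
        hexdigest = hashlib.md5(blob).hexdigest()
        return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))
    raise ValueError(f"unsupported hash: {hash_alg}")


def key_bits(key_type: str, blob: bytes) -> int:
    """Key size as ssh-keygen reports it in the first column of its output."""
    fields = _wire_strings(blob)
    if key_type == "ssh-ed25519":
        return len(fields[1]) * 8  # 32-byte public point -> 256
    if key_type.startswith("ecdsa-sha2-nistp"):
        return int(key_type[len("ecdsa-sha2-nistp"):])  # curve size is in the type name
    if key_type == "ssh-rsa":
        return int.from_bytes(fields[2], "big").bit_length()  # fields: type, e, n
    if key_type == "ssh-dss":
        return int.from_bytes(fields[1], "big").bit_length()  # fields: type, p, q, g, y
    raise ValueError(f"unsupported key type: {key_type}")


def keygen_line(line: str, hash_alg: str = "sha256") -> str:
    """Reproduce the summary line printed by `ssh-keygen -lf <file>`."""
    key_type, blob, label = parse_key_line(line)
    name = KEY_TYPE_NAMES.get(key_type, "ECDSA" if key_type.startswith("ecdsa-") else key_type)
    return f"{key_bits(key_type, blob)} {fingerprint(blob, hash_alg)} {label} ({name})"


def fingerprints_match(expected: str, actual: str) -> bool:
    """Compare the fingerprint noted from the ssh prompt with one computed here,
    tolerating a missing 'SHA256:'/'MD5:' prefix, stray whitespace and hex case."""
    def norm(value: str) -> str:
        value = value.strip()
        for prefix in ("SHA256:", "MD5:"):
            if value.upper().startswith(prefix):
                value = value[len(prefix):]
        return value.lower() if ":" in value else value  # base64 is case-sensitive, hex is not
    return norm(expected) == norm(actual)


def sample_ed25519_line() -> str:
    """A constructed ssh_host_ed25519_key.pub line for demonstration only:
    the key bytes are 0..31, not a real host key."""
    blob = _wire_string(b"ssh-ed25519") + _wire_string(bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@example-vps"


if __name__ == "__main__":
    line = sample_ed25519_line()
    print(keygen_line(line))         # same shape as ssh-keygen -lf output
    print(keygen_line(line, "md5"))  # same shape as ssh-keygen -E md5 -lf output
```

On a real server the equivalent of the commands above is keygen_line(open("/etc/ssh/ssh_host_ed25519_key.pub").read()), and fingerprints_match() lets you compare the value copied from the client prompt without worrying about whether the SHA256: prefix was included. Because the fingerprint is a plain hash of the public key, anyone who has obtained the key through a trusted channel can recompute it independently, which is exactly why the out-of-band check works.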
