

SSH Fingerprint Spoofing: How it Works & Prevention

TL;DR

Yes, in effect. An attacker cannot forge the real server’s fingerprint, which would mean producing a second key with the same SHA-256 hash, but a malicious actor sitting between you and the server (a Man-in-the-Middle, MitM, attack) can present their own host key and hope you accept its fingerprint. That works if you trust a fingerprint on first connection without checking it, or click through the warning that a known host’s key has changed. The protections below close both gaps: out-of-band fingerprint verification, a tidy known_hosts file, strict host key checking, and public-key or certificate-based authentication so that a MitM cannot capture a password.

How SSH Fingerprint Spoofing Works

When you connect to an SSH server for the first time, the server sends its public host key and your client displays that key’s fingerprint (a SHA-256 hash of the key, shown base64-encoded) and asks whether to trust it. If you accept, the full public key is stored in your known_hosts file. On every subsequent connection the client compares the key the server presents with the stored one, and if it differs you get a prominent warning and, by default, the connection is refused. This model is called trust on first use: the first connection is the one moment when nothing protects you except checking the fingerprint yourself.

Spoofing means an attacker intercepts your connection, for instance by redirecting traffic on the local network or hijacking DNS, and presents their own host key instead of the legitimate server’s. Its fingerprint cannot equal the real one, so the attack relies on you accepting it: either on a first connection, where the client has nothing to compare against, or by dismissing the changed-key warning for a host you already know. Once you accept, the attacker terminates your SSH session, can read and modify everything you send, and can relay it to the real server so that nothing appears wrong. If you log in with a password, the attacker now has it.
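The check described above, as an added example that is not part of the original article or of OpenSSH: a small Python model of how a client matches a presented host key against known_hosts (plain and hashed host fields, @revoked lines, and the fingerprint format ssh-keygen prints) and what each StrictHostKeyChecking value does with the result. The key blobs, hostnames, salt and file contents are constructed for the example; the raw key bytes are not real Ed25519 points, which does not matter for fingerprinting.

```python
# Added example, not OpenSSH code: a minimal model of an SSH client's host key
# check against known_hosts. All keys, hostnames and file contents are constructed.
import base64
import fnmatch
import hashlib
import hmac


def ssh_string(b: bytes) -> bytes:
    """SSH wire encoding of a byte string: 4-byte big-endian length, then the bytes."""
    return len(b).to_bytes(4, "big") + b


def ed25519_pubkey_b64(raw: bytes) -> str:
    """Base64 blob of an ssh-ed25519 public key as it appears in known_hosts.
    Used here only to build sample data; the 32 raw bytes are arbitrary."""
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(raw)).decode()


def fingerprint(pubkey_b64: str) -> str:
    """The SHA256 fingerprint ssh and ssh-keygen -l print:
    base64(sha256(key blob)) with the '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(pubkey_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_hostname(host: str, salt: bytes) -> str:
    """Host field written when HashKnownHosts is on: |1|b64(salt)|b64(hmac_sha1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_matches(field: str, host: str) -> bool:
    """Match a host against one known_hosts host field: a hashed name, or a
    comma-separated pattern list (simplified: '*' and '?' only, no '!' negation)."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64encode(mac).decode(), mac_b64)
    return any(fnmatch.fnmatchcase(host, pattern) for pattern in field.split(","))


def check_host_key(host: str, key_type: str, pubkey_b64: str, known_hosts: str):
    """Compare the key a server presented with known_hosts.
    Returns (outcome, fp): outcome is "match", "changed", "revoked" or "new";
    fp is the stored key's fingerprint, or the presented one for "new"."""
    presented = fingerprint(pubkey_b64)
    for line in known_hosts.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        marker = None
        if parts[0].startswith("@"):            # @revoked / @cert-authority lines
            marker, parts = parts[0], parts[1:]
        if len(parts) < 3 or parts[1] != key_type or not host_matches(parts[0], host):
            continue
        stored = fingerprint(parts[2])
        if marker == "@revoked":
            if stored == presented:
                return ("revoked", stored)
            continue
        if marker == "@cert-authority":          # vouches for certificates, not plain keys
            continue
        return ("match" if stored == presented else "changed", stored)
    return ("new", presented)


def decide(policy: str, outcome: str) -> str:
    """What the client does for a StrictHostKeyChecking value and a check outcome."""
    if outcome == "match":
        return "connect"
    if outcome == "revoked":
        return "refuse"
    if outcome == "changed":
        # Only 'no'/'off' proceeds past a changed key, and OpenSSH then disables
        # password authentication and agent forwarding for that session.
        return "connect-with-warning" if policy in ("no", "off") else "refuse"
    # outcome == "new": the host is not in known_hosts yet (trust on first use)
    return {"yes": "refuse", "ask": "prompt"}.get(policy, "add-and-connect")


# Constructed sample data: the real server's key, an attacker's key, a retired key,
# and a known_hosts file with a plain entry, a hashed entry and a revocation.
REAL_KEY = ed25519_pubkey_b64(bytes(range(32)))
ATTACKER_KEY = ed25519_pubkey_b64(bytes(range(32, 64)))
OLD_KEY = ed25519_pubkey_b64(bytes(range(64, 96)))
KNOWN_HOSTS = "\n".join([
    "# constructed sample ~/.ssh/known_hosts",
    "bastion.example.net,203.0.113.10 ssh-ed25519 " + REAL_KEY,
    hashed_hostname("git.example.net", b"constructed-salt") + " ssh-ed25519 " + REAL_KEY,
    "@revoked *.example.net ssh-ed25519 " + OLD_KEY,
])

if __name__ == "__main__":
    for host, key in [("bastion.example.net", REAL_KEY), ("git.example.net", REAL_KEY),
                      ("bastion.example.net", ATTACKER_KEY), ("db.example.net", ATTACKER_KEY),
                      ("db.example.net", OLD_KEY)]:
        outcome, fp = check_host_key(host, "ssh-ed25519", key, KNOWN_HOSTS)
        print(f"{host:20} {outcome:8} {fp}  -> {decide('ask', outcome)}")
```

Running it prints, for each constructed case, the outcome, the fingerprint the user would be shown and what the default ask policy does with it: the attacker’s key against a known host comes out as "changed" and is refused, while the same key against a host that is not yet in the file comes out as "new" and only gets a prompt. The hashed-hostname branch is also why grepping known_hosts for a hostname can come up empty on clients that have HashKnownHosts set to yes.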

Steps to Prevent SSH Fingerprint Spoofing

  1. Verify the Server’s Fingerprint Out-of-Band
    • The most important step! The fingerprint shown on your first connection is exactly the thing an attacker controls, so on its own it proves nothing.
    • Obtain the correct fingerprint through a separate, trusted channel. This could be:
      • Directly from the server administrator (e.g., a phone call, a console session on the machine, or an internal wiki served over HTTPS). On the server, ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub prints the fingerprint of that host key; repeat for the other key types in /etc/ssh.
      • From a reputable source that publishes fingerprints for known servers, such as a hosting provider’s documentation or, for many cloud images, the instance console output from first boot.
      • From DNS, if the zone is DNSSEC-signed: SSHFP records carry host key hashes, and the client checks them when VerifyHostKeyDNS is set to yes.
    • Compare the whole fingerprint, and the key type, with what your SSH client shows during the connection. Any mismatch means something is wrong: do not connect, and do not type a password.
  2. Check Your known_hosts File

    Regularly review your known_hosts file for unexpected entries.

    • The file is typically located at ~/.ssh/known_hosts. Each line holds a hostname (or a comma-separated list of names and addresses), a key type and the full public key, not just its fingerprint.
    • Use a text editor to inspect the contents. Look for unfamiliar hostnames or IP addresses. If HashKnownHosts is enabled, hostnames appear as opaque strings beginning with |1|; in that case use ssh-keygen -F hostname to find the entry for a host, and ssh-keygen -lf ~/.ssh/known_hosts to list every entry with its fingerprint.
    • You can remove suspicious entries using a text editor, or with the command:
      ssh-keygen -R hostname
    • Removing an entry takes you back to trust on first use for that host, so verify the fingerprint out-of-band again before you reconnect. Never delete an entry just to make a changed-key warning go away.
  3. Enable Strict Host Key Checking

    Configure your SSH client to strictly verify host keys. The default setting is ask, but it is worth checking, because scripts and automation often loosen it.

    • Edit your ~/.ssh/config file (create it if it doesn’t exist).
    • Add or modify the following line:
      StrictHostKeyChecking ask

      With ask the client prompts you to confirm the fingerprint of a new host and refuses to connect if a known host’s key has changed. The stricter value yes refuses unknown hosts as well, so it only works once known_hosts has been populated with keys you verified out-of-band; that is the right choice for automated environments, scripts and CI jobs. accept-new sits in between: it adds unknown hosts without asking but still refuses changed keys, which is acceptable only where the first connection is already trusted. Never fall back to no, which adds new keys silently and proceeds past a changed key with nothing more than a warning.

  4. Use Strong Authentication Methods
    • Public Key Authentication: This is much more secure than password authentication, and it matters for MitM in particular. The signature your client sends covers the session identifier, which depends on the server’s host key, so a login captured by a spoofed server cannot be replayed to the real one. A password, by contrast, is simply handed to whoever terminates the connection.
    • Two-Factor Authentication (2FA): Adds an extra layer of security, even if your private key is compromised.
    • Disable Password Authentication: If possible, disable password authentication altogether to prevent brute-force attacks and password capture.
      PasswordAuthentication no

      (in /etc/ssh/sshd_config on the server; keep PubkeyAuthentication at its default of yes, confirm you can still log in with a key, then reload sshd)

  5. Be Wary of Public Wi-Fi

    Avoid connecting to SSH servers over untrusted networks like public Wi-Fi. On a shared network an attacker can run a rogue access point or use ARP spoofing to put themselves in the path, so MitM attacks are far easier to perform there. The host key check is what catches this, which is why a changed-key warning that appears on such a network must be treated as an attack rather than a glitch.

  6. Consider Using SSH Certificates

    SSH certificates provide a more robust way to verify server identity. Instead of trusting each host key individually, you run a certificate authority that signs every server’s host key, and your clients trust the CA through a single @cert-authority line in known_hosts. A host presenting a valid certificate is then verified on the very first connection, with no fingerprint prompt for an attacker to exploit, and rotating a host key no longer produces a changed-key warning. This requires more setup (signing host keys with ssh-keygen -s and pointing sshd at the certificate with HostCertificate) but offers stronger security.
