TL;DR
Yes, ignoring an SSH fingerprint warning significantly increases the risk of a man-in-the-middle attack where someone could impersonate your server. Don’t ignore these warnings unless you are absolutely certain about the server’s identity and have verified it through another secure channel.
What is an SSH Fingerprint?
When you connect to an SSH server for the first time, the server presents its public host key and your SSH client shows you that key’s ‘fingerprint’, a short hash of the key. This fingerprint is like a unique ID. Your computer stores the host key. On subsequent connections, it checks if the key the server presents matches what it has stored.
Why the Warning?
If the fingerprints don’t match, your SSH client shows a warning. This means one of two things:
- The server’s key has changed (e.g., reinstalled OS, new server).
- Someone is trying to trick you into connecting to a fake server.
How Impersonation Works
An attacker can set up a rogue SSH server with their own key. When you try to connect, they’ll present their fingerprint. If you ignore the warning and proceed, your connection will be established with the attacker’s server instead of the real one.
Steps to Protect Yourself
- Verify the Fingerprint Out-of-Band: This is the most important step. Don’t rely on information from the SSH connection itself!
  - Contact the server administrator directly (via phone, secure messaging app, or a trusted channel) and ask for the correct fingerprint.
  - If you have access to the server console, check the fingerprint yourself:
    for f in /etc/ssh/ssh_host_*_key.pub; do ssh-keygen -lf "$f"; done
- On Linux/macOS, the host keys your client has stored are usually located at ~/.ssh/known_hosts. Use a text editor to inspect the file and compare the fingerprints.
- To remove a host’s stored key from known_hosts once you have verified that the key change is legitimate:
    ssh-keygen -R hostname
  Replace hostname with the actual hostname or IP address of the server.
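To make the comparison step concrete, here is an added example (not part of the original article) that computes a SHA256 fingerprint in the form OpenSSH displays and checks a presented key against a fingerprint obtained out-of-band. The host names and key blobs are constructed sample data, and only plain (unhashed) known_hosts entries are handled.

```python
import base64
import hashlib
import struct


def sha256_fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints the digest as unpadded base64 after a "SHA256:" prefix.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def stored_fingerprints(known_hosts_text: str, host: str) -> dict:
    """Map key type -> fingerprint for plain known_hosts entries naming host."""
    found = {}
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "@")):
            continue  # skip comments and @cert-authority / @revoked markers
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed entry
        hosts, key_type, key_b64 = fields[:3]
        # Hashed entries ("|1|salt|hash") never match here and are ignored.
        if host in hosts.split(","):
            found[key_type] = sha256_fingerprint(key_b64)
    return found


def matches_out_of_band(presented_key_b64: str, trusted_fp: str) -> bool:
    """True only if the presented key hashes to the fingerprint the admin gave."""
    return sha256_fingerprint(presented_key_b64) == trusted_fp.strip()


def _constructed_ed25519_blob(raw32: bytes) -> str:
    # Constructed sample: an SSH key blob is a sequence of length-prefixed strings.
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw32)) + raw32
    return base64.b64encode(blob).decode()


# Constructed sample data (not real keys): the genuine server and an impostor.
REAL_KEY = _constructed_ed25519_blob(bytes(range(32)))
ROGUE_KEY = _constructed_ed25519_blob(bytes(range(1, 33)))
KNOWN_HOSTS = f"# constructed sample\nserver.example.com,192.0.2.10 ssh-ed25519 {REAL_KEY}\n"

if __name__ == "__main__":
    trusted = stored_fingerprints(KNOWN_HOSTS, "server.example.com")["ssh-ed25519"]
    print("real key matches:", matches_out_of_band(REAL_KEY, trusted))
    print("rogue key matches:", matches_out_of_band(ROGUE_KEY, trusted))
```

A key from a different server produces a completely different fingerprint, which is why a mismatch against the out-of-band value should stop the connection.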
What Happens if You Ignore the Warning?
If you ignore the warning and connect, the attacker can:
- Steal your credentials (username and password).
- Access sensitive data on the server.
- Compromise your entire system.
In Summary
Treat SSH fingerprint warnings seriously. Always verify the fingerprint before proceeding, especially if you’re connecting to a critical server. Ignoring these warnings is a major cyber security risk.