Verifying host keys

Calling the system administrator and verifying the host key over the phone is a simple solution to making sure the host key is correct and that the client is not vulnerable to a man-in-the-middle attack. However, in many situations this is not a practical solution. There may be too many servers. There may be too many clients. Or, the administrator may not be available when the user first connects.

There are a number of other methods that can be used to distribute host keys or fingerprints:

An ISP or network administrator might distribute host key fingerprints on a secure web page that all customers or users have access to.
The host key fingerprint can be sent by e-mail to end users so they have it readily available to compare to the fingerprint displayed in the challenge message.
For enterprises that already use a system such as SMS to push files out to client systems, host keys could also be distributed through this system.
Organizations using Kerberos could take advantage of Secure Shell's GSSAPI key exchange which doesn't require hosts keys and instead leverages Kerberos host verification.

Recently, an IETF draft has been released that specifies a method of checking host key fingerprints using secure DNS (DNSSEC). Secure Shell solutions implementing this new mechanism are not yet widely available.

<< Known hosts

Backup your host keys >>

All trademarks or registered trademarks are the property of their respective owners.