
SSH/SFTP Fingerprints for DoIT Supported Hosts


SSH (Secure Shell) and SFTP (Secure File Transfer Protocol) are secure replacements for telnet and ftp. Like telnet and ftp, they are used to connect to a remote host computer (often referred to as a server). The advantages of SSH and SFTP over telnet and ftp are:

  1. All information transmitted between your computer and the host is encrypted.  This protects your password during login as well as information transmitted after logging in.
  2. You can use the "fingerprints" published in this document to verify that your connection to apollo.sfsu.edu, libra.sfsu.edu, online.sfsu.edu, or www.sfsu.edu has not been compromised.

SSH/SFTP Fingerprints for DOIT Supported Hosts

Every SSH/SFTP host has at least one unique "key" used to encrypt your connection, and each key has a unique "fingerprint". The fingerprint can be displayed as a series of hexadecimal numbers separated by colons, or as a series of "words" separated by hyphens. The first time you connect to a host using SSH or SFTP you will be shown the fingerprint for one of the host's keys and asked whether or not to continue with the connection. The fingerprints for apollo.sfsu.edu, libra.sfsu.edu, online.sfsu.edu, and www.sfsu.edu are given below. If the fingerprint displayed when you connect is the same as one of the fingerprints below, you can safely complete the connection. If they don't match, see "What does it mean if the Fingerprints Don't Match?" below. Once you complete the connection, the host name and key are stored on your computer and, unless the key on the host changes, you should not be shown a fingerprint for that host again.

Fingerprints for DOIT supported hosts shown in hexadecimal and text format:

7b:b5:e1:08:ee:db:cf:85:cc:7c:66:fe:73:5d:cb:13
xesak-nihov-tybug-gutos-tisep-senel-gyvul-bonoc-pagin-zeduf-gixox

57:fe:4b:78:94:1e:8c:3d:28:ce:67:40:85:fe:24:85
xehad-ryzor-muvuz-kykig-dypeg-vavyz-runuz-dukig-ruvyl-kimyv-gaxax
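As an added example that is not part of this DoIT page, the code below shows how the two fingerprint formats described above are derived from a host's public key, and performs the comparison against a published list that the page asks you to make. It assumes the OpenSSH conventions of the time: the hex form is the MD5 digest of the key blob and the word form is Bubble Babble over its SHA-1 digest; the known_hosts line and key blob are constructed for illustration and are not a real host key.

```python
import base64
import hashlib

VOWELS = "aeiouy"
CONSONANTS = "bcdfghklmnprstvzx"

def hex_fingerprint(blob: bytes) -> str:
    # Colon-separated MD5 of the key blob: the hex format shown on this page.
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def bubble_babble(data: bytes) -> str:
    # Huima's Bubble Babble encoding; ssh-keygen -B applies it to SHA-1(blob).
    out, c, pairs = ["x"], 1, len(data) // 2  # c is the running checksum
    for i in range(pairs + 1):
        if i < pairs or len(data) % 2:  # a full pair, or the trailing odd byte
            b1 = data[2 * i]
            out.append(VOWELS[(((b1 >> 6) & 3) + c) % 6])
            out.append(CONSONANTS[(b1 >> 2) & 15])
            out.append(VOWELS[((b1 & 3) + c // 6) % 6])
            if i < pairs:
                b2 = data[2 * i + 1]
                out.append(CONSONANTS[(b2 >> 4) & 15] + "-" + CONSONANTS[b2 & 15])
                c = (c * 5 + b1 * 7 + b2) % 36
        else:  # even length: the last tuple carries only the checksum
            out.append(VOWELS[c % 6] + CONSONANTS[16] + VOWELS[c // 6])
    return "".join(out) + "x"

def word_fingerprint(blob: bytes) -> str:
    return bubble_babble(hashlib.sha1(blob).digest())

def key_blob(line: str) -> bytes:
    # Pull the base64 blob out of a public-key or known_hosts line.
    fields = line.split()
    for i, f in enumerate(fields[:-1]):
        if f.startswith(("ssh-", "ecdsa-")):
            return base64.b64decode(fields[i + 1])
    raise ValueError("no key type field found")

def matches_published(shown: str, published: list) -> bool:
    # The check the page asks users to perform, tolerant of case and whitespace.
    return shown.strip().lower() in {p.strip().lower() for p in published}

def _ssh_string(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b

# Constructed ssh-rsa blob with toy e and n; NOT a real host key.
DEMO_BLOB = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00\xc0\xff\xee")
KNOWN_HOSTS_LINE = "host.example ssh-rsa " + base64.b64encode(DEMO_BLOB).decode()
```

Running `hex_fingerprint` and `word_fingerprint` over `key_blob(KNOWN_HOSTS_LINE)` gives the two strings a client would display for that key, which can then be checked with `matches_published` against a list like the one above.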



What does it mean if the Fingerprints Don't Match?

If the fingerprints don't match, it doesn't necessarily mean your connection has been compromised.  There are two possible causes:

  1. Your computer is under a "man-in-the-middle" attack. If it is, another computer has captured your connection, and the information transmitted between your computer and the remote host is being routed through it. Man-in-the-middle attacks can be used to find out your account name and password, or to view and record the information passing between your computer and the remote host.
  2. The published fingerprint, or your copy of the published fingerprint, is incorrect. When a host's key is replaced the host's fingerprint changes, so make certain you have the most recent published fingerprint for the host. If the fingerprint still doesn't match the most recently published one, the key might have been replaced and the published fingerprint not yet updated to match the new key.

If you use SSH or SFTP to connect to one of our supported hosts and are shown a fingerprint different from those listed above, do NOT complete the connection! Call 415-338-1420 and ask for the Consultant On Duty or fill out a Help Desk Service Request. The mistake might be with our published fingerprint, but you may be the victim of a "man-in-the-middle" attack.

What if the fingerprints matched originally but now they don't?

If your SSH or SFTP client sees that the key saved from a previous connection has changed, you will get a message similar to the one below:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is 57:fe:4b:78:94:1e:8c:3d:28:ce:67:40:85:fe:24:85.
Please contact your system administrator.
Add correct host key in /Users/janedoe/.ssh/known_hosts to get rid of this message.
Offending key in /Users/janedoe/.ssh/known_hosts:1
RSA host key for libra.sfsu.edu has changed and you have requested strict checking.
Host key verification failed.

This either means that the host has a new key and the fingerprint has changed, or that you are the victim of a man-in-the-middle attack. Check back to this document and refresh your browser to see the most recent fingerprints for our hosts. If the fingerprint shown in your connection matches one of the published fingerprints you can safely accept the connection. If the fingerprints don't match do NOT complete the connection. Call 415-338-1420 and ask for the Consultant On Duty or fill out a Help Desk Service Request. As with an initial connection our published fingerprint might be out of date, but you might be the victim of a "man-in-the-middle" exploit.

Assuming the key has changed and the new fingerprint matches the most recent published fingerprint, you will want to accept the connection. How this is handled varies with different clients. For example, the sample warning above is from the SSH client built into Mac OS X and it does not give the option to accept the connection. See the instructions describing what to do for the specific DOIT supported SSH/SFTP client you receive the warning in.




San Francisco State University

Last Modified: 17 Dec 2008
doit@sfsu.edu