help verifying host key

jeremy.b

In a prior post
https://trisquel.info/en/forum/major-security-compromise

the command

cat /etc/ssh/ssh_host_ecdsa_key.pub | awk '{ print $2 }' | base64 -d | sha256sum | awk '{ print $1 }' | xxd -r -p | base64

no longer works for me,

could someone test it and confirm what I am seeing?

Geshmy

I am ignorant as to what you are trying to do and probably can't be much help but at least I ran the command for you. Is this what you got?

$ cat /etc/ssh/ssh_host_ecdsa_key.pub | awk '{ print $2 }' | base64 -d | sha256sum | awk '{ print $1 }' | xxd -r -p | base64
cat: /etc/ssh/ssh_host_ecdsa_key.pub: No such file or directory
47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=

I think 'cat' says that what I am looking for is not there: "No such file or directory", and sha256sum agrees: "47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=", about which https://www.rfc-editor.org/errata/rfc487 says: "The sha1 value (in base64) for an empty body (canonicalized to a null input) is "2jmj7l5rSw0yVb/vlWAYkK/YBwk=". The sha256 value is "47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="."

I found "https://www.ibm.com/docs/en/zos/2.3.0?topic=susd-steps-setting-up-server-authentication-when-keys-are-stored-in-unix-files" to create what I am looking for if I need it. But I am not using sshd. Hopefully you can get an educated response from someone so I can learn something :)

Geshmy

I am using Nabia and have the Trisquel_11 testing iso downloaded. Looking at the earlier post you mentioned:

$ sha256sum -c trisquel_11.0_amd64.iso.sha256 trisquel_11.0_amd64.iso
trisquel_11.0_amd64.iso: OK
sha256sum: trisquel_11.0_amd64.iso: no properly formatted SHA256 checksum lines found

also

$ sha256sum trisquel_11.0_amd64.iso && cat trisquel_11.0_amd64.iso.sha256
a20e38854260b9f9ed326d767541d190856d871414e78d6fc0536e94c34c3188 trisquel_11.0_amd64.iso
a20e38854260b9f9ed326d767541d190856d871414e78d6fc0536e94c34c3188 trisquel_11.0_amd64.iso

I assume "no properly formatted SHA256 checksum lines found" is nothing to worry about.

liberpoolesque

I am not sure what you are trying to do. For questions like these, it would be helpful to add to your post:
1. What you want to do.
2. What is going wrong. (including error messages and such)

Are you just trying to compute the fingerprint of a key? Then you can just do that with ssh-keygen, like this:

ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub

That will print the fingerprint, along with some other information.
In fact, it returns the same fingerprint as the pipe chain in your post, at least when I tested it.
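
An added example, not part of any post in this thread: the pipe chain's computation written out in Python, returning the fingerprint in the `SHA256:...` form that `ssh-keygen -l` prints and refusing a missing or malformed key instead of silently hashing empty input, which is how the `47DEQ...` value above was produced. The function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

# SHA-256 of zero bytes, base64-encoded: what the pipe chain prints when fed nothing.
EMPTY_SHA256_B64 = base64.b64encode(hashlib.sha256(b"").digest()).decode()


def fingerprint(pubkey_line: str) -> str:
    """Return the SHA256 fingerprint of one OpenSSH public-key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line: expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob starts with a length-prefixed copy of the key type; check it matches.
    if len(blob) < 4:
        raise ValueError("key blob is empty or truncated")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type inside the blob does not match the declared type")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    # The pipe chain keeps the trailing '='; ssh-keygen drops it and adds the hash name.
    return "SHA256:" + digest.rstrip("=")


def fingerprint_file(path: str) -> str:
    """Fingerprint the first key in a .pub file; a missing file raises an error."""
    with open(path, encoding="ascii") as fh:  # FileNotFoundError if the file is absent
        return fingerprint(fh.readline())


def constructed_key_line() -> str:
    """Build a syntactically valid ssh-ed25519 line from constructed, fake key bytes."""
    name, key = b"ssh-ed25519", bytes(range(32))
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    print(fingerprint(constructed_key_line()))
    print("empty-input digest:", EMPTY_SHA256_B64)
    try:
        fingerprint_file("/nonexistent/ssh_host_ecdsa_key.pub")
    except FileNotFoundError as exc:
        print("refused:", exc)
```

The value to compare against should come from a channel other than the connection being verified, for example the server's console.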

Geshmy

liberpoolesque, Clarity is a good thing:)

"I am not sure what you are trying to do. For questions like these, it would be helpful to add to your post:
1. What you want to do.
2. What is going wrong. (including error messages and such)"

Good points.

I was hoping to get jeremy.b to add details to his original post.

Re 'I assume "no properly formatted SHA256 checksum lines found" is nothing to worry about,' I think this is better:

$ sha256sum -c trisquel_11.0_amd64.iso.sha256
trisquel_11.0_amd64.iso: OK