Contributed by johan on from the artsy dept.
Alexander von Gernler (grunk@) has committed support for SSH fingerprint visualization, a technique that makes it easier for users to remember SSH fingerprints. Instead of just looking at the SSH fingerprint in clear text, you can now get a graphical pattern in which your key is represented by a worm inside a field; the worm looks slightly different depending on the fingerprint.
Update (Thu Jun 26 2008, 16:42:30 CET): Some changes have been made since this article was written. Instead of specifying "CheckHostIP fingerprint" to turn on visualization, you now have to use "VisualHostKey yes". "CheckHostIP fingerprint" won't work anymore, and CheckHostIP has returned to being a normal bool yes/no option.
Please read on for Alexander's blog...
In December 2006, I attended a talk by Dan Kaminsky, a security expert well known for his creative approaches towards problems and for his extremely entertaining style of presentation. His talk dealt a lot with visualization of problems from different areas, and was fun to watch, as always. Dan managed to tie together some loose ends in my head about various topics, and also managed to draw my attention to the problem of SSH and the hex fingerprints.

As many of you know, a fingerprint may be as secure as it can be, but the security of the system stands and falls with the user. So if people don't verify fingerprints because it is too complicated and annoying for them, we have to catch them where they can't escape: Actually, the human brain is the most powerful pattern recognition system ever known, so why not make use of it, and show a little image to the users every time they log in. If the image is the same all the time, then everything feels normal. And if not, it starts feeling fishy immediately.

One of the problems I had to solve was the output format. As you all know, we're operating on text terminals most of the time, and high-resolution graphics are not always available. However, the schemes available all tried to do some random graphical output that aimed to be characteristic and easy to remember. So there I was with my constraints: The output had to be 7-bit clean ASCII text, with no colors, no scrolling, no animation, no nothing. I then designed a very simple algorithm that nevertheless takes all the bits of a hex fingerprint into account.

I am still doing research towards the question of how easy it is to forge these pictures. (If you're at a University and doing Theoretical Computer Science, Graph Theory or Cryptography and have any remarks to make, I'll be glad to hear from you :)

Now perhaps you'll be curious and want to play around with the new feature. Just do the following steps:

1. (Of course) compile a -current ssh
2. Insert the option CheckHostIP fingerprint to your ~/.ssh/config file. Now you will get the ASCII art displayed on every login.
3. If you want to know what your known hosts "look" like, type in ssh-keygen -lv -f ~/.ssh/known_hosts | less and learn! There's a Canadian anoncvs mirror that looks like a cat, for example ;)
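The worm walk described in the blog above, as an added Python example that is not part of the original post and is not OpenSSH's own code. The 17x9 field, the symbol set and the two-bits-per-step movement are assumptions modelled on the randomart routine in later OpenSSH releases. The last check bears on the forging question raised above: the picture does not record the order of steps, so two different fingerprints can draw the same image.

```python
# Added illustration, not OpenSSH source: a fingerprint-to-ASCII "worm" walk.
# Assumed (not stated in the article): 17x9 field, symbol set, 2 bits per step.
WIDTH, HEIGHT = 17, 9
SYMBOLS = " .o+=*BOX@%&#/^SE"   # index = visit count; S = start, E = end


def walk(fingerprint: bytes) -> list:
    """Walk the field using every bit of the fingerprint; return visit counts."""
    grid = [[0] * WIDTH for _ in range(HEIGHT)]
    x, y = WIDTH // 2, HEIGHT // 2
    cap = len(SYMBOLS) - 3                      # highest ordinary symbol
    for byte in fingerprint:
        for _ in range(4):                      # four 2-bit steps, low bits first
            x = min(max(x + (1 if byte & 1 else -1), 0), WIDTH - 1)
            y = min(max(y + (1 if byte & 2 else -1), 0), HEIGHT - 1)
            grid[y][x] = min(grid[y][x] + 1, cap)
            byte >>= 2
    grid[HEIGHT // 2][WIDTH // 2] = len(SYMBOLS) - 2   # start marker
    grid[y][x] = len(SYMBOLS) - 1                      # end marker wins on overlap
    return grid


def render(fingerprint: bytes) -> str:
    """Draw the walk as a bordered block of 7-bit ASCII text."""
    border = "+" + "-" * WIDTH + "+"
    rows = ["|" + "".join(SYMBOLS[c] for c in row) + "|" for row in walk(fingerprint)]
    return "\n".join([border, *rows, border])


def same_picture(a: bytes, b: bytes) -> bool:
    """True when two fingerprints are indistinguishable by picture alone."""
    return render(a) == render(b)


if __name__ == "__main__":
    # Constructed sample fingerprints (not real host keys).
    one = bytes(16)
    flipped = b"\x01" + bytes(15)
    print(render(one))
    print(render(flipped))
    print("one-bit change visible:", not same_picture(one, flipped))
    # Step order is not recorded, so distinct inputs can draw the same picture.
    print("0xc3.. vs 0x3c.. identical:", same_picture(b"\xc3" * 16, b"\x3c" * 16))
```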