February 26, 2017

 

SSH SHA-256 fingerprint is not human readable

I'm not sure when this was changed, but the ssh server key fingerprint is now unreadable for humans. Why is this a serious problem? SSH works like any other public-key crypto: to execute a key exchange, one needs to verify the other party's public key. If one doesn't do that, the crypto gives no protection, as a man-in-the-middle attack could be executed to capture the password. The common use case makes this attack even more probable: even though people frequently use key auth, the first login after remote VM setup usually takes place using a password. So it's very important to verify the server's identity, which is usually done by a human comparing the server key fingerprint, like here:
$ ssh ...
The authenticity of host '... (...)' can't be established.
RSA key fingerprint is SHA256:qSj/We80nmhTc8Pc4XPazxlpGrnv95EZNXSZB1YsGl0.
It looks like hash trash: it is not easily readable and certainly not as easy to memorize as the hex format.
Compare that with the SHA-1 fingerprint (actually connecting to the same SSH server):
The authenticity of host '...' can't be established.
RSA key fingerprint is 77:5f:3b:1f:84:eb:d2:0c:ca:bd:b3:5d:f7:3c:c3:6f

Grouped hex digits, no trash.
Maybe I'm wrong, but it looks to me that the ssh maintainers in this case are blindly following a modern fashion to use SHA-256 instead of considering which UX leads to fewer human errors.
I'm not sure if that's somehow connected to using ECDSA keys or not. Anyway, this change to SHA-256 increases human mistakes in using crypto tools like SSH, which is very bad.
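To take the human comparison out of the loop, the check can be scripted. The following is an added example, not code from the original post: it derives both display formats from one OpenSSH public key line (the colon-separated hex form is what OpenSSH computes with MD5) and compares the key against a fingerprint obtained out-of-band. The function names and the sample key are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct


def key_blob(pubkey_line: str) -> bytes:
    """Decode the key blob from an OpenSSH public key line: 'type base64 [comment]'."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with a length-prefixed copy of the key type; reject mismatches.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type does not match blob")
    return blob


def fingerprints(pubkey_line: str) -> dict:
    """Return the fingerprint of one key in both display formats."""
    blob = key_blob(pubkey_line)
    sha = hashlib.sha256(blob).digest()
    md5 = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    return {
        # OpenSSH prints SHA-256 as base64 with the '=' padding removed.
        "sha256": "SHA256:" + base64.b64encode(sha).decode().rstrip("="),
        # Older format: 16 hex pairs separated by colons.
        "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
    }


def matches(pubkey_line: str, expected: str) -> bool:
    """Check a fingerprint obtained out-of-band against the key, in either format."""
    fps = fingerprints(pubkey_line)
    expected = expected.strip()
    if expected.startswith("SHA256:"):
        return fps["sha256"] == expected  # base64 is case-sensitive
    if expected.upper().startswith("MD5:"):
        expected = expected[4:]
    return fps["md5"] == expected.lower()


def sample_key() -> str:
    # Constructed sample: an ssh-ed25519 blob wrapping a made-up 32-byte key.
    name, raw = b"ssh-ed25519", bytes(range(32))
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    for fmt, fp in fingerprints(sample_key()).items():
        print(fmt, fp)
```

OpenSSH can also print the older format itself with `ssh-keygen -l -E md5 -f <keyfile>` or `ssh -o FingerprintHash=md5`.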
