[X2Go-User] What is the hash algorithm / format used for the host key hash during connection instantiation?

Stefan Mätje stefan.maetje at gmx.de
Tue Nov 17 01:02:38 CET 2020


Hi,

I have inspected the ~/.x2go/ssh directories on both the client and the server machine. They both are empty.

But I found the following behavior. If I remove the line for the remote host from the ~/.ssh/known_hosts file
on my client machine then x2go presents the question about "trust the host key" as already depicted below.
If I approve it then again in the known_hosts file I can find the public key of the host which is identical
to /etc/ssh/ssh_host_ecdsa_key.pub of the host. On the next connect I don't get a "trust the host key" question.

This is also the behavior I would expect if I directly log in to the server using ssh. If my known_hosts file
is empty the ssh client presents a fingerprint of the public identity key of the host either as md5 or sha256
fingerprint. These are the fingerprints as already mentioned:

> > ssh_host_ecdsa_key.pub:
> > 256 SHA256:3vf9PbLKhlaFpff7SxpaDLyrfYJF8iJ+Px3bMzLNY2U root at internal.server.com (ECDSA)
> > 256 MD5:7b:9a:76:4b:58:ce:87:bf:3f:56:41:a9:7c:f8:bf:e9 root at internal.server.com (ECDSA)

So I guess x2go should also present a fingerprint of the public identity key of the host on the first connection.
But as it is now it is of no use because I can't prepare the fingerprint on the server-side in advance and take
it with me as long as I don't know how x2go generates this fingerprint (and I can do it the same way too).

Has anybody a hint how x2go creates the presented fingerprint and how I could do that myself in advance on the
server-side to be able to check later if I'm connected to the correct host?

Best regards,
    Stefan


> Sent: Sunday, 15 November 2020 at 18:09
> From: "Ulrich Sibiller" <uli42 at gmx.de>
> To: "Stefan Mätje" <stefan.maetje at gmx.de>
> Cc: "x2go users" <x2go-user at lists.x2go.org>
> Subject: Re: [X2Go-User] What is the hash algorithm / format used for the host key hash during connection instantiation?
>
> I never looked into how x2go handles ssh keys. However, x2go generates
> individual keys during session startup. Maybe you are seeing one of
> those?
> 
> On my system there are some keys in ~/.x2go/ssh
> 
> Uli
> 
> On Sun, Nov 15, 2020 at 5:57 PM Stefan Mätje <stefan.maetje at gmx.de> wrote:
> >
> > Hi,
> >
> > I'm using x2go to connect from a Linux Mint (19) machine to an Ubuntu server
> > using a RSA key over SSH.
> >
> > During the connection instantiation x2go presents me the following question:
> >
> > Der Server ist unbekannt. Vertrauen Sie diesem Host-Key?
> > Hash des öffentlichen Schlüssels: remote.server.com:22 - d7:2e:e0:ae:27:7a:e5:33:59:6d:00:12:75:22:0a:c6:9a:10:31:a9
> >
> > I.e. "The server is unknown. Do you trust this host key?" I now have problems matching the presented fingerprint
> > hash to the host identity keys that are present on the server machine under /etc/ssh/ssh_host_*key*.
> >
> > When I later inspect the .ssh/known_hosts file on my Linux Mint machine (client side) I can match the public
> > key there to the public host identity key on the server side that has the following fingerprints
> > (displayed with 'ssh-keygen -l -E {md5|sha256} -f ssh_host_ecdsa_key'):
> >
> > ssh_host_ecdsa_key.pub:
> > 256 SHA256:3vf9PbLKhlaFpff7SxpaDLyrfYJF8iJ+Px3bMzLNY2U root at internal.server.com (ECDSA)
> > 256 MD5:7b:9a:76:4b:58:ce:87:bf:3f:56:41:a9:7c:f8:bf:e9 root at internal.server.com (ECDSA)
> >
> > Neither of these fingerprints can be matched to the fingerprint / hash that x2go presents to me. The MD5
> > hash line is similar but shorter (only 16 hash bytes aka. 128 bits that matches an MD5 sum length). The
> > x2go hash has 20 bytes (160 bits) hash length.
> >
> > The question is how can I reliably match the fingerprint x2go presents to me to the right host ID hash.
> > Am I comparing / expecting the wrong keys?
> >
> > Can somebody please shed some light on this issue.
> >
> > Best regards,
> >     Stefan
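
Added example (not part of the original mail and not X2Go code): ssh-keygen fingerprints are digests of the base64-decoded key blob from the .pub or known_hosts line, so a presented value can be checked against several digests of that same blob. Trying SHA-1 for the 20-byte value is an assumption based only on its 160-bit length, and the function names and sample key are constructed for illustration.

```python
import base64
import hashlib
import re
import struct

def key_blob(pub_line):
    """Raw key blob from a '<type> <base64> [comment]' .pub line or a
    '<host> <type> <base64>' known_hosts line."""
    for field in pub_line.split():
        # Every SSH key blob starts with a 4-byte length, so its base64 starts "AAAA".
        if field.startswith("AAAA"):
            return base64.b64decode(field)
    raise ValueError("no base64 key blob found")

def fingerprints(pub_line):
    """Digests of the key blob in the notations seen in the mail."""
    blob = key_blob(pub_line)
    def colon_hex(digest):
        return ":".join(f"{b:02x}" for b in digest)
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "md5": colon_hex(hashlib.md5(blob).digest()),    # 16 bytes
        "sha1": colon_hex(hashlib.sha1(blob).digest()),  # 20 bytes (assumed candidate)
        "sha256": sha256,                                # unpadded base64
    }

def match(pub_line, presented):
    """Name of the digest whose fingerprint equals `presented`, or None."""
    value = presented.split(" - ")[-1].strip()          # drop 'host:port - '
    value = re.sub(r"^(MD5|SHA1|SHA256):", "", value)   # drop ssh-keygen label
    for name, fp in fingerprints(pub_line).items():
        candidate = value if name == "sha256" else value.lower()
        if candidate == fp:
            return name
    return None

# Constructed sample key (dummy bytes in ssh-ed25519 wire format, not a real host key).
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_PUB = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " root@constructed.example"

if __name__ == "__main__":
    for name, fp in fingerprints(SAMPLE_PUB).items():
        print(f"{name:7s}{fp}")
```

Run against the server's real /etc/ssh/ssh_host_*_key.pub lines, a None result from match() means the presented value is not a plain MD5, SHA-1 or SHA-256 digest of that key blob.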


