Recently, people have picked up on OpenSSH’s new “feature”: visual SSH fingerprints.
It hurts to see this “feature” in software like OpenSSH, which is so integral to everything we do, because it’s a waste. It’s additional code, and thus an additional risk of bugs, and it has a net security benefit of zero, NULL, zilch, nada, nothing, nix, nadje, oomph!
The theory is that you learn to recognise the general shape of the visual fingerprints of your hosts, which is easier for us to remember than strings of hexadecimal numbers. So, for instance, if you ssh to pony.debian.net, you get to see something that’s not entirely unlike a pony:
Host key fingerprint is 45:2f:a5:d8:13:95:ba:03:51:c4:8d:ac:82:a8:4c:6a
+--[ RSA 2048]----+
|         ==+o.   |
|        .++=o    |
|   . .  .o*..    |
| .. . . o..o     |
|+.     .S. .     |
|oE        o      |
|.          .     |
|                 |
|                 |
+-----------------+
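To make the “general shape” idea concrete, here is a Python re-implementation of the “drunken bishop” walk that OpenSSH uses to draw these pictures. This is an added example, not OpenSSH’s or this post’s own code; it reproduces the pony picture above from the fingerprint shown, and the header assumes the “[ RSA 2048]” shape seen in that output.

```python
import re

# OpenSSH's "drunken bishop" randomart, re-implemented for illustration
# (added example; not OpenSSH's or the post's code). The board is 17x9, a
# walker starts in the centre, each 2-bit chunk of the fingerprint (low bits
# first) moves it one step diagonally, and every cell shows how often it was
# stepped on. 'S' marks the start cell, 'E' where the walk ended.
FIELD_W, FIELD_H = 17, 9
SYMBOLS = " .o+=*BOX@%&#/^SE"   # index = visit count, capped at 14


def parse_md5_fingerprint(text):
    """'aa:bb:...' (16 colon-separated hex bytes, the form shown above) -> bytes."""
    if not re.fullmatch(r"(?:[0-9a-f]{2}:){15}[0-9a-f]{2}", text.strip().lower()):
        raise ValueError("expected 16 colon-separated hex bytes")
    return bytes.fromhex(text.strip().replace(":", ""))


def randomart(fingerprint, key_type="RSA", bits=2048):
    """Return the 11-line box OpenSSH prints for this fingerprint."""
    field = [[0] * FIELD_W for _ in range(FIELD_H)]
    x, y = FIELD_W // 2, FIELD_H // 2
    for byte in parse_md5_fingerprint(fingerprint):
        for _ in range(4):                      # four 2-bit steps per byte
            x += 1 if byte & 1 else -1          # bit 0: right or left
            y += 1 if byte & 2 else -1          # bit 1: down or up
            x = min(max(x, 0), FIELD_W - 1)     # the bishop cannot leave the board
            y = min(max(y, 0), FIELD_H - 1)
            if field[y][x] < len(SYMBOLS) - 2:  # leave room for S and E
                field[y][x] += 1
            byte >>= 2
    field[y][x] = len(SYMBOLS) - 1              # 'E'
    field[FIELD_H // 2][FIELD_W // 2] = len(SYMBOLS) - 2   # 'S'
    # Header in the "[%4s %4u]" shape seen above, padded with '-' to the box width.
    top = f"+--[{key_type:>4} {bits:>4}]".ljust(FIELD_W + 1, "-") + "+"
    rows = ["|" + "".join(SYMBOLS[v] for v in row) + "|" for row in field]
    return "\n".join([top, *rows, "+" + "-" * FIELD_W + "+"])


if __name__ == "__main__":
    print(randomart("45:2f:a5:d8:13:95:ba:03:51:c4:8d:ac:82:a8:4c:6a"))
```

The picture is a pure function of the fingerprint, so it carries no information the hex string does not; unlike the hex string, distinct fingerprints can produce the same picture.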
Rejoice! Because now, should pony.debian.net ever present a new SSH fingerprint, when OpenSSH screams at you:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
then you can look at the picture and say: “yeah, I knew that”, because your pony has suddenly transformed into the visual representation of a giant fart.
On the other hand, the new “feature” makes day-to-day interactions a lot easier. Imagine you need to ssh into a new host. You take a piece of paper and call up the admin to ask for the fingerprint, but instead of a series of hexadecimal digits, he says “it looks like the easter bunny and a bit like southern Italy”.
Great “feature”. Thanks. I would appreciate if this sort of crap stayed out of important software. Dan Kaminsky might have some good ideas, but most of the time he’s on crack. Get a grip. Stop being a fanboy.
NP: Kinski: Alpine Static

