Visual SSH fingerprints

Recently, people have picked up on OpenSSH's new "feature": visual SSH fingerprints.

It hurts to see this "feature" in software like OpenSSH, which is so integral to everything we do, because it's a waste. It's additional code, and thus an additional risk of bugs, and it has a net security benefit of zero, NULL, zilch, nada, nothing, nix, nadje, oomph!

The theory is that you learn to recognise the general shape of the visual fingerprints of your hosts, which is easier for us to remember than strings of hexadecimal numbers. So, for instance, if you ssh to pony.debian.net, you get to see something that's not entirely unlike a pony:

Host key fingerprint is 45:2f:a5:d8:13:95:ba:03:51:c4:8d:ac:82:a8:4c:6a
+--[ RSA 2048]----+
|         ==+o.   |
|        .++=o    |
|   . .  .o*..    |
| .. . . o..o     |
|+.     .S. .     |
|oE        o      |
|.          .     |
|                 |
|                 |
+-----------------+
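To make concrete what the picture above actually is, here is the algorithm that draws it, the "drunken bishop" walk that OpenSSH implements in key_fingerprint_randomart(). This is an added Python example, not code from this post or from OpenSSH; the function names are mine, and the fingerprint it is fed is the one printed above. Run on that fingerprint it reproduces the pony line for line, which also shows that the picture is a deterministic function of the same 128 bits as the hex string and therefore cannot carry any information the hex string does not.

```python
"""Drunken-bishop randomart, as OpenSSH's key_fingerprint_randomart() draws it.

Added example: reimplements the published algorithm in Python; it is not the
blog's or OpenSSH's own code.
"""

FLDSIZE_X = 17  # 8 * 2 + 1 columns
FLDSIZE_Y = 9   # 8 + 1 rows
# Character for a cell, indexed by how often the walk visited it; the last
# two entries mark the start ('S') and the end ('E') of the walk.
AUGMENTATION = " .o+=*BOX@%&#/^SE"


def randomart_field(digest: bytes) -> list[list[int]]:
    """Walk the 17x9 board and return the visit counts, with S/E markers set."""
    n = len(AUGMENTATION) - 1  # 16: the index of 'E'
    field = [[0] * FLDSIZE_X for _ in range(FLDSIZE_Y)]
    x, y = FLDSIZE_X // 2, FLDSIZE_Y // 2  # the bishop starts in the centre (8, 4)

    for byte in digest:
        # each byte holds four 2-bit moves, least significant pair first
        for _ in range(4):
            x += 1 if byte & 0x1 else -1  # bit 0: right / left
            y += 1 if byte & 0x2 else -1  # bit 1: down / up
            x = min(max(x, 0), FLDSIZE_X - 1)  # the bishop cannot leave the board
            y = min(max(y, 0), FLDSIZE_Y - 1)
            if field[y][x] < n - 2:  # counts saturate at '^'
                field[y][x] += 1
            byte >>= 2

    field[FLDSIZE_Y // 2][FLDSIZE_X // 2] = n - 1  # 'S' at the start
    field[y][x] = n                                # 'E' where the walk ended
    return field


def randomart(fingerprint: str, key_type: str = "RSA", bits: int = 2048) -> str:
    """Render the randomart box for a colon-separated hex (MD5) fingerprint."""
    digest = bytes.fromhex(fingerprint.replace(":", ""))
    field = randomart_field(digest)
    # "+--[ RSA 2048]" padded with '-' to 18 columns, then the closing '+'
    header = f"+--[{key_type:>4} {bits:>4}]".ljust(FLDSIZE_X + 1, "-") + "+"
    rows = [
        "|" + "".join(AUGMENTATION[min(c, len(AUGMENTATION) - 1)] for c in row) + "|"
        for row in field
    ]
    footer = "+" + "-" * FLDSIZE_X + "+"
    return "\n".join([header, *rows, footer])


# The fingerprint quoted in the post; running this file prints the pony.
PONY_FINGERPRINT = "45:2f:a5:d8:13:95:ba:03:51:c4:8d:ac:82:a8:4c:6a"

if __name__ == "__main__":
    print("Host key fingerprint is " + PONY_FINGERPRINT)
    print(randomart(PONY_FINGERPRINT))
```

Each hex byte contributes four diagonal steps, so a single changed byte alters every step of the walk from that point on: that is why a new host key turns the pony into something else entirely, and also why two keys whose fingerprints differ only in the last bytes can share most of their picture.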

Rejoice! Because now, should pony.debian.net ever present a new SSH fingerprint, when OpenSSH screams at you:

Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.

then you can look at the picture and say: "yeah, I knew that", because your pony has suddenly transformed into the visual representation of a giant fart.

On the other hand, the new "feature" makes day-to-day interactions a lot easier. Imagine you need to ssh into a new host. You take a piece of paper and call up the admin to ask for the fingerprint, but instead of a series of hexadecimal digits, he says "it looks like the easter bunny and a bit like southern Italy".

Great "feature". Thanks. I would appreciate it if this sort of crap stayed out of important software. Dan Kaminsky might have some good ideas, but most of the time he's on crack. Get a grip. Stop being a fanboy.

NP: Kinski: Alpine Static