Question

How to verify droplet's SSH public key fingerprint?

Before SSHing to a droplet for the first time, is there a way to verify the public key fingerprint? This question was asked last year, but there wasn’t any good way to do this back then. Any updates?

As the previous asker suggested, “Ideally it would be part of the response body when a new droplet is created or have its own API call”. The fingerprint could also be displayed in the web interface for each droplet.


Power it off, firewall it and rebuild.



I found another solution for this: when creating the droplet, enable “User data” and put in a script which installs a web server and publishes the server’s SSH key fingerprint. You can verify the key hasn’t been modified in transit using an HMAC with a shared secret. Here’s an example script:

#!/bin/bash

# install web server
apt-get -y update
apt-get -y install apache2

# put the public ssh key fingerprint in the default webroot
ssh-keygen -lv -f /etc/ssh/ssh_host_ed25519_key > /var/www/html/key
chmod o+r /var/www/html/key

# generate the HMAC of /var/www/html/key
cat /var/www/html/key | openssl dgst -sha256 -hmac "SECRET" > /var/www/html/hmac
chmod o+r /var/www/html/hmac

Replace SECRET.

Then you can access http://your-droplets-ip/key to see the public key and http://your-droplets-ip/hmac to get the HMAC.

To make sure that a MITM hasn’t modified the key file in transit, you can verify the HMAC on your computer:

curl -s http://your-droplets-ip/key | openssl dgst -sha256 -hmac "SECRET"
curl -s http://your-droplets-ip/hmac

The output of these commands must be identical.

Alternatively, you can also have the script email you the key & hmac.

Cheers!
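The client-side check from the answer above, as an added example that is not part of the original post: it tolerates the different prefixes OpenSSL versions print before the digest and rejects a downloaded hmac file that is not a SHA-256 hex digest. The function names, the demo secret and the placeholder fingerprint are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): client-side verification of
# the /key and /hmac files published by the user-data script.

# Hex HMAC-SHA256 of a file. OpenSSL prefixes the digest with "(stdin)= " or
# a longer algorithm label depending on version, so keep only the last field.
hmac_hex() {   # $1 = file, $2 = secret
    openssl dgst -sha256 -hmac "$2" < "$1" | awk '{print $NF}'
}

# 0 = HMAC matches, 1 = mismatch, 2 = hmac file is not a SHA-256 hex digest
# (for example an HTML error page was downloaded instead).
verify_published_key() {   # $1 = key file, $2 = hmac file, $3 = secret
    expected=$(awk 'NR==1 {print $NF}' "$2")
    case "$expected" in ''|*[!0-9a-f]*) return 2 ;; esac
    [ "${#expected}" -eq 64 ] || return 2
    [ "$expected" = "$(hmac_hex "$1" "$3")" ]
}

# First line of `ssh-keygen -lv` output is "<bits> <fingerprint> <comment> (<type>)".
fingerprint_of() {   # $1 = verified key file
    awk 'NR==1 {print $2}' "$1"
}

# Offline demonstration on constructed data (placeholder fingerprint and secret).
demo() {
    dir=$(mktemp -d) || return 1
    printf '256 SHA256:CONSTRUCTEDexampleFINGERPRINT root@droplet (ED25519)\n' > "$dir/key"
    openssl dgst -sha256 -hmac "demo-secret" < "$dir/key" > "$dir/hmac"
    if verify_published_key "$dir/key" "$dir/hmac" "demo-secret"; then
        echo "HMAC ok, expected host fingerprint: $(fingerprint_of "$dir/key")"
    else
        echo "HMAC check failed, do not trust this fingerprint" >&2
    fi
    rm -rf "$dir"
}
demo
```

In real use, save the two curl downloads to files, pass them with your secret to verify_published_key, and compare the printed fingerprint with the one ssh shows on first connect.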

How about as @orric suggests, but instead of your own server display it in the webconsole? e.g.

When creating the droplet, enable “User data” and put in the following script?

#!/bin/bash
ssh-keygen -lv -f /etc/ssh/ssh_host_ecdsa_key >> /etc/issue

And then clicking the console in the control panel to see the key fingerprint in the pre-login banner? Obviously edit key file to taste.

Hey friend!

Currently the only way to do this would be to log in through the web console and check it there before accepting it over SSH. I suppose no matter how you spin it, you’re accepting something remote as truth, so I don’t know the most flawless answer. It is an interesting thought experiment, I fear it will plague my mind for the remainder of the evening.

Jarland