Question
MITM: The authenticity of host can't be established.
- Posted on February 13, 2017
- SecurityUbuntu 16.04
Asked by Seriously
Hi,
I’ve searched through the questions and am surprised that I haven’t seen an adequate answer to this question yet so maybe I’m missing something.
I created a new Ubuntu droplet and when I try to SSH into it I’m presented with the following warning:
The authenticity of host 'x.x.x.x' can't be established.
ECDSA key fingerprint is SHA256:XwYwckT3ivmDkwGBBRN93ANuzYpvlEvo4DQ+qZo7MB8.
Are you sure you want to continue connecting (yes/no)?
SSH is warning me that there could be a man-in-the-middle attack occurring (thank you SSH!). In order to avoid this I need to verify the fingerprint of my new droplet through a secure channel (i.e., the DigitalOcean web interface). The only promising option I see in the web interface is the Console, which I presume will allow me to log in and view the server logs where I can see the server fingerprint. However, I can’t log in through the console because I added an SSH key to my droplet at creation time and no password was set.
Does this mean that I have to forgo the security of adding an SSH key at droplet creation time so that I can log in via the console to verify my server fingerprint, and then after that add a SSH key manually? It’s considered bad practice to rely on passwords without SSH keys these days so this surprises me.
Thanks for your help in keeping my droplets secure from man-in-the-middle and password attacks.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
I tried creating a droplet again, this time with Debian instead of Ubuntu, and I see the server fingerprints in the console before logging in. I don’t know if it’s because I chose Debian this time or if I just didn’t notice them last time but either way I’m happy now.
Message you see is okay if you see message for first time. And as you say that you created new Droplet, message is valid.
What is this message? SSH have file called
known_hostswhich saves fingerprint for each server you connect to. If you never connected to that server via SSH, you’ll see following warning. Just answer yes to continue and save host for next time. When you login again, you’ll not see warning.If you see warning anytime after first connecting, that is problem and you must verify is everything okay. In this case you’ll not even be able to connect to Droplet.
So as this is first time from this PC, it’s secure to continue.
Thank you for putting the time into such a verbose response. Unfortunately, no one has answered my question yet. You’re both advising me to ignore a possible man-in-the-middle attack which is bad security practice.
It’s possible to verify the server fingerprint on Amazon EC2 during the first connection so I know it can be done and that people other than myself do care about it. See http://ubuntu-smoser.blogspot.com/2010/07/verify-ssh-keys-on-ec2-instances.html