Question

MITM: The authenticity of host can't be established.

Hi,

I’ve searched through the questions and am surprised that I haven’t seen an adequate answer to this question yet so maybe I’m missing something.

I created a new Ubuntu droplet and when I try to SSH into it I’m presented with the following warning:

The authenticity of host 'x.x.x.x' can't be established.
ECDSA key fingerprint is SHA256:XwYwckT3ivmDkwGBBRN93ANuzYpvlEvo4DQ+qZo7MB8.
Are you sure you want to continue connecting (yes/no)?

SSH is warning me that there could be a man-in-the-middle attack occurring (thank you SSH!). In order to avoid this I need to verify the fingerprint of my new droplet through a secure channel (i.e., the DigitalOcean web interface). The only promising option I see in the web interface is the Console, which I presume will allow me to log in and view the server logs where I can see the server fingerprint. However, I can’t log in through the console because I added an SSH key to my droplet at creation time and no password was set.

Does this mean that I have to forgo the security of adding an SSH key at droplet creation time so that I can log in via the console to verify my server fingerprint, and then after that add a SSH key manually? It’s considered bad practice to rely on passwords without SSH keys these days so this surprises me.

Thanks for your help in keeping my droplets secure from man-in-the-middle and password attacks.


Submit an answer


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Accepted Answer

I tried creating a droplet again, this time with Debian instead of Ubuntu, and I see the server fingerprints in the console before logging in. I don’t know if it’s because I chose Debian this time or if I just didn’t notice them last time but either way I’m happy now.

I received the below message - please check it

➜ ~ git:(master) ✗ ssh-copy-id root@xxx.xxx.xx.xxx /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed – if you are prompted now it is to install the new keys Permission denied (publickey). ➜ ~ git:(master) ✗

Thank you for answering.

What makes it OK if I see the message for the first time? You write “as this is first time from this PC, it’s secure to continue.” How do you know that? How do you know there isn’t a man in the middle attack occurring the first time?

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Resources for startups and SMBs

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.