Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / f6bffb13911564cc80c01c10b71acfba4f315315^! / . / ssh.1
commitf6bffb13911564cc80c01c10b71acfba4f315315[log] [tgz]
authorDarren Tucker <dtucker@zip.com.au>Sat Jun 14 09:04:26 2008 +1000
committerDarren Tucker <dtucker@zip.com.au>Sat Jun 14 09:04:26 2008 +1000
tree3f00bee376dfd1165a023ac1a000614bb297509f
parent03ccc9b142519ac8167951fac27d977dc280b79a [diff] [blame]
   - grunk@cvs.openbsd.org 2008/06/13 20:13:26
     [ssh.1]
     Explain the use of SSH fpr visualization using random art, and cite the
     original scientific paper inspiring that technique.
     Much help with English and nroff by jmc@, thanks.

diff --git a/ssh.1 b/ssh.1
index e191bf0..e975dae 100644
--- a/ssh.1
+++ b/ssh.1

@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.273 2008/02/11 07:58:28 jmc Exp $
-.Dd $Mdocdate: February 11 2008 $
+.\" $OpenBSD: ssh.1,v 1.274 2008/06/13 20:13:26 grunk Exp $
+.Dd $Mdocdate: June 13 2008 
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -1027,9 +1027,31 @@
 .Pp
 .Dl $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
 .Pp
-If the fingerprint is already known,
-it can be matched and verified,
-and the key can be accepted.
+If the fingerprint is already known, it can be matched
+and the key can be accepted or rejected.
+Because of the difficulty of comparing host keys
+just by looking at hex strings,
+there is also support to compare host keys visually,
+using
+.Em random art .
+By setting the
+.Cm CheckHostIP
+option to
+.Dq fingerprint ,
+a small ASCII graphic gets displayed on every login to a server, no matter
+if the session itself is interactive or not.
+By learning the pattern a known server produces, a user can easily
+find out that the host key has changed when a completely different pattern
+is displayed.
+Because these patterns are not unambiguous however, a pattern that looks
+similar to the pattern remembered only gives a good probability that the
+host key is the same, not guaranteed proof.
+.Pp
+To get a listing of the fingerprints along with their random art for
+all known hosts, the following command line can be used:
+.Pp
+.Dl $ ssh-keygen -lv -f ~/.ssh/known_hosts
+.Pp
 If the fingerprint is unknown,
 an alternative method of verification is available:
 SSH fingerprints verified by DNS.
@@ -1433,6 +1455,13 @@
 .%T "The Secure Shell (SSH) Public Key File Format"
 .%D 2006
 .Re
+.Rs
+.%T "Hash Visualization: a New Technique to improve Real-World Security"
+.%A A. Perrig
+.%A D. Song
+.%D 1999
+.%O "International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99)"
+.Re
 .Sh AUTHORS
 OpenSSH is a derivative of the original and free
 ssh 1.2.12 release by Tatu Ylonen.