Version: Axidian Privilege 3.0

Checking Key Fingerprints of SSH Server

Fingerprints are designed to verify the identity of a resource at the moment of connection. Using fingerprints helps protect the company infrastructure against MITM (Man in the Middle) attacks.

Only SHA256 format is supported for fingerprints.

Supported algorithms:

  • Ed25519
  • ECDSA
  • RSA
info

This verification is always enabled and cannot be disabled.

You can select the verification mode in the Authentication of resources using SSH server keys parameter in the Configuration → System settings → SSH connection settings section.

Prerequisites

To work with SSH server key fingerprints, you need Resource Management privileges.

Types of Adding Fingerprints

There are three types for adding SSH server key fingerprints:

  • Automatically add key fingerprints to PAM

    In this mode, the fingerprint value is added into the PAM without the participation of the administrator. The fingerprint is saved in PAM only if it has not been set before. The fingerprint is saved at the moment of using a service connection (connection check, password check/rotation, SSH key check/rotation, synchronization) or at the moment of using a user connection (when a user opens a session). The fingerprint is added just once; after that it is only checked and never rewritten. Fingerprint verification always occurs.

  • Add fingerprints into PAM manually only

    In this mode, adding the fingerprint in the PAM is performed by the PAM administrator. The PAM administrator can manually specify the fingerprint value by selecting one of three available algorithms or obtain a ready-made fingerprint value from a remote host. Fingerprint verification always occurs. If the fingerprint is not added into PAM, the connection is not available.

  • Add fingerprints into PAM only manually and check only if they are added

    In this mode, adding the fingerprint in the PAM is performed by the PAM administrator. The PAM administrator can manually specify the fingerprint value by selecting one of three available algorithms or obtain a ready-made fingerprint value from a remote host. The difference between this mode and the previous one is that if the fingerprint is not added into PAM, the fingerprint verification will not be performed. That is, if the fingerprint is not added into PAM, connection to the resource is still available.

    It is not recommended to select this type, as it reduces the level of information security.

Selecting Resources to Add Fingerprints

  1. Open the Resources section.
  2. Open Extended Search.
  3. Select one of the values in the SSH Key Fingerprint field:
    • Does not match in Service Connection or User Connection
      To find resources where the fingerprint value in PAM and the fingerprint value on the resource do not match.
    • Have not set in Service Connection or User Connection
      To search for resources for which the fingerprint is not set in PAM.

Adding Fingerprints

There are three ways to add fingerprints:

  • manually
  • automatically
  • by group operation

Adding Fingerprints Manually

To add a fingerprint for a service connection, follow these steps:

  1. Open the profile of the desired resource.
  2. Click to the right of the Service Connection field.
  3. In the SSH Key Fingerprint section, select Specify Manually.
  4. Select Algorithm. It is recommended to select Ed25519 because it is the safest option.
  5. Enter a value in the Fingerprint field.
  6. Click Next.
  7. Select the desired service account.
  8. Click Save.

To add a fingerprint for a user connection, follow these steps:

  1. Open the profile of the desired resource.
  2. Find the desired connection with the SSH type and click Edit.
  3. In the SSH Key Fingerprint section, select Specify Manually.
  4. Select Algorithm. It is recommended to select Ed25519 because it is the safest option.
  5. Enter a value in the Fingerprint field.
  6. Click Save.

Adding Fingerprints Automatically

caution

This method only works if the Automatically add key fingerprints to PAM mode is selected in the SSH connection settings.

Fingerprints for the service connection are set automatically at the time of using the service connection, for example:

  • connection check
  • password check/rotation, SSH key check/rotation
  • synchronization

Fingerprints for a user connection are also set automatically at the time the user connection is used, that is, when the user opens a session.

info

In automatic mode, fingerprints are only added, but not overwritten.

Adding Fingerprints by a Group Operation

This operation allows you to set fingerprints for multiple resources at once. To do this, follow these steps:

  1. Open the Resources section.
  2. Select one or more resources that have a service and/or user connection of type SSH and no key fingerprint specified.
  3. Click Get fingerprint from resource and confirm the action with the Next button.
info

With this operation, fingerprints are only added if the fingerprint value was not specified, i.e. existing fingerprints are not overwritten.

Additional Information on SSH Key Fingerprints

  • The SSH Key Fingerprint attribute is associated with a connection, not a resource. Therefore, both types of connections (service and user) have their own attribute for the SSH key fingerprint. This is done for cases when there is more than one SSH server installed on the remote host. The presence or absence of a fingerprint on one connection does not affect the operation of the other. Therefore, the fingerprint values for different connections of the same resource may differ.

  • The SSH key fingerprint is verified before authentication on the resource, i.e. before the credentials are transferred to the resource.

  • If the Add fingerprints to PAM only manually mode is selected in the SSH connection settings and the attribute for the fingerprint in PAM is left unset, then connection to the resource will be unavailable. An event about an unsuccessful connection will appear in the log, and a red warning will appear on the resource page describing the cause of the error, listing the mismatched fingerprints, and indicating the connection type.

  • If the Add fingerprints to PAM only manually mode is selected in the SSH connection settings, the attribute for the fingerprint in PAM is filled in, and the resource does not have a key for the specified algorithm or does not have any keys, then connection to the resource will be unavailable. An event about an unsuccessful connection will appear in the log, and a red warning will appear on the resource page describing the cause of the error, listing the mismatched fingerprints, and indicating the connection type.

  • To correct the fingerprint mismatch error, you need to re-obtain the SSH key fingerprint from the remote host; for more details, see Adding Fingerprints.
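As an added example (not Axidian's code), the following Python models the three fingerprint-adding modes from Types of Adding Fingerprints together with the mismatch cases listed in this section: it computes SHA256 fingerprints the way ssh-keygen -l prints them and decides, before any credential is sent, whether a connection may proceed. The key blobs are constructed, and the Ed25519-first choice in automatic mode is an assumption, since the page does not say which offered key is stored.

```python
from __future__ import annotations
import base64
import hashlib
import struct
from enum import Enum

class Mode(Enum):
    AUTO_ADD = "auto"                # add once without the administrator, then only verify
    MANUAL_ONLY = "manual"           # always verify; no stored fingerprint means no connection
    MANUAL_IF_SET = "manual_if_set"  # verify only when a fingerprint has been stored

# Assumption: when several host keys are offered in AUTO_ADD mode, store the one whose
# algorithm the page recommends first (Ed25519), then ECDSA, then RSA.
PREFERENCE = ("ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa")

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data

def make_key_line(algorithm: str, raw_key: bytes) -> str:
    """Build an OpenSSH-style public key line from a constructed raw key."""
    blob = ssh_string(algorithm.encode()) + ssh_string(raw_key)
    return f"{algorithm} {base64.b64encode(blob).decode()}"

def fingerprint(key_line: str) -> tuple[str, str]:
    """Return (algorithm, fingerprint) for one public key line. The fingerprint is the
    SHA256 of the decoded key blob, base64 without padding, as ssh-keygen -l prints it."""
    algorithm, b64 = key_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return algorithm, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_connection(mode: Mode, stored: tuple[str, str] | None,
                     host_key_lines: list[str]) -> tuple[bool, tuple[str, str] | None]:
    """Decide whether the connection may proceed (before any credential is sent).
    Returns (allowed, stored_after); only AUTO_ADD may change stored, and only from None."""
    offered = dict(fingerprint(line) for line in host_key_lines)  # algorithm -> fingerprint
    if stored is None:
        if mode is Mode.MANUAL_ONLY:
            return False, None                 # nothing to verify against: connection unavailable
        if mode is Mode.MANUAL_IF_SET:
            return True, None                  # no check performed (the page warns against this)
        for alg in PREFERENCE:                 # AUTO_ADD: trust on first use, store once
            if alg in offered:
                return True, (alg, offered[alg])
        return False, None                     # host offered no supported key
    alg, expected = stored
    # Stored value is never overwritten: a different key, or no key for that algorithm, is a mismatch.
    return offered.get(alg) == expected, stored
```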