Discuss this help topic in SecureBlackbox Forum

Check authenticity of an SSH key

SSH does not employ trust chains of the kind used in X.509 PKI. SSH keys are not signed by any other party that could vouch for their authenticity, so you need other means of making sure that the key you received from your user or server is genuine. Normally, key authenticity is checked by comparing the fingerprint of the received key with a fingerprint provided to you through some trusted channel, such as a secure website or a telephone call. After confirming that the key is genuine, the client can save it to its local trusted-keys storage and consult that storage on subsequent connections to confirm that the key has not changed (simply by checking that the received key is present in the trusted storage).

You can obtain the fingerprint of the received key with the FingerprintSHA1String property. This property returns a SHA-1 fingerprint, the form used by the majority of third-party SSH software. There is also a FingerprintMD5String property, which returns an MD5 fingerprint of the key; this form may be needed by older software. Whichever form you use, compare the whole fingerprint against the value obtained out of band, not just its first few characters.

It also makes sense to check that the key itself is cryptographically valid when checking the fingerprint for the first time. This can be done with the IsKeyValid() call.
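The procedure above, as an added example in Python that is not SecureBlackbox's own code: parse an OpenSSH public key line, compute SHA-1 and MD5 fingerprints over the key's wire-format blob (the form OpenSSH fingerprints, which may differ from the string format of the properties described here), compare the SHA-1 value in constant time against a fingerprint obtained out of band, and pin the key in a trusted-keys store for later connections. The key bytes and host name are constructed for the example, not a real key; a cryptographic validity check such as IsKeyValid() is not reproduced here.

```python
import base64
import hashlib
import hmac
import struct

def ssh_string(data):
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data

def parse_openssh_line(line):
    """Return (key type, raw key blob) from an 'ssh-ed25519 AAAA... comment' line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed OpenSSH public key line")
    blob = base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with the key type as an SSH string; it must match field 1.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen].decode("ascii", "replace") != parts[0]:
        raise ValueError("key type field does not match blob")
    return parts[0], blob

def fingerprint_sha1(blob):
    """SHA-1 fingerprint over the wire-format blob, as lowercase hex."""
    return hashlib.sha1(blob).hexdigest()
def fingerprint_md5(blob):
    """Legacy MD5 fingerprint in the colon-separated form older tools print."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))
class TrustedKeyStore:
    """Minimal trusted-keys storage: host -> pinned SHA-1 fingerprint (hex)."""
    def __init__(self):
        self._pins = {}
    def first_contact(self, host, blob, expected_sha1):
        """First use: compare with the out-of-band fingerprint; pin only on a match."""
        actual = fingerprint_sha1(blob)
        expected = expected_sha1.lower().replace(":", "")
        if not hmac.compare_digest(actual, expected):
            return False
        self._pins[host] = actual
        return True
    def verify(self, host, blob):
        """Later connections: the received key must equal the pinned one for this host."""
        pinned = self._pins.get(host)
        return pinned is not None and hmac.compare_digest(pinned, fingerprint_sha1(blob))

# Constructed sample (not a real key): an ed25519 blob with a dummy 32-byte point.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " user@example"
```

A key whose fingerprint does not match the pinned one is rejected by verify(), which is the signal that the key changed or that the connection is being intercepted.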

How To articles about SSH keys
