Didier Stevens

Sunday 1 January 2012

Calculating a SSH Fingerprint From a (Cisco) Public Key

Filed under: Forensics,Networking — Didier Stevens @ 17:03

I’m sure some of you verify SSH fingerprints before you use an SSH server for the first time. You obtain the fingerprint via another channel, and you compare it with the fingerprint your SSH client presents you.

But have you done this with Cisco devices too? Recently I tried to obtain the SSH fingerprint of a Cisco router while connected via the serial console. It turns out there is no CLI command to display the fingerprint (well, at least I didn’t find one). What you can do is dump the public key with the command “show crypto key mypubkey rsa”.

So I developed a small Python program that calculates an SSH fingerprint from that public key. You store the hex dump of the public key (the Key Data block of the show command) in a file and use that file with this new tool.

The hex dump is a DER-encoded SubjectPublicKeyInfo structure. To calculate the fingerprint, I extract the modulus and exponent from it, re-encode them in the format SSH uses on the wire (the string “ssh-rsa” followed by the exponent and the modulus as mpints, as defined in RFC 4253) and calculate the MD5 hash of that byte string. The 16-byte digest, written as colon-separated hex pairs, is the fingerprint the SSH client shows you. Note that recent OpenSSH versions (6.8 and later) display a SHA256 fingerprint by default; pass -o FingerprintHash=md5 to ssh, or hash the same byte string with SHA-256, so that you compare like with like.

So now I can connect to a router via the serial console while there’s no “man in the middle”, obtain the public key and calculate the fingerprint. Next when I connect to the same router over SSH, I can validate the fingerprint my SSH client presents me. It’s too bad Cisco provides no feature to get the fingerprint directly.
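As an added example (this is my own illustration, not the author’s program from the zip below and not Cisco code), here is the whole calculation in Python: it decodes the hex dump from the show output, walks the DER structure with big-endian handling of long-form lengths, builds the ssh-rsa key blob and returns the MD5 and SHA256 fingerprints plus the OpenSSH one-line form of the key. The sample show output and its toy 64-bit key are constructed for the example, and all function names are mine.

```python
import base64
import hashlib
import re
import sys

RSA_OID = bytes.fromhex("2A864886F70D010101")  # rsaEncryption 1.2.840.113549.1.1.1

# Constructed sample in the shape of "show crypto key mypubkey rsa" output. The Key
# Data is a DER SubjectPublicKeyInfo for a toy 64-bit key (e = 65537, n = 0xC4F1A9E37B2D5C11);
# it is NOT a real router key. A real 2048-bit key starts "30820122 300D0609 ..." and
# goes through exactly the same code path.
SAMPLE_SHOW_OUTPUT = """\
Key name: toy-router (constructed sample, not a real device)
 Key Data:
  3024300D 06092A86 4886F70D 01010105 00031300 30100209 00C4F1A9
  E37B2D5C 11020301 0001
"""

def hex_to_der(text):
    """Decode only the lines made of hex groups, so the whole show output can be pasted."""
    hex_lines = [ln for ln in text.splitlines()
                 if re.fullmatch(r"\s*[0-9A-Fa-f]+(?:\s+[0-9A-Fa-f]+)*\s*", ln)]
    return bytes.fromhex("".join("".join(hex_lines).split()))

def _der_tlv(buf, pos):
    """One tag/length/value at buf[pos:] -> (tag, value, next_pos).
    Long-form lengths (0x81 xx, 0x82 xx xx) are big-endian: most significant byte first."""
    if pos + 2 > len(buf):
        raise ValueError("incomplete DER encoded key")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:
        count = length & 0x7F
        if not 1 <= count <= 4 or pos + count > len(buf):
            raise ValueError("unsupported or incomplete DER length")
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("incomplete DER encoded key")
    return tag, buf[pos:pos + length], pos + length

def rsa_from_der(der):
    """SubjectPublicKeyInfo -> (e, n); anything but rsaEncryption is rejected."""
    tag, spki, _ = _der_tlv(der, 0)
    tag_a, alg, pos = _der_tlv(spki, 0)
    tag_o, oid, _ = _der_tlv(alg, 0)
    if (tag, tag_a, tag_o, oid) != (0x30, 0x30, 0x06, RSA_OID):
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    tag_b, bits, _ = _der_tlv(spki, pos)
    if tag_b != 0x03 or bits[:1] != b"\x00":
        raise ValueError("expected BIT STRING with no unused bits")
    tag_s, rsapub, _ = _der_tlv(bits, 1)          # skip the unused-bits byte
    tag_n, n_bytes, pos = _der_tlv(rsapub, 0)
    tag_e, e_bytes, _ = _der_tlv(rsapub, pos)
    if (tag_s, tag_n, tag_e) != (0x30, 0x02, 0x02):
        raise ValueError("expected RSAPublicKey SEQUENCE { n INTEGER, e INTEGER }")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")

def _der(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _der_uint(x):
    b = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    return _der(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)   # keep the INTEGER positive

def der_from_rsa(e, n):
    """Inverse of rsa_from_der: the SubjectPublicKeyInfo bytes IOS prints."""
    rsapub = _der(0x30, _der_uint(n) + _der_uint(e))
    alg = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")     # rsaEncryption, NULL params
    return _der(0x30, alg + _der(0x03, b"\x00" + rsapub))

def _ssh_mpint(x):
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")          # empty for zero
    b = (b"\x00" if b and b[0] & 0x80 else b"") + b           # positive: high bit clear
    return len(b).to_bytes(4, "big") + b

def ssh_rsa_blob(e, n):
    """RFC 4253 key blob (string "ssh-rsa", mpint e, mpint n): the bytes every SSH client hashes."""
    return b"\x00\x00\x00\x07ssh-rsa" + _ssh_mpint(e) + _ssh_mpint(n)

def md5_fingerprint(blob):
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())

def sha256_fingerprint(blob):  # OpenSSH >= 6.8 default display: unpadded base64 of SHA-256
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def openssh_public_key_line(blob, comment="cisco-router"):
    """One-line format that `ssh-keygen -l -f` and known_hosts accept."""
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def fingerprints_from_show_output(text):
    e, n = rsa_from_der(hex_to_der(text))
    blob = ssh_rsa_blob(e, n)
    return {"bits": n.bit_length(), "e": e, "md5": md5_fingerprint(blob),
            "sha256": sha256_fingerprint(blob), "openssh": openssh_public_key_line(blob)}

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHOW_OUTPUT
    for key, value in fingerprints_from_show_output(text).items():
        print(f"{key}: {value}")
```

Save the Key Data block (or the whole output of show crypto key mypubkey rsa) to a file and run the script with that file name as argument. The md5 line is what to compare against ssh -o FingerprintHash=md5; the openssh line is the one-line format ssh-keygen -l -f expects, which the bare hex dump is not.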

cisco-calculate-ssh-fingerprint_V0_0_1.zip (https)
MD5: 5A6C3A2C466908EE7EFB06727E8D02B7
SHA256: 831CAF7BBF0F6C584436C42D9CEB252A089487B715ADBB81F9547EEB3ED6B0B8

10 Comments »

  1. [...] Calculating a SSH Fingerprint From a (Cisco) Public Key « Didier Stevens [...]

    Pingback by Unnamed 01/07/2012 | Its way inside — Saturday 7 January 2012 @ 1:09

  2. hi didier,

    en
    sh crypto key mypubkey rsa
    !
    conf t
    !
    ! optionally remove existing key(s) if they are non-exportable
    !
    crypto key zeroize rsa
    !
    conf t
    crypto key generate rsa exportable general-keys label modulus 2048
    !
    do sh crypto key mypubkey rsa
    !
    crypto key export rsa pem terminal 3des
    !

    this will dump the public and private key pair to the terminal.

    Comment by Anonymous — Tuesday 24 January 2012 @ 16:55

  3. But this will also erase the existing keys and then generate a new pair!
    And you don’t need the private key to calculate the fingerprint.

    Comment by Didier Stevens — Tuesday 24 January 2012 @ 23:59

  4. ssh-keygen -l -f key.pub

    Comment by Anonymous — Wednesday 7 March 2012 @ 18:24

  5. Nope:

    $ ssh-keygen -l -f key.pub
    01010105…367\2370
    key.pub is not a public key file.

    Comment by Didier Stevens — Wednesday 7 March 2012 @ 19:17

  6. Thank you, this is a much better method than my crude one of connecting to the host initially and copying the fingerprint into the banner.

    Comment by Anonymous — Tuesday 11 June 2013 @ 4:39

  7. Is it possible that your script is not working with 2048-bit keys? I got the message “Parse error: incomplete DER encoded key”

    Comment by Anonymous — Tuesday 19 August 2014 @ 16:36

  8. It should work with any key length, but I just checked for 2048 bits and there is a bug in my program (I read the length bytes in LSB order instead of MSB).

    I will release an update, but you can already fix the code yourself:
    On line 65, replace range(countBytes - 1, -1, -1) with range(0, countBytes).

    Let me know if this solves your problem.

    Comment by Didier Stevens — Tuesday 19 August 2014 @ 18:29

  9. Hi, that works for me, Thank you very much!

    Comment by Anonymous — Wednesday 20 August 2014 @ 7:32

  10. […] think there’s more interest for my program to calculate the SSH fingerprint for Cisco IOS since Snowden started with his […]

    Pingback by Update: Calculating a SSH Fingerprint From a (Cisco) Public Key | Didier Stevens — Monday 1 September 2014 @ 20:17

