Instruction how to see fingerprints

#1

Unfortunately Scaleway does not allow users to see server fingerprints. But I wrote my own instructions on how to see them. You can add them to the docs.

  1. Open console in admin panel
  2. Click reboot in admin panel
  3. When the GRUB2 loader appears, press the “e” key
  4. Find the line starting with the “linux” command (there will be only one such line) and add this to the end of the line (without quotes): " init=/bin/bash"
  5. Press F10 and wait until a prompt appears.
  6. Type “for f in /etc/ssh/*_key.pub; do ssh-keygen -lf $f; done” (without quotes) to see all host fingerprints with different algorithms. It will show base64(sha256(public key)) (without “=” chars at the end). To copy the result, select the text and drag it to your text editor.
  7. Type “exec /sbin/init” (without quotes) to continue booting. You can now use the fingerprints you got when logging in via SSH to check that there is no attacker between you and your server. The fingerprint displayed on the first ssh connection should be the same as one of the fingerprints from step 6 (the one that has the same algorithm as displayed to you on connection).

Also:

  • If you have an old ssh then hex(md5(public key)) may be displayed on the first connection. You can update your ssh or add the “-E md5” option in step 6. So the command line in step 6 will be: “for f in /etc/ssh/*_key.pub; do ssh-keygen -lf $f -E md5; done”
  • If you need the fingerprint for only one algorithm you can use these commands in step 6:
    ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
    ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub
    ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub

I would also suggest you:

  • Currently there is only one item in GRUB, named “Debian GNU/Linux”. You can add a second item named “Debian GNU/Linux (console only)”. If you do this, getting the fingerprint will become easier because the user no longer needs to press “e”, find the “linux” line, add " init=/bin/bash" and press F10.
  • Of course it would be much easier if the fingerprint were just displayed in the admin panel so the user doesn’t need all these steps to see it.
  • Or at least I would suggest you add a link to these instructions in the server info (e.g. “Fingerprint: (how to see)”).

Without checking fingerprints all created servers are vulnerable. This can stop many customers who care about security.


If you add the instructions to your docs, also replace here https://www.scaleway.com/en/docs/create-and-connect-to-your-server/

this line: “Well done, you are now logged into your instance!”
with this: “Well done, you can now log in to your instance! To check the fingerprint before that you can use this instruction”

And also this line: “You are now logged into your instance from Windows.”
with this: “You can now log in to your instance from Windows. To check the fingerprint before that you can use this instruction”