Get the fingerprint of the current machine
Sometimes you get the following warning when trying to connect to a machine:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░.
If you have physical access to that machine, you may wonder, “What is the fingerprint of this machine?”.
If it has a /etc/ssh/ssh_host_ed25519_key.pub (for example) you’d run:
$ ssh-keygen -E sha256 -lf /etc/ssh/ssh_host_ed25519_key.pub
256 SHA256:░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ root@░░░░░ (ED25519)
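The value ssh-keygen prints is just the SHA-256 of the decoded key blob from the .pub file, base64-encoded with the "=" padding stripped, which is why it can be compared character for character with the fingerprint in the warning. Added example (not from the original page) that reproduces the calculation in Python and compares it against a fingerprint copied from the warning; the sample key bytes and the "root@example" comment are constructed, not a real host key.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def build_pub_line(key_type: str, raw_key: bytes, comment: str) -> str:
    """Build one line in the format of /etc/ssh/ssh_host_*_key.pub."""
    blob = ssh_string(key_type.encode()) + ssh_string(raw_key)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def sha256_fingerprint(pub_line: str) -> str:
    """Return the fingerprint the way `ssh-keygen -E sha256 -lf` prints it:
    base64(SHA-256(decoded blob)) with trailing '=' padding removed."""
    key_type, b64_blob, *_ = pub_line.split()
    blob = base64.b64decode(b64_blob)
    # The blob begins with its own key type string; it must agree with the prefix.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len].decode() != key_type:
        raise ValueError("key type inside blob does not match the line prefix")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches_warning(pub_line: str, warning_fingerprint: str) -> bool:
    """Compare a local .pub line with the fingerprint quoted in the
    'REMOTE HOST IDENTIFICATION HAS CHANGED' warning. Tolerates stray
    whitespace and '=' padding that may have been copied along."""
    return sha256_fingerprint(pub_line) == warning_fingerprint.strip().rstrip("=")


# Constructed sample: 32 arbitrary bytes stand in for an Ed25519 public key.
# Only the encoded blob is hashed, so no real key material is needed here.
SAMPLE_PUB = build_pub_line("ssh-ed25519", bytes(range(32)), "root@example")

if __name__ == "__main__":
    fp = sha256_fingerprint(SAMPLE_PUB)
    # Same layout as the ssh-keygen -lf output line shown above.
    print(f"256 {fp} root@example (ED25519)")
```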
SSH Agent
Add an identity, but only for 8 hours:
ssh-add -t 8h ~/.ssh/id_rsa
SSH agent things to check out
- You can limit where SSH agent allows keys to be used, see the “-h” option in man ssh-add.
GNOME Keyring
GNOME Keyring loads its own SSH agent that automatically loads all files in ~/.ssh/ (see this article on GNOME Wiki).
I kinda don’t like this behavior and would prefer only loading certain keys explicitly.
The reason being I’ve got a lot of keys, and if SSH tries everything I end up getting authentication failures for trying too many keys.
I think SSH agent is getting split out of GNOME keyring in the future (a commit from October 2023 shows ssh agent being disabled by default in builds of gnome-keyring).
Running commands on remote host
Here’s an example of running pg_dump to make a backup of the data in a PostgreSQL table:
ssh somehost pg_dump --format=plain --table=public.sometable --dbname=somedb --data-only --inserts --on-conflict-do-nothing > mybackup.sql