Verifying SSH host keys


If you use SSH to access remote servers, the ssh client will prompt you each time you connect to a new server and ask you to accept the server's host key:

$ ssh mail.me.net
The authenticity of host 'mail.me.net (1.2.3.4)' can't be established.
RSA key fingerprint is 72:c6:5f:e7:85:c8:23:5f:c6:c9:99:88:dd:aa:bb:dd.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'mail.me.net,1.2.3.4' (RSA) to the list of known hosts.
matty@mail.me.net's password:

How do you determine whether the fingerprint presented is the genuine one? The easiest way to validate the key is to log in to the server through the console (a channel you already trust, rather than the SSH connection you are trying to verify) and run the ssh-keygen utility with the "-l" (list fingerprint) and "-f" (file to check) options:

$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
2048 72:c6:5f:e7:85:c8:23:5f:c6:c9:99:88:dd:aa:bb:dd ssh_host_rsa_key.pub

If you can’t access the console, you can ask someone who already has access to read off the ssh-keygen output. While it’s a bit of a pain, it is a small step in the name of secure access.
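As an added example (not code from the original post), the following Python script computes the same fingerprint that ssh-keygen prints, directly from a public-key file line or a known_hosts line, and checks it against a fingerprint read out over the console or another trusted channel. It uses only the standard library. The key material is constructed inside the script and is not a real host key; the host names and the key comment are placeholders.

```python
"""Compute OpenSSH host-key fingerprints and check them against an out-of-band value.

Added example, not code from the original post. Standard library only: a fingerprint
is a hash of the raw wire-format key blob that sits base64-encoded in a public-key
file or known_hosts line, so it can be recomputed without calling ssh-keygen.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """SSH wire-format mpint for a non-negative integer: big-endian, sign bit kept clear."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw  # a set high bit would read as negative, so prepend a zero byte
    return ssh_string(raw)


def build_rsa_public_line(e: int, n: int, comment: str) -> str:
    """Serialize RSA public parameters as an 'ssh-rsa <base64 blob> <comment>' line."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_public_line(line: str):
    """Return (key_type, raw_blob, comment) from a public-key or known_hosts line."""
    fields = line.split()
    # known_hosts lines carry a leading host field; public-key files start with the type.
    if not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
        fields = fields[1:]
    key_type, blob = fields[0], base64.b64decode(fields[1])
    comment = " ".join(fields[2:])
    # The first wire string inside the blob must equal the declared key type.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode():
        raise ValueError("key type field does not match the key blob")
    return key_type, blob, comment


def rsa_modulus_bits(blob: bytes) -> int:
    """Modulus size of an ssh-rsa blob: the leading number in `ssh-keygen -l` output."""
    fields, pos = [], 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    return int.from_bytes(fields[2], "big").bit_length()  # fields = [type, e, n]


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated MD5 form, as printed by `ssh-keygen -l -E md5`."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Modern form (OpenSSH default since 6.8): 'SHA256:' plus unpadded base64."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def normalize_fingerprint(fp: str) -> str:
    """Canonicalize a fingerprint as an operator might read it out: case, MD5: prefix, padding."""
    fp = fp.strip()
    if fp[:4].upper() == "MD5:":
        fp = fp[4:]
    if fp[:7].upper() == "SHA256:":
        return "SHA256:" + fp[7:].rstrip("=")
    return fp.lower()


def matches_expected(line: str, expected: str) -> bool:
    """True when the key on `line` has fingerprint `expected` (MD5 or SHA256 form)."""
    _, blob, _ = parse_public_line(line)
    return normalize_fingerprint(expected) in (fingerprint_md5(blob), fingerprint_sha256(blob))


# Constructed sample key: e=65537 and a made-up odd 2048-bit modulus. It is NOT a real
# RSA key (the modulus is not a product of two primes); it only exercises the encoding.
SAMPLE_LINE = build_rsa_public_line(65537, (1 << 2047) | 0x10001, "root@mail.example (constructed)")


def describe(line: str) -> dict:
    """Reproduce the fields of `ssh-keygen -l` for an ssh-rsa line."""
    key_type, blob, comment = parse_public_line(line)
    return {
        "type": key_type,
        "bits": rsa_modulus_bits(blob),
        "md5": fingerprint_md5(blob),
        "sha256": fingerprint_sha256(blob),
        "comment": comment,
    }


if __name__ == "__main__":
    info = describe(SAMPLE_LINE)
    print(f"{info['bits']} {info['md5']} {info['comment']} ({info['type'][4:].upper()})")
    print(f"{info['bits']} {info['sha256']} {info['comment']} ({info['type'][4:].upper()})")
    trusted = "MD5:" + info["md5"].upper()  # the value read out over the console
    print("match" if matches_expected(SAMPLE_LINE, trusted) else "MISMATCH: do not accept")
```

Newer OpenSSH releases (6.8 and later) print the SHA256 base64 form by default; `ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_rsa_key.pub` prints the colon-separated MD5 form shown above, and the client prompt follows the same default, so compare like with like. matches_expected accepts either form and tolerates the "MD5:" prefix and upper-case hex that a person reading the value aloud is likely to produce.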

This article was posted by Matty on 2006-07-15 09:01:00 -0400