
What are the SSH Host keys?

SSH host keys let you confirm that you are connecting directly to our server and that no man-in-the-middle (MITM) attack is taking place.

Our host key for the Simple FTP Service is:

2048 SHA256:vgxrsQY4LuABBPrAIdBHQSF+UQgF5PuWzsqtLYSAua4 support@docevent.io (RSA)
2048 MD5:f3:d6:0d:1d:a0:98:33:4f:b5:ef:f3:0d:e5:e5:e4:9f support@docevent.io (RSA)

How do I use the host key?

The first time you log in to our server via sftp, it will present you with a host key fingerprint. This should match the above; if it does not, you are not connecting to our server. For example:

$ sftp uuid1234/username@sfs-ap-southeast-2.docevent.io
The authenticity of host 'sfs-ap-southeast-2.docevent.io (54.66.204.53)' can't be established.
RSA key fingerprint is SHA256:vgxrsQY4LuABBPrAIdBHQSF+UQgF5PuWzsqtLYSAua4.
Are you sure you want to continue connecting (yes/no)? 

After checking that the fingerprint is authentic, you can continue your session by choosing yes.

The key is then added to a list of safe keys for this hostname, and you will not be asked this question again.
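
To compare a key against the published fingerprint before answering yes, the fingerprint can be recomputed from the public key line itself, such as one printed by ssh-keyscan -t rsa. This is an added example, not DocEvent's own code; the function names and the sample key are constructed for illustration, so the sample deliberately fails the check.

```python
import base64
import hashlib
import struct

# Fingerprint published on this page for the Simple FTP Service.
PUBLISHED_SHA256 = "SHA256:vgxrsQY4LuABBPrAIdBHQSF+UQgF5PuWzsqtLYSAua4"


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def fingerprints(line: str) -> dict:
    """Return OpenSSH-style fingerprints for one 'host keytype base64' line."""
    host, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with its own key-type string; it must match the line.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii") != key_type:
        raise ValueError("key type in blob does not match declared type")
    # SHA256 form: base64 of the digest with the '=' padding removed.
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    # MD5 form: colon-separated hex pairs.
    md5 = hashlib.md5(blob).hexdigest()
    md5 = ":".join(md5[i:i + 2] for i in range(0, 32, 2))
    return {"host": host, "type": key_type,
            "sha256": "SHA256:" + sha, "md5": "MD5:" + md5}


def matches_published(line: str, published: str = PUBLISHED_SHA256) -> bool:
    """True only if the key on this line hashes to the published fingerprint."""
    return fingerprints(line)["sha256"] == published


# Constructed sample: a fake RSA blob (NOT DocEvent's real key), laid out the
# way ssh-keyscan prints a host key line.
_fake_blob = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
              + _ssh_string(b"\x00" + bytes(range(1, 256)) + b"\x01"))
SAMPLE_LINE = ("sfs-ap-southeast-2.docevent.io ssh-rsa "
               + base64.b64encode(_fake_blob).decode())

if __name__ == "__main__":
    fp = fingerprints(SAMPLE_LINE)
    print(fp["sha256"], fp["md5"])
    # The fake key does not hash to the published value, so this is a mismatch.
    print("match" if matches_published(SAMPLE_LINE) else "MISMATCH: do not connect")
```

A key fetched over the network is only as trustworthy as the comparison: the published fingerprint must come from this page, not from the same connection being checked.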

How do I identify a man in the middle attack?

If for some reason the fingerprint has changed and no longer matches the fingerprint stored from your earlier connection, you will receive a message:

$ sftp uuid1234/username@sfs-ap-southeast-2.docevent.io
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:1ugNm50ITJ8CQOkw6JvDZc47KezXUg5DTZ7Y3H3mVsA.
Please contact your system administrator.

At this point you need to investigate further why you are receiving this message. There are a few possibilities, but it is generally because traffic is being routed to another server not owned by DocEvent.io. Some examples are:

  • DNS has been altered
  • Internet routing tables are modified

For more information, see the Wikipedia article on man-in-the-middle attacks.
