
The Problem(s):

  1. After hitting the login button, a Host Key Verification window shows up with host key info. (Not generated by me. Should this be happening by default?)

  2. For public key authentication, I tried generating a keypair from the client key manager and then exported the public key to my web server, and it said the key was invalid. (What are the things that could be wrong here?)

  3. If I generate or import a keypair, the Host Key Verification window does not show the one I generated. (This is where you are prompted to accept the fingerprint info.)

What I know:

  • It is bad to accept a host key without verifying that the fingerprints match, because bad actors could mess around with your system, such as sending a virus to your computer or stealing sensitive information.

  • I am assuming that this is dummy host key info from the software itself, maybe to ensure you have matching fingerprints.

  • The software is encouraging you to generate a host key as an added security measure other than a password, or you can just log in with just the host key.

  • If you click the help link on the software you will see:

Host key manager: Click this link to open Bitvise Host Key Management where you can review the SSH server host keys that you trust. The same host key settings will be used by all Bitvise SSH clients. Host keys are imported by connecting to an SSH server and accepting the host key in the Host Identification Confirmation dialog that appears.


  • Have you done any web searching trying to find this answer? What have you learned? Also, please note that the title of the question is not where the question goes, but is to be like an article or book title, telling us ABOUT the question; beginning your post with "Is this suppose (sp) to happen?" leads to a disjointed post. Perhaps consider EDITING your post to make a clearer description of your system, the problem you're experiencing, the specific details, and the research and things you've tried. Commented Mar 5 at 17:34
  • @music2myear I have edited to the best I can from your suggestions. Also, I tried getting support on this issue from Bitvise, but I would say they aren't very welcoming. So, continue to comment if I'm missing something or need to narrow the problem down further. Commented Mar 6 at 22:44

1 Answer


It sounds like you're confusing two different kinds of public keys in SSH.

There are host keys and there are user keys. They both use the same key format and the same algorithms, but they have completely opposite purposes: host keys are received from the server (like TLS certificates); user keys are the ones you send to the server (for user login purposes).

After hitting the login button, a Host Key Verification window shows up with host key info. (Not generated by me. Should this be happening by default?)

Yes, because this is the host key – it is received from the server, not sent by you to the server. Hence the name "host key".

(SSH servers indeed generate their host keys by default, without admin involvement. But that has nothing to do with your SSH client software.)

For public key authentication, I tried generating a keypair from the client key manager and then exported the public key to my web server, and it said the key was invalid. (What are the things that could be wrong here?)

There are several formats to represent the same key: the one-line "OpenSSH" format that you'd use in authorized_keys, the multi-line "SSH2" format, and even the "PEM" format on occasion. If the server expects an OpenSSH-format public key, you must select that format when exporting.

If I generate or import a keypair, the Host Key Verification window does not show the one I generated. (This is where you are prompted to accept the fingerprint info.)

You are generating user keys, but the "Host Key Verification" window is not about that at all. It is not meant to show you your own key (there is no point in verifying that); it shows you the key that identifies the server.

It is bad to accept a host key without verifying that the fingerprints match, because bad actors could mess around with your system, such as sending a virus to your computer or stealing sensitive information.

They cannot mess around with your system (assuming a non-buggy SSH client).

It is bad to accept a host key without verifying it for other reasons: it functions much like a TLS certificate in that it verifies which host you're connecting to. If you skip verification and you're connecting from an untrusted location, you might be connecting to an attacker's MITM host, which will happily steal your SSH password and everything else you send through that SSH connection.

I am assuming that this is dummy host key info from the software itself, maybe to ensure you have matching fingerprints.

No, it's not. It's real host key information from the server that you're connecting to.

The software is encouraging you to generate a host key as an added security measure other than a password, or you can just log in with just the host key.

Host keys have absolutely nothing to do with user logins. Logging in requires a user key: same concept, same algorithms, but the usage is the complete opposite. (Host keys let the client verify the server; user keys let the server verify the client.)

In most SSH servers, user keypairs work instead of a password. It is possible to require both a key and a password, but it's uncommon. (I know OpenSSH supports that; I believe Bitvise WinSSHd does too.)

  • Oh okay, I see. But the SHA256 fingerprint does not match. Commented Mar 20 at 23:53
  • Which fingerprint seen where doesn't match what? Commented Mar 21 at 4:55
  • The RSA host key fingerprint and the user fingerprint, both in SHA256 format, don't match. Commented Mar 21 at 10:02
  • They're not supposed to match, because the host key is not the user key; they're two different keys – that's what the entire post was about! Commented Mar 21 at 10:06
  • "SSH servers indeed generate their host keys by default, without admin involvement. But that has nothing to do with your SSH client software." --- As stated by you, I see. Commented Mar 21 at 10:19
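The following is an added example, not code from the original post or from Bitvise. Using only the Python standard library, it does the two things the answer describes: it converts a public key between the multi-line "SSH2" (RFC 4716) format and the one-line OpenSSH authorized_keys format (the mismatch behind a "key invalid" error), and it computes the SHA256 fingerprint that a host key dialog displays so that the presented host key can be compared with a fingerprint obtained out of band. Both keys, the comment strings and the hostname-style comment are constructed for the example; the Ed25519 key bytes are not real keys, and the fingerprints of the host key and the user key are shown side by side to make the point that they are not expected to match.

```python
"""Host key vs user key, and the two text formats for the same public key.

Added example, not code from the original post or from Bitvise; standard library
only. Both keys below are constructed Ed25519 public keys (host key bytes all
zero, user key bytes 0x01..0x20), not real keys.
"""
import base64
import hashlib
import hmac
import textwrap

RFC4716_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
RFC4716_END = "---- END SSH2 PUBLIC KEY ----"


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data


def ed25519_blob(pubkey: bytes) -> bytes:
    """Wire encoding of an Ed25519 public key: string 'ssh-ed25519', string key."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(pubkey)


def blob_key_type(blob: bytes) -> str:
    """The first SSH string of any public-key blob names the algorithm."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    n = int.from_bytes(blob[:4], "big")
    if n > len(blob) - 4:
        raise ValueError("malformed key blob")
    return blob[4:4 + n].decode("ascii")


def to_openssh_line(blob: bytes, comment: str = "") -> str:
    """One-line format used in authorized_keys: '<type> <base64> [comment]'."""
    line = f"{blob_key_type(blob)} {base64.b64encode(blob).decode('ascii')}"
    return f"{line} {comment}" if comment else line


def parse_openssh_line(line: str) -> bytes:
    """Inverse of to_openssh_line; a pasted RFC 4716 file raises ValueError ('key invalid')."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
        raise ValueError("not a one-line OpenSSH public key")
    blob = base64.b64decode(parts[1], validate=True)
    if blob_key_type(blob) != parts[0]:
        raise ValueError("key type prefix does not match the encoded blob")
    return blob


def to_rfc4716(blob: bytes, comment: str = "") -> str:
    """Multi-line 'SSH2' format (RFC 4716): headers, then base64 wrapped at 70."""
    lines = [RFC4716_BEGIN]
    if comment:
        lines.append(f'Comment: "{comment}"')
    lines += textwrap.wrap(base64.b64encode(blob).decode("ascii"), 70)
    lines.append(RFC4716_END)
    return "\n".join(lines) + "\n"


def parse_rfc4716(text: str) -> bytes:
    """Inverse of to_rfc4716. Header lines contain ':' and may continue with '\\'."""
    lines = [ln.rstrip() for ln in text.strip().splitlines()]
    if not lines or lines[0] != RFC4716_BEGIN or lines[-1] != RFC4716_END:
        raise ValueError("not an RFC 4716 public key")
    body, continued = [], False
    for ln in lines[1:-1]:
        if continued or ":" in ln:  # a header line, or the continuation of one
            continued = ln.endswith("\\")
            continue
        body.append(ln.strip())
    return base64.b64decode("".join(body), validate=True)


def sha256_fingerprint(blob: bytes) -> str:
    """What ssh-keygen -l and the host key dialog display: SHA256: + unpadded base64."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def host_key_matches(presented_blob: bytes, expected_fingerprint: str) -> bool:
    """The check the Host Key Verification dialog asks you to do by eye: the key the
    server sent must have the fingerprint you obtained out of band (from the admin)."""
    return hmac.compare_digest(sha256_fingerprint(presented_blob), expected_fingerprint)


# Constructed sample keys: one "server" host key, one "user" key made on the client.
HOST_BLOB = ed25519_blob(bytes(32))
USER_BLOB = ed25519_blob(bytes(range(1, 33)))
USER_KEY_SSH2 = to_rfc4716(USER_BLOB, "exported from the client key manager")


def demo() -> dict:
    """Convert the user key for authorized_keys; show host and user fingerprints differ."""
    user_line = to_openssh_line(parse_rfc4716(USER_KEY_SSH2), "user@laptop")
    return {
        "authorized_keys_line": user_line,
        "user_fingerprint": sha256_fingerprint(USER_BLOB),
        "host_fingerprint": sha256_fingerprint(HOST_BLOB),
        "host_matches_user": host_key_matches(HOST_BLOB, sha256_fingerprint(USER_BLOB)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `authorized_keys_line` value is what the web server wants pasted into authorized_keys; feeding the RFC 4716 text to `parse_openssh_line` instead raises `ValueError`, which is the shape of the "key invalid" complaint. `host_matches_user` is False by design: the only fingerprint a host key should be compared against is the one the server's administrator publishes for that host.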

