# Connect with OpenSSH

## How to Connect

    $ ssh username@example.com


Replace `username` and `example.com`.

When you first connect, OpenSSH will ask if you trust the server's fingerprints:

    The authenticity of host 'example.com (10.0.0.1)' can't be established.
    ED25519 key fingerprint is SHA256:ofE4jf8n0C+ULqWp4stgCK4+CmFiLl/ysc50azIEkVI.
    This key is not known by any other names
    Are you sure you want to continue connecting (yes/no/[fingerprint])? 


Make sure to first connect using another method to [record the ssh fingerprints](ssh/fingerprints). Or, if you are connecting to IRCNow's servers, check the list of [[published fingerprints](/ircnow/SSHFingerprints).
Make sure to first connect using another method to [record the ssh fingerprints](ssh/fingerprints). Or, if you are connecting to IRCNow's servers, check the list of [[published fingerprints](/ircnow/SSHFingerprints).

**WARNING**: If the fingerprints do not match, do **not** connect# Make sure to alert your sysadmin; sshd may be configured incorrectly, or even worse, there may be a [Man-In-The-Middle Attack](/MITM/intro).

## Check SSH Fingerprints

Serverse can put their SSH fingerprints in DNS using SSHFP records:

    $ ssh -o "VerifyHostKeyDNS ask" username@example.com
    The authenticity of host 'example.com (10.0.0.1)' can't be established.
    ED25519 key fingerprint is SHA256:ofE4jf8n0C+ULqWp4stgCK4+CmFiLl/ysc50azIEkVI.
    Matching host key fingerprint found in DNS.
    This key is not known by any other names
    Are you sure you want to continue connecting (yes/no/[fingerprint])?


Replace `username` and `example.com`.

If SSHFP is set correctly, you should see this line:

    Matching host key fingerprint found in DNS.


DNSSEC should be enabled for better security.

If the host key fingerprint does not match, you might want to reconsider connecting.