In order to prevent a [Man-In-The-Middle attack (MITM)](MITM/intro), SSH requires you to check the fingerprints of the server you connect to. Fingerprints for the IRCNOW network servers can be found [here](/Ircnow.SSHFingerprints), for example.

## Your SSH Fingerprints

When the SSH server is installed, it stores its keys in /etc/ssh. You can run this script to quickly get the SSH fingerprints for all your keys:

```
ssh-keygen -E md5 -lf /etc/ssh/ssh_host_dsa_key.pub
ssh-keygen -E md5 -lf /etc/ssh/ssh_host_ecdsa_key.pub
ssh-keygen -E md5 -lf /etc/ssh/ssh_host_ed25519_key.pub
ssh-keygen -E md5 -lf /etc/ssh/ssh_host_rsa_key.pub
ssh-keygen -lf /etc/ssh/ssh_host_dsa_key.pub
ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub
ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
```

The first four fingerprints use MD5 hashing, which is used by PuTTY. The last four use SHA256 hashing, which is used by [OpenSSH](/openssh/intro).

## Publish SSHFP

A convenient place to publish SSH fingerprints is in DNS using SSHFP records:

```
$ ssh-keygen -r example.com.
example.com IN SSHFP 1 1 7251d06cf5cf9312b502388edd93ff924c52a73a
example.com IN SSHFP 1 2 a0f433e68e5ba29f23825b21a23660d94a5b8a814cd71827fb75cfb4e84e4c49
example.com IN SSHFP 2 1 22ccda0cafee42f3e2cc53d5f695244677a1a88f
example.com IN SSHFP 2 2 88fbc099391d1e37330409978e68bdeebc50fe9bc41c5e2fd4a2d29ecde20409
example.com IN SSHFP 3 1 c9a19b42a7165596f0d0e5bfa947232978901dcb
example.com IN SSHFP 3 2 6a9facbb8693644063b1eee91cfce24ada5536ff52df98210fae3d350fffaf34
example.com IN SSHFP 4 1 4dc3d59ef28733c89f83e0e078b10a4a816e2a04
example.com IN SSHFP 4 2 a1f1388dff27d02f942ea5a9e2cb6008ae3e0a61622e5ff2b1ce746b32049152
```

Replace `example.com.` with your domain, making sure to include the final period for a [fully qualified domain name (FQDN)](dns/FQDN). `ssh-keygen` will generate all of your SSHFP records for you, which can then be added to your [nameserver's zone](/nsd/zone) files.

SSHFP records follow this format: [] [] SSHFP

| Keyword | Meaning |
|---|---|
| TTL | Time to live (seconds) |
| Protocol | IN for Internet |
| Algorithm | 0: reserved; 1: RSA; 2: DSA; 3: ECDSA; 4: Ed25519 |
| Type | Hash (0: reserved; 1: SHA-1; 2: SHA-256) |
| Fingerprint | Hexadecimal of hash |
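
The following added example (not part of the original page) shows how the Algorithm, Type and Fingerprint fields in the table above are derived from one line of a host key `.pub` file, and how the SSHFP SHA-256 value relates to the `SHA256:` fingerprint. The function names and the sample key are constructed for illustration; the sample key is a dummy value, not a real host key.

```python
import base64
import hashlib

# Numbers below are the Algorithm and Type values from the table above.
ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4}
HASH_TYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_pubkey(line):
    """Return (key_type, blob) from one line of a host key .pub file."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with a length-prefixed copy of the key type; a
    # mismatch means the line was edited or truncated.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return key_type, blob


def sshfp_records(fqdn, line):
    """Build the SHA-1 and SHA-256 SSHFP lines for one public key."""
    key_type, blob = parse_pubkey(line)
    alg = 3 if key_type.startswith("ecdsa-sha2-") else ALGORITHM[key_type]
    return [f"{fqdn} IN SSHFP {alg} {t} {h(blob).hexdigest()}"
            for t, h in sorted(HASH_TYPE.items())]


def openssh_fingerprint(line):
    """The SHA256:... string that ssh-keygen -lf shows for the same key."""
    digest = hashlib.sha256(parse_pubkey(line)[1]).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches_sshfp(line, record):
    """True if a published SSHFP record describes this public key."""
    wanted = [r.split()[-3:] for r in sshfp_records("x.", line)]
    return record.lower().split()[-3:] in wanted


# Constructed sample: an Ed25519-shaped blob holding a dummy 32-byte key.
_blob = ((11).to_bytes(4, "big") + b"ssh-ed25519"
         + (32).to_bytes(4, "big") + bytes(range(32)))
SAMPLE_PUB = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " constructed"

if __name__ == "__main__":
    print("\n".join(sshfp_records("example.com.", SAMPLE_PUB)))
    print(openssh_fingerprint(SAMPLE_PUB))
```

The SSHFP type 2 value and the `SHA256:` fingerprint are the same digest of the same key blob, written as hexadecimal in one case and unpadded base64 in the other, so either can be checked against the other.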