What kind of vulnerability it may have for known ssh-hostkey?

  • I saw there is NSE script in nmap that can retrieve the ssh-hostkey (RSA or DSA) from the target host.

    For example,

    22/tcp open  ssh
    |  ssh-hostkey: 2048 f0:58:ce:f4:aa:a4:59:1c:8e:dd:4d:07:44:c8:25:11 (RSA)

    Can anyone explain what could happen if we can get ssh-hostkey? Is it a kind of misconfiguration for ssh?

  • guntbert

    guntbert Correct answer

    6 years ago

    This script retrieves only the fingerprint of the public key (shown in your question) and on request the public key itself.

    Shows the target SSH server's key fingerprint and (with high enough verbosity level) the public key itself. It records the discovered host keys in nmap.registry for use by other scripts. Output can be controlled with the ssh_hostkey script argument.

    source nmap.org

    As the public key by definition is public this serves only informational purposes on the client and poses no vulnerability/security threat at all.

    The informational purposes I mentioned might be in the line of:

    • prepopulating the list of known host keys for a SSH/SCP-Client
    • checking if the host keys of servers have changed (to trigger an investigation about the reason, for instance)

    The fingerprint of a public key serves to identify that key (make it easier to recognize) because it might be difficult to see when the complete key (2048 bit = 256 characters) has been altered. The fingerprint (normally called a hash) will be completely different even if only a single bit has been changed.

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM