105

ssh-keygen generates the following output:

The key fingerprint is:
dd:e7:25:b3:e2:5b:d9:f0:25:28:9d:50:a2:c9:44:97 user@machine
The key's randomart image is:
+--[ RSA 2048]----+
|       .o o..    |
|       o +Eo     |
|        + .      |
|         . + o   |
|        S o = * o|
|           . o @.|
|            . = o|
|           . o   |
|            o.   |
+-----------------+

What is the purpose of this image, does it provide any value for the user? Note this is a client (user) key, not a host key.

derobert
  • 109,670
syntagma
  • 12,311
  • 14
    Try: http://superuser.com/questions/22535/what-is-randomart-produced-by-ssh-keygen – garethTheRed Jul 15 '14 at 21:25
  • Google is your friend : http://sanscourier.com/blog/2011/08/31/what-the-what-are-ssh-fingerprint-randomarts-and-why-should-i-care/ – Nidal Jul 15 '14 at 21:30
  • 3
    reopened since several regulars liked this Q and thought it would be a nice addition to the site. – slm Jul 15 '14 at 22:37
  • 4
    I think this is a good question. While the links above are interesting, neither of them address the question being asked. Both those links talk about the usefulness of the randomart for host keys, not why it is shown for user keys. – phemmer Jul 15 '14 at 22:38
  • 1
    Just an FYI, I sent this question off to the OpenSSH mailing list the other day. So far, crickets. http://lists.mindrot.org/pipermail/openssh-unix-dev/2014-July/032724.html – phemmer Jul 18 '14 at 04:23
  • The SU discussion that @garethTheRed linked is full info on the scenario(s) in which you would benefit from using this visualization. Human assessment of a MITM attack! – New Alexandria Oct 22 '15 at 20:52
  • 1
    @Networker - google brought me here. ;) – Gordon Bean Mar 25 '19 at 21:01

3 Answers

62

This was explained in this question: https://superuser.com/questions/22535/what-is-randomart-produced-by-ssh-keygen. It doesn't really have any use for the user generating the key, rather it's for ease of validation. Personally, would you rather look at this: (Please note this is a host key example)

2048 1b:b8:c2:f4:7b:b5:44:be:fa:64:d6:eb:e6:2f:b8:fa 192.168.1.84 (RSA)
2048 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48 gist.github.com,207.97.227.243 (RSA)
2048 a2:95:9a:aa:0a:3e:17:f4:ac:96:5b:13:3b:c8:0a:7c 192.168.2.17 (RSA)
2048 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48 github.com,207.97.227.239 (RSA)

Which, being a human, would take you a good while longer to verify, or this:

2048 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48 gist.github.com,207.97.227.243 (RSA)
+--[ RSA 2048]----+
|        .        |
|       + .       |
|      . B .      |
|     o * +       |
|    X * S        |
|   + O o . .     |
|    .   E . o    |
|       . . o     |
|        . .      |
+-----------------+
2048 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48 github.com,207.97.227.239 (RSA)
+--[ RSA 2048]----+
|        .        |
|       + .       |
|      . B .      |
|     o * +       |
|    X * S        |
|   + O o . .     |
|    .   E . o    |
|       . . o     |
|        . .      |
+-----------------+

Examples pulled from http://sanscourier.com/blog/2011/08/31/what-the-what-are-ssh-fingerprint-randomarts-and-why-should-i-care/

Essentially, the random art generated by the user's keys can also be used in the same sort of way. If the image generated initially is different from the current image of the key, for example if you had moved a key, then the key had likely been tampered with, corrupted, or replaced.

This, from the other question is a really good read: http://users.ece.cmu.edu/~adrian/projects/validation/validation.pdf

Torger597
  • 823
  • 1
    This does not answer the question. The information you are providing is about host keys. The question is asking about user keys. – phemmer Jul 16 '14 at 12:35
  • 8
    I'm afraid that I disagree, the question was: What is the purpose of this image, does it provide any value for the user? And I answered that essentially it has no value for the user generating said key. If I missed something or you'd like for me to add additional examples, etc, please let me know. I'm new here. – Torger597 Jul 16 '14 at 12:38
  • 1
    I agree, that is what was asked, about user keys, not host keys. – phemmer Jul 16 '14 at 12:40
  • 3
    I used host keys as an example, for the basic principle is there, though I will make up and add a user key example. Thank you for the input, Patrick. – Torger597 Jul 16 '14 at 12:42
14

There seems to be a lot of confusion on the difference between a host key, and a user key.

A host key is used to establish the identity of the remote host to you.
A user key is used to establish the identity of yourself to the remote host.
Since these keys are typically shown as just a sequence of characters, it can be difficult for a human to tell at a glance whether they have changed. This is the purpose of randomart. A small deviation in the key will cause a significantly different randomart image.

As for why you would care, it is important to verify the identity of the remote host, as it is possible that someone could intercept your traffic (MITM attack), and view/manipulate everything sent and received.

It is not important to verify yourself though. You don't need to confirm "yup, I'm me". Even if somehow your user key had changed, the remote server will either let you in, or it won't. Your connection is at no higher risk of eavesdropping.

So why then does ssh-keygen show the randomart image when you generate your user key?
Because when the randomart code was introduced to ssh-keygen [grunk@cvs.openbsd.org 2008/06/11 21:01:35], host keys and user keys were generated the exact same way. The extra information output may not be of any use for a user key, but it doesn't hurt (other than potentially causing confusion).

Now, when I said "when the randomart code was introduced", this was because the code has since changed. These days, most distros use ssh-keygen -A to generate host keys, which is a new feature. This feature generates numerous different types of keys (rsa, dsa, ecdsa), and it does not show a randomart image. The old method could still be used for generating host keys, but it generally isn't. So now the old method is only used for user keys, but the randomart feature remains.

phemmer
  • 71,831
  • 1
    You don't need to confirm "yup, I'm me". yes, although it would be a bit more precise to say "yup, I look like me". If you happen to have many keys, you might want to have the extra feedback to make sure you're using the right one. – Alois Mahdal Aug 17 '17 at 20:01
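As an added example (not OpenSSH's code and not part of any answer or comment above), here is the "drunken bishop" algorithm ssh-keygen uses to draw the randomart, reimplemented in Python. It renders the MD5-style, 16-byte fingerprint from the question with the header layout older ssh-keygen versions print (the `[ RSA 2048]` form shown above; newer versions default to SHA256 fingerprints and add the hash name to the bottom border, which this block does not reproduce). It then flips one bit of the fingerprint and counts how many cells of the picture change, which is the property phemmer's answer relies on when comparing a key's image over time. The helper names `walk`, `randomart`, `flip_bit` and `changed_cells` are this example's own, not OpenSSH identifiers.

```python
# Drunken-bishop randomart as produced by ssh-keygen, re-implemented for this
# page.  Added example; this is not OpenSSH's own code.

FLD_X, FLD_Y = 17, 9                  # the board is 17 columns by 9 rows
SYMBOLS = " .o+=*BOX@%&#/^SE"        # symbol index = visit count; 'S' start, 'E' end
MAX_VISITS = len(SYMBOLS) - 3         # counts saturate at '^' (index 14)

# The user-key fingerprint and image quoted in the question (MD5, 16 bytes).
QUESTION_FINGERPRINT = "dd:e7:25:b3:e2:5b:d9:f0:25:28:9d:50:a2:c9:44:97"
QUESTION_IMAGE = """+--[ RSA 2048]----+
|       .o o..    |
|       o +Eo     |
|        + .      |
|         . + o   |
|        S o = * o|
|           . o @.|
|            . = o|
|           . o   |
|            o.   |
+-----------------+"""


def walk(digest: bytes):
    """Move the bishop over the board; return (field, start, end) positions."""
    field = [[0] * FLD_X for _ in range(FLD_Y)]
    x, y = FLD_X // 2, FLD_Y // 2               # start in the centre
    start = (x, y)
    for byte in digest:
        for _ in range(4):                      # four 2-bit moves per byte, LSB first
            x += 1 if byte & 0x1 else -1        # bit 0: right / left
            y += 1 if byte & 0x2 else -1        # bit 1: down / up
            x = min(max(x, 0), FLD_X - 1)       # moves off the board are clamped
            y = min(max(y, 0), FLD_Y - 1)
            if field[y][x] < MAX_VISITS:
                field[y][x] += 1
            byte >>= 2
    return field, start, (x, y)


def randomart(fingerprint_hex: str, key_type: str = "RSA", bits: int = 2048) -> str:
    """Render the colon-separated hex fingerprint as the 19x11 ASCII picture."""
    digest = bytes.fromhex(fingerprint_hex.replace(":", ""))
    field, (sx, sy), (ex, ey) = walk(digest)
    field[sy][sx] = len(SYMBOLS) - 2            # 'S' marks the start square
    field[ey][ex] = len(SYMBOLS) - 1            # 'E' marks where the bishop stopped
    title = f"[{key_type:>4} {bits:>4}]"        # header layout of older ssh-keygen
    lines = ["+--" + title + "-" * (FLD_X - 2 - len(title)) + "+"]
    lines += ["|" + "".join(SYMBOLS[c] for c in row) + "|" for row in field]
    lines.append("+" + "-" * FLD_X + "+")
    return "\n".join(lines)


def flip_bit(fingerprint_hex: str, bit: int) -> str:
    """Return the fingerprint with one bit flipped (bit 0 = LSB of the first byte)."""
    raw = bytearray(bytes.fromhex(fingerprint_hex.replace(":", "")))
    raw[bit // 8] ^= 1 << (bit % 8)
    return ":".join(f"{b:02x}" for b in raw)


def changed_cells(image_a: str, image_b: str) -> int:
    """Count board cells whose symbol differs between two same-sized images."""
    rows_a = image_a.splitlines()[1:-1]         # drop the top and bottom borders
    rows_b = image_b.splitlines()[1:-1]
    return sum(ca != cb
               for ra, rb in zip(rows_a, rows_b)
               for ca, cb in zip(ra[1:-1], rb[1:-1]))   # strip the '|' edges


if __name__ == "__main__":
    original = randomart(QUESTION_FINGERPRINT)
    altered = randomart(flip_bit(QUESTION_FINGERPRINT, 0))
    print(original)
    print(altered)
    print("cells that differ after a one-bit change:", changed_cells(original, altered))
```

Running the block prints the question's image first, confirming that the picture is a pure function of the fingerprint bytes: two keys with the same fingerprint always draw the same art, and the second picture shows how far a single-bit difference propagates, because every later move starts from a shifted position. That is why the art is worth comparing for a host key you connect to repeatedly; it does nothing to tell you whether the key itself is good.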
3

https://medium.freecodecamp.com/the-geekiest-ugly-sweater-ever-34a2e591483f#.y1glvah8k

It turns out these randomart are quite useful. As jumbled as they may appear, they’re a lot easier for humans to differentiate between than long strings of hex code.

xgqfrms
  • 131