What does the RSA key fingerprint of a forwarded port represent?

use*_*531 1 ssh ssh-tunneling

My understanding of an RSA fingerprint is that it is basically a hash of a key.

My understanding of a forwarded port comes from the following section of man ssh:

 -R [bind_address:]port:host:hostport
         Specifies that the given port on the remote (server) host is to
         be forwarded to the given host and port on the local side.  This
         works by allocating a socket to listen to port on the remote
         side, and whenever a connection is made to this port, the
         connection is forwarded over the secure channel, and a connection
         is made to host port hostport from the local machine.

When I use ssh to connect to the forwarded port, what is the hashed RSA key fingerprint a fingerprint of? Using the same RSA authentication key on multiple machines will explain why I am asking.

Or, by example, what actually are the two fingerprints below?

  1. RSA key fingerprint is 94:21:d2:fc:70:2d:8d:bb:71:30:0f:4d:52:49:01:43.
  2. RSA key fingerprint is b2:5b:19:25:91:50:3c:45:73:c7:7e:4f:da:c3:f6:f3.

Getting the first fingerprint

Machine 1

sshtunnel@pi_one:~ $ ssh -R 2222:localhost:22 sshtunnel@192.168.1.10

Common machine

[sshtunnel@devserver ~]$ ssh -p 2222 sshtunnel@localhost
The authenticity of host '[localhost]:2222 ([::1]:2222)' can't be established.
RSA key fingerprint is 94:21:d2:fc:70:2d:8d:bb:71:30:0f:4d:52:49:01:43.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.

Getting the second fingerprint

Machine 2

sshtunnel@pi_two:~ $ ssh -R 2222:localhost:22 sshtunnel@192.168.1.10

Common machine

[sshtunnel@devserver ~]$ ssh -p 2222 sshtunnel@localhost
The authenticity of host '[localhost]:2222 ([::1]:2222)' can't be established.
RSA key fingerprint is b2:5b:19:25:91:50:3c:45:73:c7:7e:4f:da:c3:f6:f3.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
[sshtunnel@devserver ~]$

ilk*_*chu 5

The host's public keys are in /etc/ssh/ssh_host_*_key.pub

$ ssh localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is 60:6e:7a:10:85:a4:14:f1:37:44:88:17:29:67:b1:e1.
Are you sure you want to continue connecting (yes/no)? ^C

$ ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key
256 60:6e:7a:10:85:a4:14:f1:37:44:88:17:29:67:b1:e1 /etc/ssh/ssh_host_ecdsa_key.pub (ECDSA)

(Note that it does not matter if you ask ssh-keygen for the fingerprint of the private key (without the .pub extension); it automatically reads the corresponding public key.)

In your case it is the RSA key that is mentioned, so /etc/ssh/ssh_host_rsa_key.pub, and with port forwarding it is the key of the host that ssh ends up connecting to.

With newer versions of ssh-keygen, the default output is the base64-encoded SHA256 hash of the key. Adding the -E md5 option gives the hex-encoded MD5 hash (but note that there is now a prefix indicating the hash type):

$ ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub
256 SHA256:4+dfNAIjGq72HL9UeNEpne8J54yj/4wFpi+/4Bv7dhQ root@... (ECDSA)
$ ssh-keygen -Emd5 -l -f /etc/ssh/ssh_host_ecdsa_key.pub
256 MD5:3c:18:e7:9c:ee:e8:6a:38:7d:74:ef:2f:a5:51:ee:1a root@... (ECDSA)