dropbearkey question...

Ed Sutter ed.sutter at alcatel-lucent.com
Wed Apr 17 03:28:51 WST 2013


I'm confused, so I'd like to re-phrase my question (below) a bit...
Assume I start up a dropbear server on a machine (ignore my embedded case).
I do that with the following commands...

    dropbearkey -t dss -f dropbear_dss_host_key
    dropbearkey -t rsa -f dropbear_rsa_host_key
    dropbear -F -r dropbear_rsa_host_key -d dropbear_dss_host_key

Now I attempt to connect to this server using ssh and I get the message:

    The authenticity of host '135.222.138.20 (135.222.138.20)' can't be
    established.
    RSA key fingerprint is c5:36:7f:8c:c8:d6:d6:0c:53:45:61:76:f6:d0:91:4e.
    Are you sure you want to continue connecting (yes/no)?

Assume I want to be anal and want to verify that I'm *really* connecting to my server.
If I have access to the console of the machine running the server, then how do I verify that the fingerprint given to me by the client is in fact from the server that I assume I am connected to?

I *thought* I could use "dropbearkey -y dropbear_rsa_host_key" on the server, and it would give me that same fingerprint as is presented at the client in the warning message, but that gives me a different fingerprint.
What am I doing wrong here or why am I confused?

Ed


> Hi,
> I now have the dropbearkey code integrated into my embedded stuff.
> I assume the idea is to call this function each time the server starts up.
>
> Then each time the server starts, future client connections will reject the server connection until $HOME/.ssh/known_hosts is purged of that server's key information.
>
> Correct so far?
> Assuming yes...
>
> Then, the user of the client has to accept the new credentials based on
> the RSA key fingerprint from the server.  So, shouldn't the message that
> comes out of the client reflect the same fingerprint as that which was
> printed when the key was created on the server?
>
> (mine doesn't)
> Ed
>
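The check Ed is asking about is an out-of-band host key verification: compute the fingerprint of the server's public host key on the server console and compare it with the string the ssh client shows. The script below is an added example, not code from the post or from the dropbear project. It assumes the server's public key is available as a single OpenSSH-style line (`ssh-rsa AAAA... comment`), which is the format `dropbearkey -y` prints for the public-key portion; the sample key, its exponent and modulus, and the `sample@host` comment are constructed for the demonstration and are not a real host key. It derives both the legacy colon-separated MD5 fingerprint (the form in the client prompt on this page) and the `SHA256:` form that newer OpenSSH clients print, and compares a pasted client string with the server-side value after normalizing case and the optional `MD5:` prefix.

```python
import base64
import hashlib
import re
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """SSH wire 'mpint': big-endian two's complement; a leading zero byte is
    prepended when the top bit is set so the number is not read as negative."""
    if value == 0:
        return ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def build_rsa_pubkey_line(e: int, n: int, comment: str = "") -> str:
    """Encode (e, n) as an OpenSSH 'ssh-rsa' public-key line: the base64 blob is
    string("ssh-rsa") || mpint(e) || mpint(n), exactly what gets fingerprinted."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def pubkey_blob(line: str) -> bytes:
    """Extract and decode the base64 key blob from an OpenSSH public-key line.
    The trailing comment is ignored, so it never influences the fingerprint."""
    parts = line.split()
    if len(parts) < 2 or not parts[0].startswith("ssh-"):
        raise ValueError("not an OpenSSH public key line")
    return base64.b64decode(parts[1])


def fingerprint_md5(line: str) -> str:
    """Legacy fingerprint: MD5 of the key blob as 16 colon-separated hex bytes,
    the format shown in the client prompt quoted in the post."""
    digest = hashlib.md5(pubkey_blob(line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(line: str) -> str:
    """Modern fingerprint: 'SHA256:' plus unpadded base64 of SHA-256 of the blob."""
    digest = hashlib.sha256(pubkey_blob(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


FINGERPRINT_RE = re.compile(r"^(?:[0-9a-f]{2}:){15}[0-9a-f]{2}$")


def normalize(fp: str) -> str:
    """Normalize a fingerprint pasted from a client prompt: drop an optional
    'MD5:' prefix and surrounding whitespace, and lowercase the hex."""
    fp = fp.strip()
    if fp.upper().startswith("MD5:"):
        fp = fp[4:]
    return fp.lower()


def fingerprints_match(client_shown: str, server_computed: str) -> bool:
    """True only if the client-displayed and server-computed MD5 fingerprints
    are both well-formed and identical. A mismatch means do not answer 'yes'."""
    a, b = normalize(client_shown), normalize(server_computed)
    if not FINGERPRINT_RE.match(a) or not FINGERPRINT_RE.match(b):
        raise ValueError("fingerprint is not 16 colon-separated hex bytes")
    return a == b


# Constructed sample key parameters (NOT a real host key; far too small for use).
SAMPLE_E = 65537
SAMPLE_N = 0xD3C2B1A0F9E8D7C6B5A4938271605F4E  # top bit set: exercises the mpint zero pad

# The fingerprint string from the client prompt quoted in the post.
CLIENT_PROMPT_FP = "c5:36:7f:8c:c8:d6:d6:0c:53:45:61:76:f6:d0:91:4e"

if __name__ == "__main__":
    line = build_rsa_pubkey_line(SAMPLE_E, SAMPLE_N, "sample@host")
    server_fp = fingerprint_md5(line)
    print(line)
    print("server-side MD5   :", server_fp)
    print("server-side SHA256:", fingerprint_sha256(line))
    # The sample key is not the key behind the prompt on the page, so this is False.
    print("matches client prompt:", fingerprints_match(CLIENT_PROMPT_FP, server_fp))
```

Run it against the real public-key line from the server console instead of the constructed sample, and accept the client's prompt only when `fingerprints_match` returns True; a client that prints the `SHA256:` form is compared against `fingerprint_sha256` in the same way.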


