'The server's host key is unknown' warning

Overview

This article explains how to verify you're connecting to a DreamHost server and that your connection is secure. If you follow the steps in this article and the fingerprint values do not match what shows in your DreamHost panel, DO NOT CONNECT to the server. Contact DreamHost support so they may investigate why the fingerprints are different.

Every DreamHost server has several unique SSH keys assigned to it. These keys are used to identify the server and ensure your connection is safe and trusted. When you first use an SSH program or terminal to connect to your server, it checks the keys. Since they are not currently stored on your computer, you will see the following warning:

The server's host key is unknown. You have no guarantee that the server is the computer you think it is.

This article explains how to verify that the key you're seeing is correct. You can then continue to log into the server safely.

Verifying the fingerprint using an FTP client

The following examples must be run in an SSH terminal.

To confirm if this is the correct server, navigate to the SSH Keys page. On that page, you'll see your server along with its matching Fingerprints.

For example:

[Image: Panel server host keys]

Compare the two to confirm it's the same server. You can then accept the warning and log in normally.

Using SSH to verify the server's fingerprint

You can use SSH to verify the server's fingerprint using a few commands. Please note that some commands only work on specific versions of OpenSSH. To verify your current version, run the following command:

[server]$ ssh -V

This responds with the version number. There are a few commands that do NOT work if the version is lower than 6.8.

The following examples are going to use the fingerprints from the shared server named batroc:

[Image: Panel SSH keys fingerprints]

Using OpenSSH version 7.6p1

A commonly used option is FingerprintHash, which selects the hash algorithm (MD5 or SHA256) used to display the fingerprint.

Check the RSA (MD5) fingerprint

[server]$ ssh -o HostKeyAlgorithms=ssh-rsa -o FingerprintHash=md5 batroc.dreamhost.com
The authenticity of host 'batroc.dreamhost.com (67.205.12.21)' can't be established.
RSA key fingerprint is MD5:a1:85:cc:7b:06:c9:14:f3:a8:38:7a:95:76:f1:17:eb.

Check the RSA (SHA256) fingerprint

[server]$ ssh -o HostKeyAlgorithms=ssh-rsa -o FingerprintHash=sha256 batroc.dreamhost.com
The authenticity of host 'batroc.dreamhost.com (67.205.12.21)' can't be established.
RSA key fingerprint is SHA256:mYNdKXseiTyZVeIdXNqy8rJTfrKnBo2QG1XK9DdUSYc.

Check the ECDSA (MD5) fingerprint

[server]$ ssh -o HostKeyAlgorithms=ecdsa-sha2-nistp256 -o FingerprintHash=md5 batroc.dreamhost.com
The authenticity of host 'batroc.dreamhost.com (67.205.12.21)' can't be established.
ECDSA key fingerprint is MD5:08:88:80:ff:e8:dd:4a:4f:6b:3a:64:cf:8c:84:f2:13.

Check the ECDSA (SHA256) fingerprint

[server]$ ssh -o HostKeyAlgorithms=ecdsa-sha2-nistp256 -o FingerprintHash=sha256 batroc.dreamhost.com
The authenticity of host 'batroc.dreamhost.com (67.205.12.21)' can't be established.
ECDSA key fingerprint is SHA256:ijqWGQW20bkvOViujUO5PRknle09aDPUjh25u60T7eQ.

Check the ED25519 (MD5) fingerprint

[server]$ ssh -o HostKeyAlgorithms=ssh-ed25519 -o FingerprintHash=md5 batroc.dreamhost.com
The authenticity of host 'batroc.dreamhost.com (67.205.12.21)' can't be established.
ED25519 key fingerprint is MD5:c9:aa:b8:02:0c:ca:46:59:63:17:16:0a:7c:26:c6:24.

Check the ED25519 (SHA256) fingerprint

[server]$ ssh -o HostKeyAlgorithms=ssh-ed25519 -o FingerprintHash=sha256 batroc.dreamhost.com
The authenticity of host 'batroc.dreamhost.com (67.205.12.21)' can't be established.
ED25519 key fingerprint is SHA256:q3JfuvuldJy5u/ETWHW7HBQ3Zqn763z/CWlumFuOH3s.

Using OpenSSH lower than 6.8

As mentioned above, the 'FingerprintHash' option does not work on OpenSSH versions lower than 6.8. However, you can run ssh-keyscan to download the public key, then check its fingerprints.

First, download the public key from the server.

Depending on the version of OpenSSH you're using, only certain keys will be downloaded. Versions lower than 6.8 will default to MD5.

[server]$ ssh-keyscan batroc.dreamhost.com > batrockeys.pub

You can now check the keys in that file for their fingerprints. Only the fingerprints of the keys you downloaded will display. This prints the RSA (MD5) and ECDSA (MD5) fingerprints.

[server]$ ssh-keygen -l -f batrockeys.pub
2048 a1:85:cc:7b:06:c9:14:f3:a8:38:7a:95:76:f1:17:eb batroc.dreamhost.com (RSA)
256 08:88:80:ff:e8:dd:4a:4f:6b:3a:64:cf:8c:84:f2:13 batroc.dreamhost.com (ECDSA)
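The comparison against the panel can also be scripted instead of done by eye. The following is an added example, not DreamHost's own tooling: the function names and the "TYPE FINGERPRINT" panel list format are assumptions, and the sample data is the batroc output shown in this article. It accepts both the bare MD5 format printed by OpenSSH lower than 6.8 and the prefixed MD5:/SHA256: format of newer versions.

```shell
#!/bin/sh
# Added example (not DreamHost code): compare `ssh-keygen -l` output with panel values.

# OpenSSH older than 6.8 prints a bare MD5 fingerprint; newer versions prefix
# it with "MD5:" or "SHA256:". Normalize both to the prefixed form.
normalize_fp() {
    case "$1" in
        MD5:*|SHA256:*) printf '%s\n' "$1" ;;
        *)              printf 'MD5:%s\n' "$1" ;;
    esac
}

# check_fingerprints PANEL KEYGEN_OUTPUT
#   PANEL:         "TYPE FINGERPRINT" per line (assumed format, typed from the panel)
#   KEYGEN_OUTPUT: lines printed by `ssh-keygen -l -f batrockeys.pub`
# Returns 0 if every scanned key matches, 1 on any mismatch, 2 if no key was read.
check_fingerprints() {
    panel=$1; rc=0; seen=0
    while read -r bits fp rest; do
        [ -n "$fp" ] || continue
        seen=1
        ktype=$(printf '%s' "${rest##* }" | tr -d '()')   # "(RSA)" -> "RSA"
        fp=$(normalize_fp "$fp")
        if printf '%s\n' "$panel" | grep -qxF -- "$ktype $fp"; then
            echo "OK       $ktype $fp"
        else
            echo "MISMATCH $ktype $fp (do not connect)" >&2
            rc=1
        fi
    done <<EOF
$2
EOF
    [ "$seen" -eq 1 ] || return 2   # nothing scanned is not a pass
    return "$rc"
}

# Sample data: the batroc fingerprints and ssh-keygen output shown in this article.
PANEL='RSA MD5:a1:85:cc:7b:06:c9:14:f3:a8:38:7a:95:76:f1:17:eb
RSA SHA256:mYNdKXseiTyZVeIdXNqy8rJTfrKnBo2QG1XK9DdUSYc
ECDSA MD5:08:88:80:ff:e8:dd:4a:4f:6b:3a:64:cf:8c:84:f2:13
ECDSA SHA256:ijqWGQW20bkvOViujUO5PRknle09aDPUjh25u60T7eQ'
SCANNED='2048 a1:85:cc:7b:06:c9:14:f3:a8:38:7a:95:76:f1:17:eb batroc.dreamhost.com (RSA)
256 08:88:80:ff:e8:dd:4a:4f:6b:3a:64:cf:8c:84:f2:13 batroc.dreamhost.com (ECDSA)'

check_fingerprints "$PANEL" "$SCANNED"
```

In real use, pass the text from the panel as the first argument and "$(ssh-keygen -l -f batrockeys.pub)" as the second; any non-zero exit status means the keys were not confirmed.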
