The server's host key is unknown

This article explains how to verify you're connecting to a DreamHost server and that your connection is secure. If you follow the steps in this article and the fingerprint values do not match what shows in your DreamHost panel, DO NOT CONNECT to the server. Contact DreamHost support so they may investigate why the fingerprints are different.

Verifying the fingerprint using an FTP client

The following examples must be run in an SSH terminal. View the following articles for further information:

When you originally log into a DreamHost server, you may see the following warning:

The server's host key is unknown. You have no guarantee that the server is the computer you think it is.

To confirm if this is the correct server, navigate to the SSH Keys page. On that page, you'll see your server along with its matching Fingerprints. 

Compare the two to confirm it's the same server. You can then accept the warning and log in normally.

Using SSH to verify the server's fingerprint

You can use SSH to verify the server's fingerprint using a few commands. Please note that some commands only work on specific versions of OpenSSH. To verify your current version, run the following command:

[server]$ ssh -V

This responds with the version number. There are a few commands that do NOT work if the version is lower than 6.8.

The following examples are going to use the fingerprints from the Shared server named batroc:

Using OpenSSH version 7.6p1

A commonly used ssh option is FingerprintHash, which selects the hash algorithm used to display the key fingerprint.

Check the RSA (MD5) fingerprint

[server]$ ssh -o HostKeyAlgorithms=ssh-rsa -o FingerprintHash=md5 batroc.dreamhost.com
The authenticity of host 'batroc.dreamhost.com (67.205.12.21)' can't be established.
RSA key fingerprint is MD5:a1:85:cc:7b:06:c9:14:f3:a8:38:7a:95:76:f1:17:eb.

Check the RSA (SHA256) fingerprint

[server]$ ssh -o HostKeyAlgorithms=ssh-rsa -o FingerprintHash=sha256 batroc.dreamhost.com
The authenticity of host 'batroc.dreamhost.com (67.205.12.21)' can't be established.
RSA key fingerprint is SHA256:mYNdKXseiTyZVeIdXNqy8rJTfrKnBo2QG1XK9DdUSYc.

Check the ECDSA (MD5) fingerprint

[server]$ ssh -o HostKeyAlgorithms=ecdsa-sha2-nistp256 -o FingerprintHash=md5 batroc.dreamhost.com
The authenticity of host 'batroc.dreamhost.com (67.205.12.21)' can't be established.
ECDSA key fingerprint is MD5:08:88:80:ff:e8:dd:4a:4f:6b:3a:64:cf:8c:84:f2:13.

Check the ECDSA (SHA256) fingerprint

[server]$ ssh -o HostKeyAlgorithms=ecdsa-sha2-nistp256 -o FingerprintHash=sha256 batroc.dreamhost.com
The authenticity of host 'batroc.dreamhost.com (67.205.12.21)' can't be established.
ECDSA key fingerprint is SHA256:ijqWGQW20bkvOViujUO5PRknle09aDPUjh25u60T7eQ.

Check the ED25519 (MD5) fingerprint

[server]$ ssh -o HostKeyAlgorithms=ssh-ed25519 -o FingerprintHash=md5 batroc.dreamhost.com
The authenticity of host 'batroc.dreamhost.com (67.205.12.21)' can't be established.
ED25519 key fingerprint is MD5:c9:aa:b8:02:0c:ca:46:59:63:17:16:0a:7c:26:c6:24.

Check the ED25519 (SHA256) fingerprint

[server]$ ssh -o HostKeyAlgorithms=ssh-ed25519 -o FingerprintHash=sha256 batroc.dreamhost.com
The authenticity of host 'batroc.dreamhost.com (67.205.12.21)' can't be established.
ED25519 key fingerprint is SHA256:q3JfuvuldJy5u/ETWHW7HBQ3Zqn763z/CWlumFuOH3s.

Using OpenSSH lower than 6.8

As mentioned above, the 'FingerprintHash' option does not work on OpenSSH versions lower than 6.8. However, you can run ssh-keyscan to download the server's public keys, then check their fingerprints.

First, download the public key from the server.

Depending on the version of OpenSSH you're using, only certain keys will be downloaded. Versions lower than 6.8 will default to MD5.

[server]$ ssh-keyscan batroc.dreamhost.com > batrockeys.pub

You can now check the keys in that file for their fingerprints. Only the fingerprints of the keys you downloaded will display. This prints the RSA (MD5) and ECDSA (MD5) fingerprints.

[server]$ ssh-keygen -l -f batrockeys.pub
2048 a1:85:cc:7b:06:c9:14:f3:a8:38:7a:95:76:f1:17:eb batroc.dreamhost.com (RSA)
256 08:88:80:ff:e8:dd:4a:4f:6b:3a:64:cf:8c:84:f2:13 batroc.dreamhost.com (ECDSA)

Generate a hash of a different key

As stated above, only certain keys will download based on the version of OpenSSH you're using. However, you can generate a hash of a different key if needed.

Generate an RSA (SHA256) hash based on the RSA (MD5) key

This assumes that when you run ssh-keyscan, only the MD5 keys are downloaded. Use 'cat' to view the keys:

[server]$ cat batrockeys.pub
batroc.dreamhost.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFc4bKkZW+0bb+UYtDZwH/IAT5V4ybLlJWJ4cp7Ny3c4767aQheZr5ifcAEc+itEqnGPWIQ/qxbKZnw6F5dBXggbx+KIZX7JXDfJqNkFuVz3mKsvKxu0qGw2/b40dRiUe0+cAxamR73YNpCeCZuo515lJCw4eVo3BJtnHetT/yF9xtdGPQm334yDHunEtUgKFzqyEDEolFtL5FZcPP137RgfMdp+BWQj8tOiodmcUlA1kEhkN63JRcSsSJhd1FFAA4PoiyvsPm+PGUCIFwzKW13SXEIi0GQ2J8Rl3YW7B/H1HXCDGfT75T1OhP3mGN3H8Es9ieq/1kKTyzscq6C30z
batroc.dreamhost.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDIXGPnE5gz3j8vzl8LeboCFAkcZ0L76ld5Y4knIghV+tTxOrUW2M3m6bN3qNJK9U8oJLiTafotQ/Js4JUTY8L8=

You can see that there are two keys in this file. The command below expects a single key, so open the file and delete the second line so that only one line, holding a single key, is left.

You can now run the following command to generate a SHA256 hash based on that single key.

[server]$ awk '{print $3}' batrockeys.pub | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64
mYNdKXseiTyZVeIdXNqy8rJTfrKnBo2QG1XK9DdUSYc=

As you can see, this prints out the RSA (SHA256) fingerprint. It is the same value ssh displayed earlier, except that ssh omits the trailing = padding character. If you had deleted the first key instead, the output would show the ECDSA (SHA256) fingerprint.

[server]$ awk '{print $3}' batrockeys.pub | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64
ijqWGQW20bkvOViujUO5PRknle09aDPUjh25u60T7eQ=
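
The awk pipeline above, generalized so that no lines need to be deleted from the file: this added Python example (not DreamHost's code) computes the MD5 and SHA256 fingerprints of every key in ssh-keyscan output and compares one of them with the value shown in the panel. The function names, the host name host.example and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

# Constructed sample, not a real host key: an ssh-ed25519 blob whose
# 32 key bytes are 0x00..0x1f, laid out as one ssh-keyscan output line.
SAMPLE_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519"
               + struct.pack(">I", 32) + bytes(range(32)))
SAMPLE_SCAN = ("host.example ssh-ed25519 "
               + base64.b64encode(SAMPLE_BLOB).decode() + "\n")

def fingerprints(scan_text):
    """Map key type -> MD5 and SHA256 fingerprints for every key line."""
    result = {}
    for line in scan_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith("#"):
            continue  # blank lines and comments
        key_type, blob = fields[1], base64.b64decode(fields[2], validate=True)
        # The blob begins with a length-prefixed copy of the key type;
        # a mismatch means the line was edited or damaged.
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n] != key_type.encode():
            raise ValueError("key type does not match blob: " + key_type)
        md5 = hashlib.md5(blob).hexdigest()
        sha = base64.b64encode(hashlib.sha256(blob).digest()).decode()
        result[key_type] = {
            "md5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha.rstrip("="),  # ssh omits the padding
        }
    return result

def normalize(fp):
    """Accept the ssh, old ssh-keygen and awk-pipeline spellings."""
    fp = fp.strip()
    for prefix in ("SHA256:", "MD5:"):
        if fp.upper().startswith(prefix):
            fp = fp[len(prefix):]
    if fp.count(":") == 15:  # 16 colon-separated hex pairs: MD5
        return "MD5:" + fp.lower()
    return "SHA256:" + fp.rstrip("=")

def matches(scan_text, key_type, expected):
    """True only if the scanned key of key_type has the expected fingerprint."""
    found = fingerprints(scan_text).get(key_type)
    want = normalize(expected)
    return found is not None and want in (found["md5"], found["sha256"])
```

To use it, pass the contents of batrockeys.pub as scan_text and the fingerprint copied from the SSH Keys page as expected; a False result means the fingerprints differ.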
