What's the purpose of the randomart image for user (not host) SSH keys?

ssh-keygen generates the following output:

The key fingerprint is:
dd:e7:25:b3:e2:5b:d9:f0:25:28:9d:50:a2:c9:44:97 user@machine
The key's randomart image is:
+--[ RSA 2048]----+
|       .o o..    |
|       o +Eo     |
|        + .      |
|         . + o   |
|        S o = * o|
|           . o @.|
|            . = o|
|           . o   |
|            o.   |
+-----------------+

What is the purpose of this image, does it provide any value for the user? Note this is a client (user) key, not a host key.

Asked By: syntagma


This was explained in this question: https://superuser.com/questions/22535/what-is-randomart-produced-by-ssh-keygen.
It doesn’t really have any use for the user generating the key; rather, it’s for ease of validation. Personally, would you rather look at this (please note this is a host key example):

2048 1b:b8:c2:f4:7b:b5:44:be:fa:64:d6:eb:e6:2f:b8:fa 192.168.1.84 (RSA)
2048 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48 gist.github.com,207.97.227.243 (RSA)
2048 a2:95:9a:aa:0a:3e:17:f4:ac:96:5b:13:3b:c8:0a:7c 192.168.2.17 (RSA)
2048 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48 github.com,207.97.227.239 (RSA)

Which, being a human, would take you a good while longer to verify, or this:

2048 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48 gist.github.com,207.97.227.243 (RSA)
+--[ RSA 2048]----+
|        .        |
|       + .       |
|      . B .      |
|     o * +       |
|    X * S        |
|   + O o . .     |
|    .   E . o    |
|       . . o     |
|        . .      |
+-----------------+
2048 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48 github.com,207.97.227.239 (RSA)
+--[ RSA 2048]----+
|        .        |
|       + .       |
|      . B .      |
|     o * +       |
|    X * S        |
|   + O o . .     |
|    .   E . o    |
|       . . o     |
|        . .      |
+-----------------+

Examples pulled from http://sanscourier.com/blog/2011/08/31/what-the-what-are-ssh-fingerprint-randomarts-and-why-should-i-care/

Essentially, the random art generated by the user’s keys can also be used in the same sort of way. If the image generated initially is different from the current image of the key, for example if you had moved a key, then the key had likely been tampered with, corrupted, or replaced.

This, from the other question is a really good read:
http://users.ece.cmu.edu/~adrian/projects/validation/validation.pdf

Answered By: Torger597

There seems to be a lot of confusion on the difference between a host key, and a user key.

A host key is used to establish the identity of the remote host to you.
A user key is used to establish the identity of yourself to the remote host.
Since these keys are typically shown as just a sequence of characters, it can be difficult for a human to tell at a glance whether they have changed. This is the purpose of randomart. A small deviation in the key will cause a significantly different randomart image.

As for why you would care, it is important to verify the identity of the remote host, as it is possible that someone could intercept your traffic (MITM attack), and view/manipulate everything sent and received.

It is not important to verify yourself though. You don’t need to confirm “yup, I’m me”. Even if somehow your user key had changed, the remote server will either let you in, or it won't. Your connection is at no higher risk of eavesdropping.


So why then does ssh-keygen show the randomart image when you generate your user key?
Because when the randomart code was introduced to ssh-keygen [grunk@cvs.openbsd.org 2008/06/11 21:01:35], host keys and user keys were generated the exact same way. The extra information output may not be of any use for a user key, but it doesn’t hurt (other than potentially causing confusion).

Now, when I said “when the randomart code was introduced”, this was because the code has since changed. These days, most distros use ssh-keygen -A to generate host keys, which is a new feature. This feature generates numerous different types of keys (rsa, dsa, ecdsa), and it does not show a randomart image. The old method could still be used for generating host keys, but it generally isn’t. So now the old method is only used for user keys, but the randomart feature remains.

Answered By: phemmer
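
To make the "small deviation in the key gives a different picture" point from the two answers above concrete, here is the drunken-bishop walk that ssh-keygen uses to draw the image, as an added Python example (not code from any of the answers, and not OpenSSH's own implementation). It assumes the colon-separated MD5 hex fingerprint shown in the question, and the frame label mimics the older "+--[ RSA 2048]----+" style on this page; current OpenSSH releases fingerprint with SHA-256 and label the frame differently, but the walk itself is the same. The 0x96 variant in the main block is a constructed one-bit change, not a real key.

```python
"""Drunken-bishop randomart, the algorithm behind ssh-keygen's picture.

Added example: reproduces the image from the question above and shows what a
one-bit change in the fingerprint does to it.  Frame label follows the older
"+--[ RSA 2048]----+" style seen on this page (assumption).
"""

FIELD_W, FIELD_H = 17, 9          # OpenSSH field: 2*8+1 columns, 8+1 rows
SYMBOLS = " .o+=*BOX@%&#/^"       # glyph for a visit count of 0..14
START, END = "S", "E"             # overwrite start and end squares at the end


def fingerprint_bytes(fp: str) -> bytes:
    """'dd:e7:25:...' (colon-separated hex fingerprint) -> raw digest bytes."""
    return bytes.fromhex(fp.replace(":", ""))


def walk(digest: bytes):
    """Move the bishop over the field; return (visit counts, final x, final y).

    Each digest byte carries four 2-bit moves, consumed least significant pair
    first.  Bit 0 picks right (1) or left (0); bit 1 picks down (1) or up (0).
    The bishop is clamped at the walls, so near an edge it can slide along it.
    """
    field = [[0] * FIELD_W for _ in range(FIELD_H)]
    x, y = FIELD_W // 2, FIELD_H // 2                 # start in the centre
    for byte in digest:
        for _ in range(4):
            x += 1 if byte & 0x1 else -1
            y += 1 if byte & 0x2 else -1
            x = min(max(x, 0), FIELD_W - 1)
            y = min(max(y, 0), FIELD_H - 1)
            if field[y][x] < len(SYMBOLS) - 1:        # saturate at the last glyph
                field[y][x] += 1
            byte >>= 2
    return field, x, y


def randomart(fp: str, key_type: str = "RSA", bits: int = 2048) -> str:
    """Render the 19x11 ASCII frame exactly as the question's ssh-keygen did."""
    field, x, y = walk(fingerprint_bytes(fp))
    rows = [[SYMBOLS[count] for count in row] for row in field]
    rows[FIELD_H // 2][FIELD_W // 2] = START
    rows[y][x] = END                                   # where the walk stopped
    header = ("+--[%4s %4d]" % (key_type, bits)).ljust(FIELD_W + 1, "-") + "+"
    footer = "+" + "-" * FIELD_W + "+"
    return "\n".join([header] + ["|" + "".join(r) + "|" for r in rows] + [footer])


if __name__ == "__main__":
    original = "dd:e7:25:b3:e2:5b:d9:f0:25:28:9d:50:a2:c9:44:97"   # from the question
    one_bit_off = original[:-2] + "96"                              # constructed: last byte 0x97 -> 0x96
    print(randomart(original))
    print()
    print(randomart(one_bit_off))
    print()
    print("images differ:", randomart(original) != randomart(one_bit_off))
```

Running it reproduces the image from the question, with the bishop ending on the "E" in the second row. Flipping the lowest bit of the last byte changes only the final four moves, yet the endpoint and the glyph counts along that tail move, so the two pictures are visibly different; a change earlier in the fingerprint reroutes everything after it. Note that the picture is derived entirely from the fingerprint: it is a readability aid for comparing fingerprints, not an extra check beyond them.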

https://medium.freecodecamp.com/the-geekiest-ugly-sweater-ever-34a2e591483f#.y1glvah8k

It turns out these randomart are quite useful. As jumbled as they may appear, they’re a lot easier for humans to differentiate between than long strings of hex code.

Answered By: xgqfrms