SSH/PuTTY question

[davel]

I have recently got my first VPS account and am confusing about logging into the SSH.

I am using PuTTY on Windows to connect to my Linux VPS. The PuTTY documentation says
"Whether or not to trust the host key is your choice. If you are connecting within a company network, you might feel that all the network users are on the same side and spoofing attacks are unlikely, so you might choose to trust the key without checking it. If you are connecting across a hostile network (such as the Internet), you should check with your system administrator, perhaps by telephone or in person. (Some modern servers have more than one host key. If the system administrator sends you more than one fingerprint, you should make sure the one PuTTY shows you is on the list, but it doesn't matter which one it is.)
"

When I connect to my VPS's IP address I get a message in PuTTY "The server's host key is not cached in the registry. There is no guarantee that the server is the computer that you think it is. The server's rsa-2 fingerprint key is ..... Do you trust this host?"

I want to know what my server's rsa2-fingerprint is before I click Yes to trust it. I asked LiveSupport but they guy said just to trust it. This seems to defeat the purpose of SSH . I haven't validated the identity of the computer I am talking to. How can I trust it? It might be conducting a Man In The Middle attack.

Can someone tell me if I can get the fingerprint in advance to compare it to?

A url which I cannot add as I have not made five posts (search on google for PuTTY "if you trust this host" umanitoba ), for example, gives the fingerprint of their server to compare to for their PuTTY users, so I don't see why my server should be any different.
Thanks
dave.

[Rock]

Dave,

When you try to login to a server using PuTTY, for the first time from a Linux machine, you're sure to get the following dialog box:

# ssh user@example.com
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)? yes
Host 'example.com' added to the list of known hosts.
user@example.com's password: *******

The login will continue just as it would have if a session was created using rlogin or telnet. SSH utilizes a key fingerprint system for verifying the authenticity of the server when the client connects. The user is prompted to enter yes only when connecting for the first time. Future attempts to login are all verified against the saved fingerprint key. The SSH client will alert you if the saved fingerprint differs from the received fingerprint on future login attempts. The fingerprints are saved in ~/.ssh/known_hosts, or ~/.ssh/known_hosts2 for SSH v2 fingerprints.

As you're using a Windows machine to connect to your server, in that case all the Ssh Host Keys or fingerprints are stored in the following location in the registry: [HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHo stKeys]

Once you click on 'Yes' an entry of new Ssh Host Keys or fingerprint is created & stored in the above mentioned location every time you login for the first time.

By default, recent versions of the SSH servers only accept SSH v2 connections. The client will use version 2 if possible and will fall back to version 1. The client can also be forced to use one or the other by passing it the -1 or -2 for version 1 or version 2, respectively. The version 1 compatibility is maintained in the client for backwards compatibility with older versions.

Regarding the Man-in-the-Middle attack you mentioned, if the first connection and host key exchange between a client [you] and a particular host [your VPS] is compromised, the MITM attack fools both the client and server into thinking that they are communicating directly with one another when, in fact, an attacker is actually intercepting all traffic between the two. Secure Shell protects against MITM attacks through server host authentication, unless the host itself has been compromised.

In the end, I'd like to tell you that 'Nothing is 100% secure', & someone has rightly said that "You cannot keep things absolutely safe, the lesson to be learned here is everything can be hacked into; it's just a matter of time." The best way to combat this is with encryption. Encryption works when two people communicating have special keys, or passwords. Encrypted data transaction is "scrambled," and the only way for anyone else to read it is to have the "matching" key. RSA encryption being the best between them, or either way use PuTTYGen to generates an RSA public/private key pair.
Please refer this link for more details: cs.uwaterloo.ca/cscf/howto/ssh/public_key