- grunk@cvs.openbsd.org 2008/06/13 20:13:26

     [ssh.1]
     Explain the use of SSH fpr visualization using random art, and cite the
     original scientific paper inspiring that technique.
     Much help with English and nroff by jmc@, thanks.

2 files changed, 40 insertions, 6 deletions

diff --git a/ChangeLog b/ChangeLog
index 7279a819f..7f027d95f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -18,6 +18,11 @@
    - dtucker@cvs.openbsd.org 2008/06/13 18:55:22
      [scp.c]
      Prevent -Wsign-compare warnings on LP64 systems.  bz #1192, ok deraadt@
+   - grunk@cvs.openbsd.org 2008/06/13 20:13:26
+     [ssh.1]
+     Explain the use of SSH fpr visualization using random art, and cite the
+     original scientific paper inspiring that technique.
+     Much help with English and nroff by jmc@, thanks.
 
 20080612
  - (dtucker) OpenBSD CVS Sync
@@ -4356,4 +4361,4 @@
    OpenServer 6 and add osr5bigcrypt support so when someone migrates
    passwords between UnixWare and OpenServer they will still work. OK dtucker@
 
-$Id: ChangeLog,v 1.5008 2008/06/13 23:02:25 dtucker Exp $
+$Id: ChangeLog,v 1.5009 2008/06/13 23:04:26 dtucker Exp $
diff --git a/ssh.1 b/ssh.1
index e191bf04e..e975dae01 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.273 2008/02/11 07:58:28 jmc Exp $
-.Dd $Mdocdate: February 11 2008 $
+.\" $OpenBSD: ssh.1,v 1.274 2008/06/13 20:13:26 grunk Exp $
+.Dd $Mdocdate: June 13 2008 
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -1027,9 +1027,31 @@ Fingerprints can be determined using
 .Pp
 .Dl $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
 .Pp
-If the fingerprint is already known,
-it can be matched and verified,
-and the key can be accepted.
+If the fingerprint is already known, it can be matched
+and the key can be accepted or rejected.
+Because of the difficulty of comparing host keys
+just by looking at hex strings,
+there is also support to compare host keys visually,
+using
+.Em random art .
+By setting the
+.Cm CheckHostIP
+option to
+.Dq fingerprint ,
+a small ASCII graphic gets displayed on every login to a server, no matter
+if the session itself is interactive or not.
+By learning the pattern a known server produces, a user can easily
+find out that the host key has changed when a completely different pattern
+is displayed.
+Because these patterns are not unambiguous however, a pattern that looks
+similar to the pattern remembered only gives a good probability that the
+host key is the same, not guaranteed proof.
+.Pp
+To get a listing of the fingerprints along with their random art for
+all known hosts, the following command line can be used:
+.Pp
+.Dl $ ssh-keygen -lv -f ~/.ssh/known_hosts
+.Pp
 If the fingerprint is unknown,
 an alternative method of verification is available:
 SSH fingerprints verified by DNS.
@@ -1433,6 +1455,13 @@ manual page for more information.
 .%T "The Secure Shell (SSH) Public Key File Format"
 .%D 2006
 .Re
+.Rs
+.%T "Hash Visualization: a New Technique to improve Real-World Security"
+.%A A. Perrig
+.%A D. Song
+.%D 1999
+.%O "International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99)"
+.Re
 .Sh AUTHORS
 OpenSSH is a derivative of the original and free
 ssh 1.2.12 release by Tatu Ylonen.