2 files changed, 40 insertions, 6 deletions
diff --git a/ChangeLog b/ChangeLog
index 7279a819f..7f027d95f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -18,6 +18,11 @@
   - dtucker@cvs.openbsd.org 2008/06/13 18:55:22
     [scp.c]
     Prevent -Wsign-compare warnings on LP64 systems.  bz #1192, ok deraadt@
+   - grunk@cvs.openbsd.org 2008/06/13 20:13:26
+     [ssh.1]
+     Explain the use of SSH fpr visualization using random art, and cite the
+     original scientific paper inspiring that technique.
+     Much help with English and nroff by jmc@, thanks.
 20080612
 - (dtucker) OpenBSD CVS Sync
@@ -4356,4 +4361,4 @@
   OpenServer 6 and add osr5bigcrypt support so when someone migrates
   passwords between UnixWare and OpenServer they will still work. OK dtucker@
-$Id: ChangeLog,v 1.5008 2008/06/13 23:02:25 dtucker Exp $
+$Id: ChangeLog,v 1.5009 2008/06/13 23:04:26 dtucker Exp $
diff --git a/ssh.1 b/ssh.1
index e191bf04e..e975dae01 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.273 2008/02/11 07:58:28 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.274 2008/06/13 20:13:26 grunk Exp $
-.Dd $Mdocdate: February 11 2008 $
+.Dd $Mdocdate: June 13 2008 
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -1027,9 +1027,31 @@ Fingerprints can be determined using
 .Pp
 .Dl $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
 .Pp
-If the fingerprint is already known,
+If the fingerprint is already known, it can be matched
-it can be matched and verified,
+and the key can be accepted or rejected.
-and the key can be accepted.
+Because of the difficulty of comparing host keys
+just by looking at hex strings,
+there is also support to compare host keys visually,
+using
+.Em random art .
+By setting the
+.Cm CheckHostIP
+option to
+.Dq fingerprint ,
+a small ASCII graphic gets displayed on every login to a server, no matter
+if the session itself is interactive or not.
+By learning the pattern a known server produces, a user can easily
+find out that the host key has changed when a completely different pattern
+is displayed.
+Because these patterns are not unambiguous however, a pattern that looks
+similar to the pattern remembered only gives a good probability that the
+host key is the same, not guaranteed proof.
+.Pp
+To get a listing of the fingerprints along with their random art for
+all known hosts, the following command line can be used:
+.Pp
+.Dl $ ssh-keygen -lv -f ~/.ssh/known_hosts
+.Pp
 If the fingerprint is unknown,
 an alternative method of verification is available:
 SSH fingerprints verified by DNS.
@@ -1433,6 +1455,13 @@ manual page for more information.
 .%T "The Secure Shell (SSH) Public Key File Format"
 .%D 2006
 .Re
+.Rs
+.%T "Hash Visualization: a New Technique to improve Real-World Security"
+.%A A. Perrig
+.%A D. Song
+.%D 1999
+.%O "International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99)"
+.Re
 .Sh AUTHORS
 OpenSSH is a derivative of the original and free
 ssh 1.2.12 release by Tatu Ylonen.

diff --git a/ChangeLog b/ChangeLog index 7279a819f..7f027d95f 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -18,6 +18,11 @@
18	- dtucker@cvs.openbsd.org 2008/06/13 18:55:22	18	- dtucker@cvs.openbsd.org 2008/06/13 18:55:22
19	[scp.c]	19	[scp.c]
20	Prevent -Wsign-compare warnings on LP64 systems. bz #1192, ok deraadt@	20	Prevent -Wsign-compare warnings on LP64 systems. bz #1192, ok deraadt@
		21	- grunk@cvs.openbsd.org 2008/06/13 20:13:26
		22	[ssh.1]
		23	Explain the use of SSH fpr visualization using random art, and cite the
		24	original scientific paper inspiring that technique.
		25	Much help with English and nroff by jmc@, thanks.
21		26
22	20080612	27	20080612
23	- (dtucker) OpenBSD CVS Sync	28	- (dtucker) OpenBSD CVS Sync
@@ -4356,4 +4361,4 @@
4356	OpenServer 6 and add osr5bigcrypt support so when someone migrates	4361	OpenServer 6 and add osr5bigcrypt support so when someone migrates
4357	passwords between UnixWare and OpenServer they will still work. OK dtucker@	4362	passwords between UnixWare and OpenServer they will still work. OK dtucker@
4358		4363
4359	$Id: ChangeLog,v 1.5008 2008/06/13 23:02:25 dtucker Exp $	4364	$Id: ChangeLog,v 1.5009 2008/06/13 23:04:26 dtucker Exp $


diff --git a/ssh.1 b/ssh.1 index e191bf04e..e975dae01 100644 --- a/ssh.1 +++ b/ssh.1
@@ -34,8 +34,8 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh.1,v 1.273 2008/02/11 07:58:28 jmc Exp $	37	.\" $OpenBSD: ssh.1,v 1.274 2008/06/13 20:13:26 grunk Exp $
38	.Dd $Mdocdate: February 11 2008 $	38	.Dd $Mdocdate: June 13 2008
39	.Dt SSH 1	39	.Dt SSH 1
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -1027,9 +1027,31 @@ Fingerprints can be determined using
1027	.Pp	1027	.Pp
1028	.Dl $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key	1028	.Dl $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
1029	.Pp	1029	.Pp
1030	If the fingerprint is already known,	1030	If the fingerprint is already known, it can be matched
1031	it can be matched and verified,	1031	and the key can be accepted or rejected.
1032	and the key can be accepted.	1032	Because of the difficulty of comparing host keys
		1033	just by looking at hex strings,
		1034	there is also support to compare host keys visually,
		1035	using
		1036	.Em random art .
		1037	By setting the
		1038	.Cm CheckHostIP
		1039	option to
		1040	.Dq fingerprint ,
		1041	a small ASCII graphic gets displayed on every login to a server, no matter
		1042	if the session itself is interactive or not.
		1043	By learning the pattern a known server produces, a user can easily
		1044	find out that the host key has changed when a completely different pattern
		1045	is displayed.
		1046	Because these patterns are not unambiguous however, a pattern that looks
		1047	similar to the pattern remembered only gives a good probability that the
		1048	host key is the same, not guaranteed proof.
		1049	.Pp
		1050	To get a listing of the fingerprints along with their random art for
		1051	all known hosts, the following command line can be used:
		1052	.Pp
		1053	.Dl $ ssh-keygen -lv -f ~/.ssh/known_hosts
		1054	.Pp
1033	If the fingerprint is unknown,	1055	If the fingerprint is unknown,
1034	an alternative method of verification is available:	1056	an alternative method of verification is available:
1035	SSH fingerprints verified by DNS.	1057	SSH fingerprints verified by DNS.
@@ -1433,6 +1455,13 @@ manual page for more information.
1433	.%T "The Secure Shell (SSH) Public Key File Format"	1455	.%T "The Secure Shell (SSH) Public Key File Format"
1434	.%D 2006	1456	.%D 2006
1435	.Re	1457	.Re
		1458	.Rs
		1459	.%T "Hash Visualization: a New Technique to improve Real-World Security"
		1460	.%A A. Perrig
		1461	.%A D. Song
		1462	.%D 1999
		1463	.%O "International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99)"
		1464	.Re
1436	.Sh AUTHORS	1465	.Sh AUTHORS
1437	OpenSSH is a derivative of the original and free	1466	OpenSSH is a derivative of the original and free
1438	ssh 1.2.12 release by Tatu Ylonen.	1467	ssh 1.2.12 release by Tatu Ylonen.