Question

I'm using subversion from within PHPStorm, and I'm getting the following error when I try to connect to the SVN server...

The authenticity of host svn+ssh://svn.example.com:22 can't be established. ssh-rsa key fingerprint is

xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx

Are you sure you want to continue connecting?

The problem is that the fingerprint doesn't match the fingerprint for the server. If I remove the server from my ~/.ssh/known_hosts file and then ssh to it, it displays an entirely different fingerprint - which is the correct one for that server.

I have just moved the SVN repository to a new server, and changed DNS to point to the new server, so I was expecting PHPStorm to complain about a mismatching fingerprint, but I'm surprised that it's not showing the correct fingerprint for the new server. The fingerprint doesn't match the old server either, or any other server PHPStorm has ever connected to. I'm wary of letting it connect until I understand what's going on.

PHPStorm is correctly connecting to the new server, so I don't see how it can be getting the wrong fingerprint, and it seems unlikely that I'm seeing an actual man in the middle attack since whenever I ssh from the command line it sees the correct fingerprint.

I'm not sure where PHPStorm caches server fingerprints. I've tried invalidating caches to see if that would make it forget any outdated fingerprint data, but that seems unlikely given the reported fingerprint doesn't match the old or new servers.

I'm coming to the conclusion this is a bug in PHPStorm, but any other thoughts would be very welcome.

EDIT:

PHPStorm is showing a 20 byte fingerprint. Running this on the server (debian)

ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key

displays a 16 byte fingerprint, so they couldn't possibly match. Is there a way of getting a 20 byte fingerprint from the server's public key?


Solution

So it turns out that the 160bit (20 byte) hash PHPStorm displays is a SHA1 hash, whereas ssh-keygen is showing a 128bit (16 byte) MD5 hash.

Neither are very explicit about that, so I've just thrown together a quick script to show various hashes of a public key (assuming your public key is in /etc/ssh/ssh_host_rsa_key.pub):

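#!/usr/bin/env python3

import binascii
import hashlib

keyfile = "/etc/ssh/ssh_host_rsa_key.pub"

def showHash(name, hasher, data):
    # Print the digest as colon-separated hex bytes, the way SSH clients show it
    hasher.update(data)
    hexdigest = hasher.hexdigest()
    hexbytes = [hexdigest[i:i+2] for i in range(0, len(hexdigest), 2)]
    hexstring = ":".join(hexbytes)
    print(name + " " + hexstring)

# A .pub line is "<key type> <base64 key blob> [comment]"; the fingerprint is
# a hash of the decoded key blob, not of the text line
with open(keyfile) as f:
    words = f.readline().split()
data = words[1]
bindata = binascii.a2b_base64(data)

showHash("md5", hashlib.md5(), bindata)
showHash("sha1", hashlib.sha1(), bindata)
showHash("sha256", hashlib.sha256(), bindata)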

Turns out that PHPStorm is using the SHA1 hash, and is quite correct. But it would be helpful if you could select which hash function to use in either ssh-keygen (which I believe you can in ssh-keygen-g3) or in PHPStorm.
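An added example, not part of the original answer: rather than printing every hash and comparing by eye, this takes the fingerprint a client displays, infers the hash from its shape (16 bytes = MD5, 20 bytes = SHA1, or the `SHA256:` base64 form newer OpenSSH prints) and checks it against the server's public key line. The names `key_blob`, `parse_fingerprint` and `check` and the sample key are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed sample in .pub layout; the blob is NOT a real RSA key.
SAMPLE_PUB = "ssh-rsa " + base64.b64encode(
    b"\x00\x00\x00\x07ssh-rsa" + b"constructed-demo-blob").decode() + " demo@example"

def key_blob(pub_line):
    """Decode the base64 key blob (second field of a .pub line)."""
    fields = pub_line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    return base64.b64decode(fields[1], validate=True)

def parse_fingerprint(text):
    """Return (algorithm, digest bytes) for a fingerprint as displayed."""
    text = text.strip()
    if text.upper().startswith("SHA256:"):
        b64 = text[7:]
        # OpenSSH strips the base64 padding, so restore it before decoding
        return "sha256", base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if text.upper().startswith("MD5:"):
        text = text[4:]
    raw = binascii.unhexlify(text.replace(":", ""))
    # The digest length identifies the hash when the client does not name it
    algo = {16: "md5", 20: "sha1", 32: "sha256"}.get(len(raw))
    if algo is None:
        raise ValueError("unexpected fingerprint length: %d bytes" % len(raw))
    return algo, raw

def check(pub_line, shown):
    """Return (algorithm, matches) for the fingerprint a client showed."""
    algo, digest = parse_fingerprint(shown)
    actual = hashlib.new(algo, key_blob(pub_line)).digest()
    return algo, hmac.compare_digest(actual, digest)

def colon_hex(digest):
    """Format digest bytes as colon-separated hex."""
    return ":".join("%02x" % b for b in digest)

if __name__ == "__main__":
    blob = key_blob(SAMPLE_PUB)
    shown = colon_hex(hashlib.sha1(blob).digest())  # a 20-byte prompt value
    print(check(SAMPLE_PUB, shown))
```

To use it against a real host, read the line from the server's own .pub file over a channel you already trust and pass the fingerprint exactly as the client prompt displays it.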

Licensed under: CC-BY-SA with attribution