
When you generate a key, you get "randomart" from newer versions of OpenSSH. I am unable to find an explanation of why, and what I'm supposed to use it for.

Generating public/private rsa key pair.
The key fingerprint is:
05:1e:1e:c1:ac:b9:d1:1c:6a:60:ce:0f:77:6c:78:47 you@i
The key's randomart image is:
+--[ RSA 2048]----+
|       o=.       |
|    o  o++E      |
|   + . Ooo.      |
|    + O B..      |
|     = *S.       |
|      o          |
|                 |
|                 |
|                 |
+-----------------+

Generating public/private dsa key pair.
The key fingerprint is:
b6:dd:b7:1f:bc:25:31:d3:12:f4:92:1c:0b:93:5f:4b you@i
The key's randomart image is:
+--[ DSA 1024]----+
|            o.o  |
|            .= E.|
|             .B.o|
|              .= |
|        S     = .|
|       . o .  .= |
|        . . . oo.|
|             . o+|
|              .o.|
+-----------------+
dlamblin
  • Another question I would like to ask is: is it safe to share your randomart image with others? In other words, given a randomart image such as the above, is it possible to reverse-engineer this back to the key? – AndyJ0076 Mar 24 '19 at 03:36
  • You can find an in-depth analysis of the VisualHostKey randomart in the short paper [The Drunken Bishop](http://www.dirk-loss.de/sshvis/drunken_bishop.pdf). – loomi Sep 04 '12 at 11:35
  • @AndyJ0076 randomart is a visualisation of the PUBLIC key's fingerprint, so it is safe :-) – opyate Jul 03 '20 at 20:05
  • I was wondering what the key pair should be to see the Mona Lisa – Shadi Alnamrouti Dec 27 '20 at 07:27
  • @ShadiNamrouti Something to be avoided in the future where everyone uses images. Mona Lisa would be the equivalent of 1234 and asdf. ;) – JoonasD6 Sep 04 '21 at 20:36
  • @ShadiNamrouti As per the The Drunken Bishop paper TLDR, creating a key pair that happens to have a specific randomart is tough. – Tarik Apr 29 '22 at 14:25

4 Answers


The randomart is meant to be an easier way for humans to validate keys.

Validation is normally done by a comparison of meaningless strings (i.e. the hexadecimal representation of the key fingerprint), which humans are pretty slow and inaccurate at comparing. Randomart replaces this with structured images that are faster and easier to compare.

The paper "Hash Visualization: a New Technique to improve Real-World Security" (Perrig A. and Song D., 1999, International Workshop on Cryptographic Techniques and E-Commerce, CrypTEC '99) explains some techniques and advantages.

mykhal
mark
  • If you could just explain why humans validate keys, that could help, because frankly I tend to just put my public key in my authorized_keys file and be done with it. – dlamblin Sep 06 '09 at 05:10
  • @dlamblin: You generally would not verify your own keys with this. It would, however, be useful for verifying the host key of a remote machine. One idea is that if you login to a particular machine from various locations (or you do not save its key into your known_hosts file), you will be able to recognize the “art” of the host's key. If that art suddenly changed you should be wary of typing in your password because it might mean that a man-in-the-middle attack is in progress on your connection (or it might mean that the host has just changed its keys for some other reason). – Chris Johnsen Oct 27 '09 at 05:43
  • Uhm, when could I see the host's art? (I think I never did.) I only saw such an image after generating my key pair. And to what would I have to compare it to recognize a 'sudden' change? – DerMike Feb 09 '11 at 10:15
  • I'd wager the randomart adheres to a similar principle as hashes for integrity checks, namely: a small difference in the input generates a wildly different output. That would mean you would just have to memorize the rough shape of the expected randomart to be able to notice something is amiss. Of course this doesn't work in practice when SSH et al don't show you the randomart of the host you're connecting to (they should do so even when the host is known). – Alan Plum Feb 25 '11 at 16:22
  • I imagine these are most useful when public keys are being exchanged in-person for an integrity check after the copy is complete. – jordanpg Oct 02 '14 at 23:53
  • @DerMike, if you haven't seen it already, another answer answers your question. – chreekat Nov 24 '15 at 19:51
  • 9 years later (I'm old) I have too many different hosts I connect to. Recognizing a change is unlikely. – dlamblin Jan 22 '18 at 07:12
  • As a PhD student studying computer security, that's something of dream research that I want to do in the future. It's so simple but its purpose is very practical. – Gwangmu Lee Apr 11 '21 at 04:59
  • I am all in for loose definitions but this is not "art" by any stretch! – Fakeer Apr 24 '22 at 01:06
  • Suppose randomart got updated to generate a QR code, using ASCII block drawing characters! – Mark Stewart Jul 27 '23 at 19:19
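The answer above describes randomart as a hash visualisation; the concrete algorithm OpenSSH uses is the "drunken bishop" walk analysed in the paper linked in the question's comments. What follows is an added example, not code from the page or from OpenSSH: a Python re-implementation of that walk (function names such as `bishop_walk`, `randomart` and `differing_cells` are my own) that reproduces the MD5-era picture from the question, plus a helper that measures how many board cells change when a single fingerprint bit is flipped, which is the "small change, wildly different image" property the comments rely on. The constants are the ones OpenSSH 5.1 shipped: a 17x9 board, the bishop starting in the centre, each digest byte supplying four 2-bit moves (bit 0 left/right, bit 1 up/down, least-significant pair first), moves clamped to the edges, and the symbol string " .o+=*BOX@%&#/^SE" with S and E marking start and end. Note that OpenSSH 6.8 and later fingerprint with SHA-256 by default and print the hash name in the bottom border, so their pictures will not match this 5.x-style rendering (use `ssh-keygen -E md5` for the older style); `ssh-keygen -lv -f ~/.ssh/known_hosts` shows the art of every host you have already accepted without opening a connection.

```python
import hashlib  # only needed if you want to digest a raw public-key blob yourself

# Board geometry and symbol table as in OpenSSH 5.x key_fingerprint_randomart():
# FLDBASE = 8 gives a 17x9 board; the bishop starts on the centre square.
FLD_X, FLD_Y = 17, 9
SYMBOLS = " .o+=*BOX@%&#/^SE"
MAX_VISITS = len(SYMBOLS) - 3   # 14 -> '^'; 'S' and 'E' are reserved markers


def bishop_walk(digest: bytes):
    """Walk the board for a fingerprint digest; return (field, end_x, end_y).

    Each byte yields four 2-bit moves, least-significant pair first:
    bit 0 chooses left/right, bit 1 chooses up/down. The walk is clamped
    to the board edges, which is why edges and corners fill up.
    """
    field = [[0] * FLD_X for _ in range(FLD_Y)]      # field[y][x] = visit count
    x, y = FLD_X // 2, FLD_Y // 2
    for byte in digest:
        for _ in range(4):
            x += 1 if byte & 1 else -1
            y += 1 if byte & 2 else -1
            x = min(max(x, 0), FLD_X - 1)
            y = min(max(y, 0), FLD_Y - 1)
            if field[y][x] < MAX_VISITS:
                field[y][x] += 1
            byte >>= 2
    return field, x, y


def randomart(digest: bytes, key_type: str = "RSA", bits: int = 2048) -> str:
    """Render the OpenSSH 5.x-style ASCII box for a 16-byte MD5 digest."""
    field, end_x, end_y = bishop_walk(digest)
    field[FLD_Y // 2][FLD_X // 2] = len(SYMBOLS) - 2   # 'S': where the walk began
    field[end_y][end_x] = len(SYMBOLS) - 1             # 'E': where it stopped
    # OpenSSH writes the title with snprintf into a 17-byte buffer, so at most
    # 16 characters survive; the rest of the top border is padded with '-'.
    title = ("+--[%4s %4u]" % (key_type, bits))[:FLD_X - 1]
    lines = [title + "-" * (FLD_X + 1 - len(title)) + "+"]
    for row in field:
        lines.append("|" + "".join(SYMBOLS[min(c, len(SYMBOLS) - 1)] for c in row) + "|")
    lines.append("+" + "-" * FLD_X + "+")
    return "\n".join(lines)


def digest_from_fingerprint(colon_hex: str) -> bytes:
    """'05:1e:...:47' as printed by ssh-keygen -> the raw 16 digest bytes."""
    return bytes.fromhex(colon_hex.replace(":", ""))


def digest_from_pubkey_blob(blob: bytes) -> bytes:
    """MD5 of a raw (base64-decoded) public-key blob, as old ssh-keygen fingerprints it."""
    return hashlib.md5(blob).digest()


def differing_cells(art_a: str, art_b: str) -> int:
    """Count board cells (borders excluded) that differ between two rendered images."""
    rows_a = art_a.splitlines()[1:-1]
    rows_b = art_b.splitlines()[1:-1]
    return sum(ca != cb
               for ra, rb in zip(rows_a, rows_b)
               for ca, cb in zip(ra[1:-1], rb[1:-1]))


# Fingerprint of the RSA key shown in the question above.
QUESTION_FINGERPRINT = "05:1e:1e:c1:ac:b9:d1:1c:6a:60:ce:0f:77:6c:78:47"

if __name__ == "__main__":
    d = digest_from_fingerprint(QUESTION_FINGERPRINT)
    print(randomart(d, "RSA", 2048))
    # Constructed input: flip one bit of the first byte and compare the pictures.
    flipped = bytes([d[0] ^ 0x01]) + d[1:]
    print(randomart(flipped, "RSA", 2048))
    print("cells that differ after a one-bit change:", differing_cells(randomart(d), randomart(flipped)))
```

Running the script prints the same `+--[ RSA 2048]----+` box that appears in the question, which is a useful sanity check that the walk and the symbol mapping are right; the one-bit flip shows why a human only needs to remember the rough shape of a host's picture to notice that a different key is being presented.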

Add

-o VisualHostKey=yes 

to your command line, or put

VisualHostKey=yes 

in your ~/.ssh/config.

You'll see the randomart of the box you are logging onto. If you log on one day and the random art is different (your brain should go Hey! I don't recognise that!), then maybe someone is hacking, or something.

The idea is that you don't consciously need to do it. One of the keys for one of our machines kinda looks like a butterfly. Another one kinda looks like a dick (yes, our brains are primitive). If you log on every day, you get accustomed to the images without even trying.

slhck
Paul Murray
  • Not great. If you've logged in before, much better for the computer to do the recognition for you using a stored fingerprint. The feature's only meant to be used for logging into new machines. – Nicholas Wilson May 21 '12 at 13:55
  • Way late to this answer, but it's worth pointing out that this would be immensely useful if you were logging in from a different machine that didn't have all of your known_hosts. In that case, the computer wouldn't be able to verify that it's known, but the user should be able to see "That looks way different than normal!" and abort. – Xkeeper Oct 03 '12 at 19:56
  • Letting your computer do the recognition is vulnerable to your own computer's known hosts being hacked. Much like you shouldn't let your computer enter passwords for you, you would be better off validating the host's key yourself. – Marko Topolnik May 25 '15 at 17:54
  • @MarkoTopolnik: if you can't trust your own local machine that you're connecting from, you shouldn't be using that machine to do anything, much less using SSH. For all you know, the ssh executable itself might've been replaced with a sinister version. – Lie Ryan Dec 11 '19 at 03:58
  • @LieRyan good point, how do we protect against that? Since I'm unable to decipher the bits manually we'd need some tools that fail "when tampered with". Do you have insight how we could spot this? To spot when someone is using hacked firmware/hardware from government involvement? – paul23 Jun 19 '20 at 12:34
  • @paul23: You can't. Read the [Ten Immutable Laws of Security](https://docs.microsoft.com/en-au/archive/blogs/rhalbheer/ten-immutable-laws-of-security-version-2-0) #2 and #3. – Lie Ryan Jun 22 '20 at 03:46
  • @LieRyan well that's not an answer: as that is the only reason to have security: to protect yourself from Chinese government influence into the companies that produce the items. There must be a way to decipher that someone is tampering with your hardware and not your neighbours'; just like we can verify public/private keys, we need to find a way to verify hardware workings. – paul23 Jun 22 '20 at 08:59
  • This discussion can be summarised by remembering the old adage: If someone can gain physical access to a machine, it's in principle already compromised. – aggregate1166877 Apr 13 '23 at 21:13
  • Very similar to the images which some websites display to prevent MITM attacks. – RonJohn Jun 01 '23 at 01:12

Official announcement: OpenSSH 5.1 released

Introduce experimental SSH Fingerprint ASCII Visualisation to ssh(1) and ssh-keygen(1). Visual fingerprint display is controlled by a new ssh_config(5) option "VisualHostKey". The intent is to render SSH host keys in a visual form that is amenable to easy recall and rejection of changed host keys. This technique is inspired by the graphical hash visualisation schemes known as "random art[*]", and by Dan Kaminsky's musings at 23C3 in Berlin.

Fingerprint visualisation is currently disabled by default, as the algorithm used to generate the random art is still subject to change.

Nick
  • That last sentence is, indeed, worth knowing. [OpenBSD Journal @ Undeadly.org info about OpenSSH 6.8 release](http://undeadly.org/cgi?action=article&sid=20150320130957&mode=expanded) states, "Please note that visual host keys will also be different." Newer software shows different images than the images shown by the older software. – TOOGAM Dec 28 '15 at 07:29

The Randomart displayed after the ssh-keygen generation is a graphic representation of the key you have just generated. Then:

  • the Randomart is not really useful for the user who generated the ssh-key

  • the Randomart can be very useful for a user using a connection via SSH to connect often to the same server: if he added the "-o VisualHostKey=yes" option to his SSH command:

ssh user@domainname.com -o VisualHostKey=yes

the Randomart corresponding to the public key of the server will be displayed.

To see an example, you can try:

ssh git@github.com -o VisualHostKey=yes

In the case where the user often connects to the same server, he can quickly and easily check whether he recognizes the Randomart corresponding to the public key of this server or not, which is easier and faster than checking the string of characters of the public key itself!

anahata
tmangin
  • You can also add it in your ssh/config file `VisualHostKey=yes` - this is where I found that information https://www.safematix.com/system/linux/ssh-visualhostkey/ – nycynik Mar 04 '20 at 17:29