This topic describes how to configure SSH host verification when authenticating to UNIX environments, which lets the Delphix server ensure it connects to the intended environment hosts. This method uses the Delphix CLI to set the SSH key or fingerprint of each host. Currently, it is only possible to configure SSH host verification via the CLI or the Web Service API.

When an SSH key or fingerprint is specified for an environment host, the Delphix server uses it to verify the identity of that host each time it connects. If the key or fingerprint does not match the information presented by the host, the Delphix server closes the connection and reports the problem to the user.

The key types supported by the Delphix server are RSA (ssh-rsa), DSA (ssh-dsa), ECDSA (ecdsa-sha2-nistp256) and ED25519 (ssh-ed25519). The fingerprint types supported are SHA256 and SHA512; the MD5 type is considered insecure and, therefore, is not supported.

  • To obtain the SSH public key or fingerprint of a host remotely from another machine, you must have the ssh-keyscan and ssh-keygen utilities.
  • To obtain the SSH public key or fingerprint directly from a host, you must be able to log into that host.

Obtaining an SSH key or fingerprint

  1. Remotely: List the SSH public keys of the host using the standard utility ssh-keyscan and choose one of them. For example:

    $ ssh-keyscan
    # SSH-2.0-OpenSSH_7.4 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBsOAAokSRO67jI28syRmX0wY/fKIboLLu/ofk6BzYLKtkMaK1QC78/6QlelIJUP5HdK8E7Um/iM1JMxry4h9Rl13onYOuJVZkDB9wnJiztSu/Wl9Eqbt59TU1vGmp/4ulWS3PISl7bxs+l43HzsrjM4dTs2efQ7sLWoW86CDlL7Je4va65/aopvifxKZeZkT0srB3L8VzHKw9+NJOumy1CI3DIBiICURJd4WZ10IH5TFUDRaUFAc/trzW1gvJY/Whp892tPHekyP32hOZNIc7oDPx2boZauJVR6/BHmKpmLlhkPpEqfZP8JW+JNsNnLr9BEmwJXaEpwnua1BUii8F

    where the key is the Base64-encoded string to the right of the key type. In this example, the RSA SSH public key is the string starting with "AAAAB3Nza" and ending with "a1BUii8F".

  2. Alternatively, from the host: Log into the host and print the file contents of your public key of choice. For example:

    $ cat /etc/ssh/
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBsOAAokSRO67jI28syRmX0wY/fKIboLLu/ofk6BzYLKtkMaK1QC78/6QlelIJUP5HdK8E7Um/iM1JMxry4h9Rl13onYOuJVZkDB9wnJiztSu/Wl9Eqbt59TU1vGmp/4ulWS3PISl7bxs+l43HzsrjM4dTs2efQ7sLWoW86CDlL7Je4va65/aopvifxKZeZkT0srB3L8VzHKw9+NJOumy1CI3DIBiICURJd4WZ10IH5TFUDRaUFAc/trzW1gvJY/Whp892tPHekyP32hOZNIc7oDPx2boZauJVR6/BHmKpmLlhkPpEqfZP8JW+JNsNnLr9BEmwJXaEpwnua1BUii8F
  3. If a fingerprint is preferred, use ssh-keygen in conjunction with the above commands. For example, remotely:

    $ ssh-keyscan | ssh-keygen -E sha256 -lf -
    2048 SHA256:8Cx8cBg/pSbkId3uu2vATeugkAXcm+Ruu9hu66OXEGI (RSA)

    where the fingerprint is "SHA256:8Cx8cBg/pSbkId3uu2vATeugkAXcm+Ruu9hu66OXEGI" (the string between the key size and the host name).
    Alternatively, from the host:

    $ cat /etc/ssh/ | ssh-keygen -E sha256 -lf -
    2048 SHA256:8Cx8cBg/pSbkId3uu2vATeugkAXcm+Ruu9hu66OXEGI (RSA)
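The steps above hand the raw key or its fingerprint to the Delphix CLI; the following added example (not part of the Delphix documentation or product) shows what `ssh-keygen -E sha256 -lf` computes from an `ssh-keyscan` line and how a verifier compares the presented key against a configured fingerprint or raw key. It assumes the standard OpenSSH public-key blob layout and uses a constructed, non-real 2048-bit modulus and the made-up host name `dbhost.example` as sample input.

```python
import base64
import hashlib
import hmac
import struct

SUPPORTED_HASHES = ("sha256", "sha512")  # MD5 is deliberately not offered

def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n):
    """SSH wire-format mpint: big-endian magnitude, 0x00 prepended if high bit set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return ssh_string(b"\x00" + raw if raw[0] & 0x80 else raw)

def parse_keyscan_line(line):
    """Split one ssh-keyscan output line into (host, key type, decoded key blob)."""
    host, key_type, b64 = line.split()[:3]
    return host, key_type, base64.b64decode(b64)

def fingerprint(blob, algo="sha256"):
    """Fingerprint in ssh-keygen -l form: hash of the blob, base64 without '=' padding."""
    if algo not in SUPPORTED_HASHES:
        raise ValueError(f"unsupported fingerprint type: {algo}")
    digest = hashlib.new(algo, blob).digest()
    return algo.upper() + ":" + base64.b64encode(digest).decode().rstrip("=")

def rsa_bits(blob):
    """Modulus size of an ssh-rsa blob (fields: type string, mpint e, mpint n)."""
    fields, off = [], 0
    for _ in range(3):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    if fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(fields[2], "big").bit_length()

def verify_host_key(line, expected_fingerprint=None, expected_raw_key=None):
    """Check the presented key before any authentication: raw-key strategy compares
    blob bytes, fingerprint strategy compares hashes (constant-time in both cases)."""
    _, _, blob = parse_keyscan_line(line)
    if expected_raw_key is not None:
        return hmac.compare_digest(base64.b64decode(expected_raw_key), blob)
    if expected_fingerprint is not None:
        algo = expected_fingerprint.split(":", 1)[0].lower()
        return hmac.compare_digest(fingerprint(blob, algo), expected_fingerprint)
    raise ValueError("no expected key or fingerprint configured")

# Constructed sample (not a real key): a 2048-bit modulus built from a fixed pattern,
# wrapped as an ssh-keyscan line for the made-up host "dbhost.example".
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << 2047) | 0x10001)
SAMPLE_LINE = "dbhost.example ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()
```

`rsa_bits(SAMPLE_BLOB)` and `fingerprint(SAMPLE_BLOB)` reproduce the "2048 SHA256:..." summary ssh-keygen prints, and `verify_host_key` returns False for a mismatched key or fingerprint, which is the condition the server reports as "Unrecognized key or fingerprint".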

Configuring SSH host verification during environment creation

The default SSH verification strategy is SshAcceptAlways, which always trusts the key or fingerprint presented by a remote host. The procedure to change this strategy to perform fingerprint-based host verification for single-host Unix environments is:

  1. Set the new strategy to SshVerifyFingerprint:

    delphix environment create *> edit
    delphix environment create *> set type=SshVerifyFingerprint
  2. Set the key type and fingerprint type. For example:

    delphix environment create *> set keyType=RSA
    delphix environment create *> set fingerprintType=SHA256
  3. Set the fingerprint. For example:

    delphix environment create *> set fingerprint=SHA256:8Cx8cBg/pSbkId3uu2vATeugkAXcm+Ruu9hu66OXEGI
  4. Alternatively, you can specify the key itself using the SshVerifyRawKey strategy. For example:

    delphix environment create *> set type=SshVerifyRawKey
    delphix environment create *> set keyType=RSA
    delphix environment create *> set rawKey=AAAAB3NzaC1yc2EAAAADAQABAAABAQDBsOAAokSRO67jI28syRmX0wY/fKIboLLu/ofk6BzYLKtkMaK1QC78/6QlelIJUP5HdK8E7Um/iM1JMxry4h9Rl13onYOuJVZkDB9wnJiztSu/Wl9Eqbt59TU1vGmp/4ulWS3PISl7bxs+l43HzsrjM4dTs2efQ7sLWoW86CDlL7Je4va65/aopvifxKZeZkT0srB3L8VzHKw9+NJOumy1CI3DIBiICURJd4WZ10IH5TFUDRaUFAc/trzW1gvJY/Whp892tPHekyP32hOZNIc7oDPx2boZauJVR6/BHmKpmLlhkPpEqfZP8JW+JNsNnLr9BEmwJXaEpwnua1BUii8F
  5. When you are done specifying all other environment creation parameters, create the environment:

    delphix environment create *> commit
  6. If you are creating a Unix cluster, the procedure to start editing the SSH verification settings for the first node in that cluster is similar to the single-host case. For example:

    delphix> environment create
    delphix environment create *> set type=OracleClusterCreateParameters
    delphix environment create *> edit nodes
    delphix environment create nodes *> add
    delphix environment create nodes 0 *> edit
    delphix environment create nodes 0 *> edit
    # configure SSH verification settings

Note that only one node (host) can be specified and configured when creating a Unix cluster environment. The SSH verification settings for the remaining hosts can only be specified afterward by editing them via "host select <hostname> update", once the corresponding nodes have been discovered or added. See the next section.

Configuring SSH host verification for existing hosts

For any Unix environment host, whether it is single or part of a cluster, you can set up or change its configuration for SSH verification after the environment has been added by editing the host. For example:

delphix> host select update sshVerificationStrategy
delphix host '' update sshVerificationStrategy *> edit sshVerificationStrategy
# configure SSH verification settings

Testing SSH host verification

It is possible to configure an SSH key or fingerprint when performing a connectivity test to a Unix host. This can be done without even creating an environment for that host. For example:

delphix> connectivity ssh
# configure address and credentials
delphix connectivity ssh *> edit sshVerificationStrategy
# configure SSH verification settings

SSH host verification errors

When the Delphix server initiates an SSH connection to a host and SSH host verification is configured (that is, the verification strategy is not the default SshAcceptAlways), the server first checks the key presented by the host. Only if this check passes does the server attempt to authenticate. A host key verification failure is therefore reported to the user as "Unrecognized key or fingerprint" before any authentication failure. For example:

delphix connectivity ssh *> set credentials.password=<BAD PASSWORD>
delphix connectivity ssh *> set sshVerificationStrategy.rawKey=<BAD KEY>
delphix connectivity ssh *> commit
   Error: Unrecognized key or fingerprint returned by host "".
  Action: Contact your administrator as this could be a man-in-the-middle attack. Otherwise, correct the host's ssh key/fingerprint configuration.
delphix connectivity ssh *> set sshVerificationStrategy.rawKey=<GOOD KEY>
delphix connectivity ssh *> commit
   Error: Unable to authenticate to host "" using username "myusername".
  Action: Check the username and password and try again.
