Some API requests that involve copying files to or from a remote server require that you provide the SSH fingerprint for the remote server in the request body. The SSH fingerprint is derived from a host key on the remote server.

About this task

To connect via SSH, the NSX Manager and the remote server must have a host key type in common. If there are multiple host key types in common, the one that is preferred according to the HostKeyAlgorithm configuration on the NSX Manager is used.

Having the fingerprint for a remote server helps you confirm you are connecting to the correct server, protecting you from man-in-the-middle attacks. You can ask the administrator of the remote server if they can provide the SSH fingerprint of the server. Or you can connect to the remote server to find the fingerprint. Connecting to the server over console is more secure than over the network.

The NSX Manager appliance is based on Ubuntu 14.04 and uses the default HostKeyAlgorithm order. This table lists the keys that are present on the NSX Manager by default, in order from most preferred to least preferred.

Table 1. NSX Manager Host Keys in Preferred Order

| Host key types present on NSX Manager | Default Location for that Host Key Type |
|---------------------------------------|-----------------------------------------|
| ECDSA (256 bit)                       | /etc/ssh/ssh_host_ecdsa_key.pub         |
| ED25519                               | /etc/ssh/ssh_host_ed25519_key.pub       |
| RSA                                   | /etc/ssh/ssh_host_rsa_key.pub           |
| DSA                                   | /etc/ssh/ssh_host_dsa_key.pub           |

Procedure

  1. Log in to the CLI of the remote server.

    Logging in using a console is more secure than over the network.

  2. List the public key files in the /etc/ssh directory.
    $ ls -al /etc/ssh/*pub
    -rw-r--r-- 1 root root 601 Apr  8 18:10 ssh_host_dsa_key.pub
    -rw-r--r-- 1 root root  93 Apr  8 18:10 ssh_host_ed25519_key.pub
    -rw-r--r-- 1 root root 393 Apr  8 18:10 ssh_host_rsa_key.pub
    
  3. Compare the available keys to the HostKeyAlgorithm order.

    In this example there are three SSH keys: DSA, RSA, and ED25519. Of these, ED25519 is highest in the preferred order, so that is the key that the NSX Manager will use when connecting to the remote server.

  4. Get the fingerprint of the preferred key.
    $ ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
    256 d0:21:3e:ec:52:ff:19:a9:e7:71:b5:7f:63:23:57:f7  root@ubuntu (ED25519)
    

    The fingerprint of the key is d0:21:3e:ec:52:ff:19:a9:e7:71:b5:7f:63:23:57:f7.

Results

Note:

You must remove the colons from the SSH fingerprint in backup and restore API requests.
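
Steps 2 through 4 and the colon-removal note combined into one script, added here as an example (it is not VMware code, and the function names are illustrative). It computes the MD5 fingerprint directly from the key blob instead of calling ssh-keygen, because OpenSSH 6.8 and later print SHA256 fingerprints by default (`ssh-keygen -E md5 -lf` selects the older format there). It assumes GNU coreutils (`base64 -d`, `md5sum`).

```shell
#!/bin/sh
# Added example, not VMware code. Order copied from Table 1, most preferred first.
PREFERRED="ecdsa ed25519 rsa dsa"

# Print the path of the most preferred host public key found in directory $1.
preferred_host_key() {
    for kt in $PREFERRED; do
        if [ -r "$1/ssh_host_${kt}_key.pub" ]; then
            printf '%s\n' "$1/ssh_host_${kt}_key.pub"
            return 0
        fi
    done
    echo "no host public key found in $1" >&2
    return 1
}

# MD5 fingerprint of public key file $1, colon-separated hex as in step 4.
# Field 2 of a .pub file is the base64 key blob; the fingerprint is the
# MD5 digest of the decoded blob.
md5_fingerprint() {
    awk '{print $2; exit}' "$1" | base64 -d | md5sum | awk '{print $1}' |
        sed 's/../&:/g; s/:$//'
}

# Remove the colons, as backup and restore API requests require.
strip_colons() {
    printf '%s\n' "$1" | tr -d ':'
}

# Demo on constructed placeholder files (not real keys), mirroring step 2:
# DSA, RSA and ED25519 present, no ECDSA. On a real server, call
# preferred_host_key /etc/ssh instead.
demo() {
    dir=$(mktemp -d) || return 1
    for t in dsa rsa ed25519; do
        printf '%s-placeholder %s root@ubuntu\n' "$t" \
            "$(printf 'constructed-%s-blob' "$t" | base64)" \
            > "$dir/ssh_host_${t}_key.pub"
    done
    key=$(preferred_host_key "$dir") || return 1
    fp=$(md5_fingerprint "$key")
    printf 'key: %s\nfingerprint: %s\nfor API: %s\n' \
        "${key##*/}" "$fp" "$(strip_colons "$fp")"
    rm -rf "$dir"
}
demo
```
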