Some API requests that involve copying files to or from a remote server require that you provide the SSH fingerprint for the remote server in the request body. The SSH fingerprint is derived from a host key on the remote server.

About this task

To connect via SSH, the NSX Manager and the remote server must have a host key type in common. If there are multiple host keys types in common, whichever one is preferred according to the HostKeyAlgorithm configuration on the NSX Manager is used.

Having the fingerprint for a remote server helps you confirm you are connecting to the correct server, protecting you from man-in-the-middle attacks. You can ask the administrator of the remote server if they can provide the SSH fingerprint of the server. Or you can connect to the remote server to find the fingerprint. Connecting to the server over console is more secure than over the network.

The following table lists what NSX Manager supports in order from more preferred to less preferred.

Table 1. NSX Manager Host Keys in Preferred Order

Host key types supported by NSX Manager

Default Location of the Key

ECDSA (256 bit)

/etc/ssh/ssh_host_ecdsa_key.pub

ED25519

/etc/ssh/ssh_host_ed25519_key.pub

Procedure

  1. Log in to the remote server as root.

    Logging in using a console is more secure than over the network.

  2. List the public key files in the /etc/ssh directory.
    $ ls -al /etc/ssh/*pub
    -rw-r--r-- 1 root root 601 Apr  8 18:10 ssh_host_dsa_key.pub
    -rw-r--r-- 1 root root  93 Apr  8 18:10 ssh_host_ed25519_key.pub
    -rw-r--r-- 1 root root 393 Apr  8 18:10 ssh_host_rsa_key.pub
    
  3. Compare the available keys to what NSX Manager supports.

    In this example, ED25519 is the only acceptable key.

  4. Get the fingerprint of the key.
    # awk '{print $2}' /etc/ssh/ssh_host_ed25519_key.pub | base64 -d | sha256sum -b | sed 's/ .*$//' | xxd -r -p | base64 | sed 's/.//44g' | awk '{print "SHA256:"$1}'
    SHA256:KemgftCfsd/hn7EEflhJ4m1698rRhMmNN2IW8y9iq2A