Background:
When logging in to my own VPS I was shown the prompt REMOTE HOST IDENTIFICATION HAS CHANGED!.
It displayed the following:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:sYNNR1L6T5cSEG4BndqtCDhJEI0eB9LamBTkuIue3+0.
Please contact your system administrator.
Add correct host key in /Users/xx/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/xx/.ssh/known_hosts:40
ECDSA host key for [xx.com] has changed and you have requested strict checking.
Host key verification failed.
The prompt says there is a risk of a man-in-the-middle attack. Apart from an actual man-in-the-middle attack, what other changes can cause this? (Could the encryption method of the SSH connection have changed? For example, I noticed that some host entries in the known_hosts file are ssh-rsa while others are ecdsa-sha2-nistp256. Would a software upgrade change the connection's encryption method? I have not touched anything myself.)
Also, the message mentions fingerprint information:
The fingerprint for the ECDSA key sent by the remote host is
SHA256:sYNNR1L6T5cSEG4BndqtCDhJEI0eB9LamBTkuIue3+0.
This fingerprint is also shown the first time you SSH into a server:
The authenticity of host [xx.com] can't be established.
ECDSA key fingerprint is SHA256:sYNNR1L6T5cSEG4BndqtCDhJEI0eB9LamBTkuIue3+0.
Are you sure you want to continue connecting (yes/no)?
So this fingerprint is supposed to be verified; how do you verify it?
(I suspect a large proportion of people, just like clicking "Next" through a software installer, have no idea how to compare it and simply trust it.)
Addendum: I looked up some material, "How to get ssh server fingerprint information"; they all mention something similar, but the fingerprint it gives is not the same as the one shown above.
> ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub
256 0d:df:2b:e4:ee:79:f2:98:ab:38:93:f3:44:1d:c5:4d root@doceanm-xxx.localdomain (ECDSA)
So what is the relationship between them?
Also, when generating a private/public key pair, a fingerprint is mentioned as well:
> ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/xavier/.ssh/id_rsa): testxxx
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in testxxx.
Your public key has been saved in testxxx.pub.
The key fingerprint is:
SHA256:Bw1NuIXaa7h6tzCWDDOq0/esnqQiNJruFeNThfYffHY xavier@local
The key's randomart image is:
+---[RSA 2048]----+
| .=. |
| . ooo |
| o +.o. |
| . + +. |
| o+. oS+.o E |
| o..+=..+.+ . |
|ooo+. *o . |
|*.ooo+oo. |
|==.o==o... |
+----[SHA256]-----+
The server administrator tells it to the user.
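The following is an added example (not part of the original question or of any answer on this page) showing the relationship the question asks about: both fingerprints are hashes over the same public-key blob, the MD5 form being the colon-separated hex output of OpenSSH versions before 6.8 (and of `ssh-keygen -E md5` on newer versions), the SHA256 form being `SHA256:` followed by the unpadded base64 of the SHA-256 digest, as printed by OpenSSH 6.8 and later. It also checks an unhashed known_hosts entry against an expected fingerprint, which is the comparison the "Are you sure you want to continue connecting" prompt asks the user to do by hand. The sample key bytes, host names and known_hosts lines are constructed for this demonstration and do not belong to any real host.

```python
"""Compute OpenSSH fingerprints in both formats and check a known_hosts
entry against an expected fingerprint.

The sample key below is constructed for this demonstration: the 32 key
bytes are arbitrary, not a real ed25519 key. Only the SSH wire format of
the blob matters for fingerprinting.
"""
import base64
import hashlib
import struct


def parse_pubkey_line(line):
    """Split an OpenSSH public-key line ('<type> <base64 blob> [comment]')
    into the key type and the raw blob that fingerprints are computed over."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    # The blob begins with the key type as a length-prefixed string; reject
    # a line whose textual type does not match what is inside the blob.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type in blob does not match line")
    return key_type, blob


def md5_fingerprint(blob):
    """Legacy format (OpenSSH < 6.8, or `ssh-keygen -E md5`):
    hex MD5 of the blob, one colon between each byte."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob):
    """Current format (OpenSSH >= 6.8): 'SHA256:' + base64 of the SHA-256
    digest with the trailing '=' padding removed."""
    b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return "SHA256:" + b64.rstrip("=")


def fingerprints(pubkey_line):
    """Both fingerprint forms of one public-key line, to show they are
    different hashes of the same key rather than different keys."""
    key_type, blob = parse_pubkey_line(pubkey_line)
    return {"type": key_type,
            "md5": md5_fingerprint(blob),
            "sha256": sha256_fingerprint(blob)}


def known_hosts_matches(known_hosts_text, host, key_type, expected_sha256):
    """True if known_hosts holds an unhashed entry for `host` of `key_type`
    whose SHA256 fingerprint equals `expected_sha256`. Entries with hashed
    host names (prefix '|1|') are skipped; `ssh-keygen -F host` handles those."""
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        parts = line.split()
        if len(parts) < 3 or parts[1] != key_type:
            continue
        if host not in parts[0].split(","):
            continue
        _, blob = parse_pubkey_line(" ".join(parts[1:]))
        if sha256_fingerprint(blob) == expected_sha256:
            return True
    return False


def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed sample data (not a real key, not a real host).
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_PUBKEY_LINE = ("ssh-ed25519 "
                      + base64.b64encode(SAMPLE_BLOB).decode()
                      + " demo@example")
SAMPLE_KNOWN_HOSTS = "example.com,192.0.2.10 " + SAMPLE_PUBKEY_LINE + "\n"


if __name__ == "__main__":
    fp = fingerprints(SAMPLE_PUBKEY_LINE)
    print(fp["type"], fp["md5"])      # what old ssh-keygen -l printed
    print(fp["type"], fp["sha256"])   # what current ssh-keygen -l prints
    print(known_hosts_matches(SAMPLE_KNOWN_HOSTS, "example.com",
                              "ssh-ed25519", fp["sha256"]))
```

On the server, `ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub` prints the SHA256 form on OpenSSH 6.8 and later and the MD5 form on older versions; `ssh-keygen -E md5 -lf ...` forces the MD5 form so the two can be compared. The value must be obtained through a channel other than the SSH connection being verified (the provider's console, a provisioning log, or the administrator directly), otherwise an attacker in the middle could supply both the key and the "expected" fingerprint. The fingerprint printed by `ssh-keygen` during key generation is that of the user's own key pair, not of any host key, and is unrelated to the host prompt.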