[HN Gopher] What is the randomart image for?
___________________________________________________________________
What is the randomart image for?
Author : susam
Score : 139 points
Date : 2023-02-21 08:39 UTC (14 hours ago)
(HTM) web link (bytes.zone)
(TXT) w3m dump (bytes.zone)
| saul_goodman wrote:
| In my head I've always read that as rando-mart. I have a mental
| image of a small high-density city street shop with anything you
| could possibly want to buy including small ascii art images of my
| ssh keys.
| vmoore wrote:
| _Needs this for SHA256 sums_
|
| I often compare SHA256 sums of software and have to trust my eyes
| that the two hashes are the same. Most of the time I just look at
| the first 5 characters, alongside the last five characters, but I
| don't look at the middle, and I really should.
|
| Some hashes could deliberately look the same but have 2-3
| characters different, and I wouldn't know, unless I look at each
| character individually, but who does that?
| coldpie wrote:
| It is a bit of effort, but you can make the computer do the
| verification for you by writing (or generating) a simple text
| file. Using Perl shasum because I'm on a mac at the moment, but
| Linux sha256sum works the same: $ echo hi >
| some_file $ shasum -a 256 some_file > check $
| cat check 98ea6e4f216f2fb4b69fff9b3a44842c38686ca685f3f
| 55dc48c5d3fb1107be4 some_file $ shasum -a 256 -c check
| some_file: OK $ echo $? 0 $ echo bye >
| some_file $ shasum -a 256 -c check some_file:
| FAILED shasum: WARNING: 1 computed checksum did NOT
| match $ echo $? 1
|
| Edit: Oh cool, at least perl's shasum allows reading from stdin
| so you can even skip the file if you're just copying some check
| file off the software's website: $ shasum -a
| 256 -c - <<EOF > 98ea6e4f216f2fb4b69fff9b3a44842c38686c
| a685f3f55dc48c5d3fb1107be4 some_file > EOF
| some_file: OK
| johnmaguire wrote:
| Something like this also works: hash="4e575
| a5ee4af2925477c9eea887ff560d23a586dbaf90b616d26c47ec429ca13"
| [[ "$hash" == "$(shasum -a 256 file | awk '{print $1 }')" ]]
| && echo "Valid" || echo "Invalid checksum"
|
| I use that little if-statement in some build systems.
| coldpie wrote:
| See my edit, apparently shasum's -c can read from stdin so
| you could simplify your scriptlet even further :)
| jpdaigle wrote:
| Any hash calculations using a "read from stdin or a pipe"
| strategy, in my experience, is fraught with issues caused by
| an extra newline at the end of the input possibly being there
| today, and not in later checks, or vice-versa.
|
| When people claim they wrote a prediction at some later date,
| they always have to document the EXACT command used to avoid
| this, e.g. `echo "smart prediction" | md5sum`
| r1ch wrote:
| Malware that replaces crypto addresses on webpages is already
| aware of this - they try to generate addresses with similar
| starting and ending characters since most people aren't
| checking the whole thing.
| rzzzt wrote:
| There is one method that might help, the "astronomer's blink":
| open two editor tabs, paste the expected and the actual hash in
| either tab, then quickly switch between tabs using the keyboard
| (eg. Ctrl+PgUp/Dn if your editor supports this). Can also be
| used for comparing ordered JSON output when in a hurry.
|
| (The term comes from
| https://en.wikipedia.org/wiki/Blink_comparator and someone
| wrote about this in a tech context as well, but I forgot where
| I read it. I'm seeing one search hit with the exact expression,
| so it could have been something close as well.)
| remram wrote:
| It is weird that this doesn't exist. The algorithm is pretty
| simple and there are libraries for it, but I couldn't find a
| generic command-line tool that shows one after hashing any
| file.
|
| This might be a cool contribution to coreutils (which contains
| the `sha256sum`, `sha1sum`, `md5sum`, ... programs)
| refuse wrote:
| I'm asking this in the wrong place, but does anyone know why
| coreutils doesn't include sha3 or derivatives?
| Joker_vD wrote:
| Reminds me of a slide from one of Peter Gutmann's lectures on PKI
| and related stuff: a mock up of a title page for a proposed
| conference paper, titled "Do SSH Fingerprints Increase
| Security?", with abstract consisting of just "No."
|
| Yes, it follows other slides that describe precisely the attack
| in TFA, only for traditional SSH fingerprints, and the real world
| surveys on the "how many users have called or emailed to verify
| the SSH key fingerprint whenever the key changed?" question
| (answer: literally zero), so it seems sadly accurate.
| syntheticcorp wrote:
| Found it, pg 47
| https://www.cs.auckland.ac.nz/~pgut001/pubs/defending.pdf
| jrm4 wrote:
| I always understood the option, but seems like a little color
| would go a LONG way in making them much more usable? I never got
| around to paying attention to them and I think that's why.
| 2b3a51 wrote:
| Slackware displays the randomart images for some kind of public
| key when you boot. I always wondered what these were, so thanks
| for posting.
| kaoD wrote:
| > and see if I started to be able to recognize the randomart
| images in the way the manual implies I'd be able to, and it turns
| out it worked!
|
| How computationally expensive is it to generate a key with
| randomart that kinda-resembles a known randomart?
|
| I've always ignored randomart since I always assumed it's easy to
| get a close-enough "collision".
|
| EDIT: algorithm explained here
| https://pthree.org/2013/05/30/openssh-keys-and-the-drunken-b...
| eat_veggies wrote:
| Seems to be pretty doable ("collisions" in the last section):
| https://blog.benjojo.co.uk/post/ssh-randomart-how-does-it-wo...
| Drakim wrote:
| The same question goes for how computationally expensive it is
| to generate a key that kinda-resembles a known key? If you are
| just eyeballing the key "yeah that looks like Github's key"
| when the terminal ask you, you might fall for a fake one that
| merely begins with the same characters.
|
| The neat trick is that it's others of magnitude harder to find
| a key that kinda-resembles a known key _and_ kinda-resmbles it
| 's randomart, so if both are presented at the same time, you'd
| be safer.
| comefho wrote:
| What's the point when the server, if it's one you're logging into
| regularly (or even just more than once), will already be in your
| known_hosts file? Let the computer do the checking for you.
| Eduard wrote:
| Showing the random art can help to notice if you connected to
| the wrong server by accident, e.g. Incorrectly connecting to
| staging.example.com when you actually wanted to connect to
| live.example.com
| coldpie wrote:
| Good question. Perhaps it's useful if you're logging in from
| many machines/users without populated known_hosts? So if you
| spin up a new machine and push to Github, you can recognize it
| visually by its randart which you saw many times before on
| other machines.
| csears wrote:
| Is it safe to publicly post the randomart visualization of keys
| like this?
| benjojo12 wrote:
| Yes, Not only is it a visualisation of a SHA256 hash of the
| public key, but it's hard to turn the visualisation back into a
| SHA256 hash itself.
| demodifier wrote:
| Good question. I would assume that with the visualization being
| defined by the public-key of the server, this cannot be use to
| reverse-engineer the private key. Also, the linked paper (I
| just read the summary) does try to attempt this and partially
| succeeds and talks more about the implication.
| coldpie wrote:
| I think you should treat it as posting the key itself. In other
| words, it's probably possible to transform from the randart
| back to the key (else it wouldn't be unique per key, right?).
| So for a public key that is intended to be public, yes, it
| should be fine. For keys which you do not want public, it's
| probably not a good idea to post it publicly.
| duskwuff wrote:
| It's not even a representation of the public key itself; it's
| the SHA256 fingerprint of the key. There's no practical way
| to transform that back into the key -- and, in any case, the
| server will send that key to any client that connects, so
| it's not like recovering it from a screenshot accomplishes
| anything.
| lagniappe wrote:
| I just want a random art that has shallow minerals, low savagery,
| and a temperate climate.
| folli wrote:
| Tangentially related: does any one know any nice libraries/tools
| to generate images (PNGs or whatever, doesn't need to be terminal
| compatible, colors even preferred) from hashes?
| 3-cheese-sundae wrote:
| I know of robohash: https://robohash.org
| isoprophlex wrote:
| You're looking for an Identicon, probably
|
| https://en.m.wikipedia.org/wiki/Identicon
|
| See some github repos:
|
| https://github.com/topics/identicon-generator
| folli wrote:
| Right on, that's very close to what I'm looking for! Thanks!
| jhbadger wrote:
| Maybe they could use something like Chernoff faces (a method in
| which data is converted into images of a human face on the
| grounds that people are better at distinguishing faces than other
| images).
|
| https://en.wikipedia.org/wiki/Chernoff_face
| dark-star wrote:
| How much of a face would you recognize if it is rendered with
| ASCII on a console though? Which is probably the default use-
| case for SSH for 99% of people.
| Darkphibre wrote:
| Heh... as someone with prosopagnosia, this wouldn't help too
| much. But I agree it'd help most people!!
| RamRodification wrote:
| > _All in all, I think I 'd recommend doing this. Even if the
| keys never change, it's pleasing to see the art show up in your
| terminal._
|
| If someone uses "the keys never change" as an argument against
| this, I think they have completely missed the point. (Not saying
| OP has).
| cmeacham98 wrote:
| The real argument is that if the keys change, you'll know about
| it, because OpenSSH will yell very loudly about it.
|
| The random art is intended for _first time_ connections, where
| OpenSSH has to trust your judgement of the key's legitimacy
| because it has never connected to that host before.
|
| It's not like it will hurt anything, but turning it on for
| every connection doesn't make a security difference.
| xp84 wrote:
| yeah, i guess syncing around your known_hosts file to
| everyplace you originate an ssh connection from, would make
| more of a difference. So that way you minimize the making of
| first-time connections as much as possible.
| graderjs wrote:
| I loved this!
|
| Thank you for this:
|
| _and it turns out it worked! For example, I 've started seeing
| the GitHub fingerprint (above) as something like the Statue of
| Liberty if it were a cat (don't ask why; that's just how my brain
| sees it)_
|
| Lol I'm switching this thing on!
___________________________________________________________________
(page generated 2023-02-21 23:01 UTC)