Back when I was learning to code, one of the first things I did was to create a GitHub account and add a public key to connect via SSH. When I ran ssh-keygen, I thought that the output I should paste into GitHub was this peculiar-looking thing that showed up on my terminal:
+--[ED25519 256]--+
| o.. |
| o . |
| . . . |
| . o o. .|
| . S .= o.|
| o o= o . B|
| . o R .o.. .=*|
| =.+o+..o +..=o|
| .+B*=.. . ooo+|
+----[SHA256]-----+
When I clicked save, the GitHub interface showed an error, since that is not the public key, but I was curious. Recently, while writing about SSH, I got curious and thought that this was my chance to explore what randomart is and why it exists.
Was it worth it? Not really, but it was fun. 😊
What is randomart?
Plainly, randomart is a way to inspect content visually. Yep, that’s it. Basically, if you have something that’s hard to differentiate side by side, like hex values or encrypted content, you would use randomart images to differentiate them with (ideally) one glance.
Now, keep in mind that what is called “randomart” is applied to SSH key fingerprints only, so my plain explanation is not exactly true, but I like to explain things like we are all five.
Say you have these two values,
20N5cT7sElnmVyqBCd3uMdY5f8bOuM7l and 2ONSc7TsElnVmyqBCd3uMdY5f8b0vNTI
They are quite similar to each other, but if we use randomart, the output looks like this instead,
20N5cT7sElnmVyqBCd3uMdY5f8bOuM7l becomes
+-----------------+
| Eo |
| .o. |
| oo. |
| +oo. |
| o.+S=o+*= |
| o oo+ *B.. |
| .. o+o=*=o+*|
| .oo +o*=*OX|
| .+**B==o=OE|
+---[TEXT 32]----+
and
2ONSc7TsElnVmyqBCd3uMdY5f8b0vNTI becomes
+-----------------+
| .. |
| =Eoo. |
| Oo=.. |
| .o.o =o |
| .. oS.=o |
| oo.OO.=o |
| o=o^E*==. =. |
| **=*=O*O== |
| o*oOX%X^O. |
+---[TEXT 32]----+
Which makes it much easier to catch that the two strings are, in fact, different.
We made an API where you can generate randomart from a string https://gen—randomart.diploi.me/
How randomart is generated
When you generate an SSH key pair with ssh-keygen, OpenSSH calculates a fingerprint for your new public key. The fingerprint is a hash (for example, SHA256) of the public key, usually shown as a string like:
SHA256:CmZUx6gCjQ7WdKC+...something-long...
That fingerprint is then passed to an algorithm that reads it piece by piece and, for each piece, calculates a position and a character on a grid of 9x17 cells (9 rows by 17 columns). The algorithm starts from the center of the grid.
+-----------------+
|-----------------|
|-----------------|
|-----------------|
|-----------------|
|--------+--------|
|-----------------|
|-----------------|
|-----------------|
|-----------------|
+-----------------+
The algorithm used is called “Drunken Bishop”, although in the original commit where randomart was introduced by Alexander von Gernler, he described it as “a worm crawling” and leaving traces.
So, the Drunken Bishop is a chess Bishop piece, who is drunk 😅. As the story goes, the Bishop starts walking from the center of the grid, going in random diagonals, and as it moves, it leaves a trail of coins on each cell it walks.
At the end of the walk, the algorithm checks the amount of coins in each cell to assign a character to it. For cells with no coins, the algorithm assigns a blank value.
Now, this is an oversimplification. For how the Drunken Bishop algorithm works in detail, check the paper from Dirk Loss, Tobias Limmer, and Alexander von Gernler at https://www.dirk-loss.de/sshvis/drunken_bishop.pdf.
They did a deep analysis of the algorithm, and also explored how different the original fingerprint hash values are if a randomart image looks similar to another.
You can also check the blog post from Alexander von Gernler and the original commit, where he introduces randomart to the OpenSSH standard, after being motivated by listening to a talk by Dan Kaminsky.
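The walk described above, written out as an added Python example (not code from this post or from OpenSSH itself). The grid size, the symbol string and the rule of four diagonal moves per digest byte follow OpenSSH's implementation and the paper linked above; the function names and the sample input are made up for illustration.

```python
import base64

# Constants as used by OpenSSH: 17 columns, 9 rows, one symbol per visit count.
WIDTH, HEIGHT = 17, 9
SYMBOLS = " .o+=*BOX@%&#/^SE"   # index = coins in the cell; 'S' = start, 'E' = end
MAX_COUNT = len(SYMBOLS) - 3    # ordinary cells stop counting at '^'


def digest_from_fingerprint(fp):
    """Decode the unpadded base64 after 'SHA256:' into the raw digest bytes."""
    b64 = fp.split(":", 1)[1]
    return base64.b64decode(b64 + "=" * (-len(b64) % 4))


def walk(digest):
    """Run the bishop over the digest; return a 9x17 grid of symbol indexes."""
    grid = [[0] * WIDTH for _ in range(HEIGHT)]
    x, y = WIDTH // 2, HEIGHT // 2               # start in the center cell
    for byte in digest:
        for _ in range(4):                       # 2 bits per move, low bits first
            x += 1 if byte & 1 else -1           # bit 0: right or left
            y += 1 if byte & 2 else -1           # bit 1: down or up
            x = min(max(x, 0), WIDTH - 1)        # walls stop the bishop
            y = min(max(y, 0), HEIGHT - 1)
            if grid[y][x] < MAX_COUNT:
                grid[y][x] += 1                  # drop a coin
            byte >>= 2
    grid[HEIGHT // 2][WIDTH // 2] = len(SYMBOLS) - 2   # mark start with 'S'
    grid[y][x] = len(SYMBOLS) - 1                      # mark end with 'E'
    return grid


def border(label):
    """Top or bottom frame line with the label centered between dashes."""
    left = (WIDTH - len(label)) // 2
    return "+" + "-" * left + label + "-" * (WIDTH - left - len(label)) + "+"


def randomart(digest, title="", hash_name=""):
    rows = ["|" + "".join(SYMBOLS[c] for c in row) + "|" for row in walk(digest)]
    return "\n".join([border(title), *rows, border(hash_name)])


if __name__ == "__main__":
    import hashlib
    # Constructed sample digest, not the fingerprint of a real key.
    demo = hashlib.sha256(b"constructed sample, not a real key blob").digest()
    print(randomart(demo, "[ED25519 256]", "[SHA256]"))
```

Because the end marker is written last, a walk that finishes on the center cell shows `E` there and no `S`.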
Closing thoughts
One thing to note is that you only see the randomart for a key when you create it, but you can revisit it later by adding the flags -lv to ssh-keygen. If you want to view the image for a specific public key, you can use the command ssh-keygen -lv -f <path-to-private-key>/<private-key-file>.
Additionally, you can also show the randomart image when you are connecting via SSH to a server, by running the ssh command as ssh -o VisualHostKey=yes user@your-server.
That was fun, but maybe not the most important thing to know about SSH, so if you are into the topic, definitely check our other posts going into what is SSH and how to create an SSH key-pair and connect to a server.
So that’s all from me now, I wish you a great day! 🙂↕️
References
- What is the randomart image for?
- What are SSH fingerprint randomarts and why should I care?
- Dirk Loss, Tobias Limmer, Alexander von Gernler paper reviewing the Drunken Bishop algorithm
- Blog post from Alexander von Gernler about his idea for randomart and why it was necessary
- What is SSH
- How to generate SSH keys and connect to a service
