What is an SSH key fingerprint and how is it generated?

101
I always find that I get this message when I ssh into a new machine:

    12:f8:7e:78:61:b4:bf:e2:de:24:15:96:4e:d4:72:53

What does it stand for? Will every machine have the same fingerprint every time?

How are these fingerprints generated? What parameters do they depend on?
Tags: ssh

edited Mar 18 '14 at 12:04 by Der Hochstapler
asked May 8 '12 at 14:22 by Kit Ho
4 Answers

52
The fingerprint is based on the host's public key, usually based on "/etc/ssh/ssh_host_rsa_key.pub". Generally it's for easy identification/verification of the host you are connecting to.

If the fingerprint changes, the machine you are connecting to has changed its public key. This may not be a bad thing (happens from re-installing ssh), but it could also indicate that you are connecting to a different machine at the same domain/IP (happens when you are connecting through something like a load balancer) or that you are being targeted with a man-in-the-middle attack, where the attacker is somehow intercepting/rerouting your ssh connection to connect to a different host which could be snooping your user/pw.

Bottom line: if you get warned of a changed fingerprint, be cautious and double check that you're actually connecting to the correct host over a secure connection. Though most of the time this is harmless, it can be an indication of a potential issue.

See: http://www.lysium.de/blog/index.php?/archives/186-How-to-get-ssh-server-fingerprint-information.html

and: http://en.wikipedia.org/wiki/Public_key_fingerprint

answered May 8 '12 at 14:41 by madmaze, edited Aug 5 '14 at 0:04

• "...be cautious and double check that you're actually connecting to the correct host over a secure connection" -- stupid question, but how can you do this easily?
  – Savara, Aug 10 '15 at 11:00

• @Savara When you are connecting to an SSH server which you did not connect to before, you should request the public key of the SSH server from the server admin. The server admin will give you a piece of text. You should append this text to the file ~/.ssh/known_hosts. This way, when you connect to the server, your SSH client will recognize this server, since you have saved its public key to known_hosts. Hence, actually you should never say "yes" when the SSH client tells you "The authenticity of the host cannot be established". You should always add the public key of the server beforehand.
  – Utku, Mar 24 '17 at 16:06

• @Savara If you do this, you will know that something fishy is going on when your SSH client tells you "The authenticity of the client cannot be established" or when it tells you "The public key of the server has been changed". Hence, you should always add the public key of the server to your ~/.ssh/known_hosts file beforehand and never say yes when your SSH client tells you "The authenticity of the client cannot be established" or when it tells you "The public key of the server has been changed".
  – Utku, Mar 24 '17 at 16:09

• Yeah, I'm fully aware of how the mechanics of viewing SSH fingerprints works, but a large percentage of the time you don't have the option to get the fingerprint through another channel. TOFU is sadly the best we often get.
  – Savara, Mar 25 '17 at 17:55

• Is there a way to check the authenticity even after answering "yes"?
  – exchange, Mar 3 '18 at 11:27
83

You can generate a fingerprint for a public key using ssh-keygen like so:

    ssh-keygen -lf /path/to/key.pub

Concrete example (if you use an RSA public key):

    $ ssh-keygen -lf ~/.ssh/id_rsa.pub
    2048 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff /Users/username/.ssh/id_rsa.pub (RSA)

The first part (2048) is the key length in bits, the second part (00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff) is the fingerprint of the public key and the third part is the location of the public key file itself.

• Do you know how to translate from that public key into this format: 12:f8:7e:78:61:b4:bf:e2:de:24:15:96:4e:d4:72:53?
  – Kit Ho, Jul 24 '12 at 16:37

• @KitHo I'm not sure if I understand your question. I updated the example, as I think ssh-keygen -lf will do what you want.
  – Benjamin Oakes, Jul 24 '12 at 18:53

• When SSH-ing into a new machine, what one sees is not a user's pubkey fingerprint, but the host's pubkey fingerprint. So a better example for the question's context is ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub. It shows the fingerprint that is also shown on SSH logins to localhost.
  – tanius, Aug 25 '14 at 0:26

• My ssh-keygen reported sha256 fingerprints. In order to get md5 fingerprints I ran ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub. #archlinux
  – Justin C, Oct 28 '15 at 22:03

• (@JustinC) OpenSSH versions 6.8 (March 2015) and up changed to SHA256, displayed in base64 rather than hex, by default. For the client use ssh -o FingerprintHash=md5 or the equivalent in ssh_config and on things that use ssh like scp.
  – dave_thompson_085, Jun 12 '16 at 19:36
60

The fingerprint is the MD5 over the binary data within the Base64-encoded public key.

    $ ssh-keygen -f foo
    Generating public/private rsa key pair.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in foo.
    Your public key has been saved in foo.pub.
    The key fingerprint is:
    65:30:38:96:35:56:4f:64:64:e8:e3:a4:7d:59:3e:19 andrew@localhost
    The key's randomart image is:
    +--[ RSA 2048]----+
    | +*..+* |
    | =. +.= |
    | . . .o . |
    | o+ E |
    | S= . + o |
    | . o o + |
    | . . |
    | |
    | |
    +-----------------+
    $ cat foo.pub
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEbKq5U57fhzQ3SBbs3NVmgY2ouYZfPhc6cXBNEFpRT3T100fnbkYw+EHi76nwsp+uGxk08kh4GG881DrgotptrJj2dJxXpWp/SFdVu5S9fFU6l6dCTC9IBYYCCV8PvXbBZ3oDZyyyJT7/vXSaUdbk3x9MeNlYrgItm2KY6MdHYEg8R994Sspn1sE4Ydey5DfG/WNWVrzFCI0sWI3yj4zuCcUXFz9sEG8fIYikD9rNuohiMenWjkj6oLTwZGVW2q4wRL0051XBkmfnPD/H6gqOML9MbZQ8D6/+az0yF9oD61SkifhBNBRRNaIab/Np7XD61siR8zNMG/vCKjFGICnp andrew@localhost
    $ echo 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDEbKq5U57fhzQ3SBbs3NVmgY2ouYZfPhc6cXBNEFpRT3T100fnbkYw+EHi76nwsp+uGxk08kh4GG881DrgotptrJj2dJxXpWp/SFdVu5S9fFU6l6dCTC9IBYYCCV8PvXbBZ3oDZyyyJT7/vXSaUdbk3x9MeNlYrgItm2KY6MdHYEg8R994Sspn1sE4Ydey5DfG/WNWVrzFCI0sWI3yj4zuCcUXFz9sEG8fIYikD9rNuohiMenWjkj6oLTwZGVW2q4wRL0051XBkmfnPD/H6gqOML9MbZQ8D6/+az0yF9oD61SkifhBNBRRNaIab/Np7XD61siR8zNMG/vCKjFGICnp' | base64 -D | md5
    6530389635564f6464e8e3a47d593e19

The md5sum 6530389635564f6464e8e3a47d593e19 is the fingerprint displayed when the key is generated, only without the separating colons.

However, if you're dealing with the fingerprints that Amazon shows in the EC2 Key Pairs console, unfortunately that may be a different beast. If it's a 32-digit hex string, it's the standard MD5 SSH public key fingerprint above. But if it's 40 hex digits, it's actually a fingerprint computed by taking the SHA1 of the private key in PKCS#8 format:

    $ openssl pkcs8 -in foo -nocrypt -topk8 -outform DER | openssl sha1 -c
    e2:77:39:d3:53:a7:62:68:5f:da:82:0e:99:61:30:64:a2:88:c4:58

• I found this answer helpful in the following scenario. Your system uses SHA1 to calculate the fingerprint, but your friend's uses md5. I shared a fingerprint which was SHA1 and it didn't match the MD5 her system generated. This helped - thank you! sed 's|^ssh-rsa ||' /etc/ssh/ssh_host_rsa_key.pub |sed 's|==.*$|==|' |base64 -d| md5sum
  – Liczyrzepa, Jun 5 '15 at 19:25

• This is highly relevant in understanding why this fingerprint will not match those in DNS SSHFP records, because they use SHA-1 or SHA-256 digests.
  – neirbowj, Dec 30 '15 at 21:28

• @Liczyrzepa the publickey field may or may not have '==' at the end depending on the key type and bitsize; safer and IMO easier to use awk '{print $2}' /path/to/keyfile.pub or similar.
  – dave_thompson_085, Jun 12 '16 at 19:41

• This is the only answer that explains how the fingerprint is calculated.
  – greuze, Sep 29 '16 at 14:34

• However in Linux Mint the command is: cat id_rsa.pub | cut -d' ' -f2 | base64 -d | md5sum
  – greuze, Sep 29 '16 at 14:40
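The computation this answer describes, as an added example that is not code from the original post or from OpenSSH: it base64-decodes the blob from a *.pub line, hashes it as MD5 (the colon-hex form shown above) and as SHA-256 (the base64 "SHA256:" form dave_thompson_085 mentions for OpenSSH 6.8+), and parses the blob's SSH wire format to check that the declared key type matches the one embedded in the blob. The sample key is constructed and is not a real key; `matches` is a hypothetical helper illustrating the "double check" advice in the first answer, for comparing a fingerprint obtained out of band against a key line.

```python
"""OpenSSH public-key fingerprints, computed as the answer above describes.

Added example, not code from the original post. Input is one line in the
*.pub / authorized_keys format ("<type> <base64 blob> [comment]"); known_hosts
lines carry a leading hostname field that must be stripped first.
"""
import base64
import hashlib
import struct
from typing import Dict, List, Tuple


def parse_pubkey_line(line: str) -> Tuple[str, bytes, str]:
    """Split 'ssh-rsa AAAA... comment' into (key_type, blob, comment)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    comment = parts[2] if len(parts) == 3 else ""
    # validate=True rejects stray characters instead of silently skipping them
    return parts[0], base64.b64decode(parts[1], validate=True), comment


def read_ssh_strings(blob: bytes) -> List[bytes]:
    """Decode the SSH wire format: a run of (uint32 big-endian length, bytes) fields."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            raise ValueError("field runs past the end of the blob")
        fields.append(blob[pos:pos + n])
        pos += n
    return fields


def md5_fingerprint(blob: bytes) -> str:
    """Legacy (pre-OpenSSH 6.8) format: 16 hex bytes joined by colons."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH 6.8+ format: 'SHA256:' plus base64 of the digest, '=' padding dropped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprints(line: str) -> Dict[str, str]:
    """Both fingerprints of a key line, after checking the blob is self-consistent.

    The first wire-format field inside the blob is the key type. If it differs from
    the type at the front of the line, the line is corrupt or was edited: refuse
    rather than fingerprint something OpenSSH would not load either.
    """
    key_type, blob, comment = parse_pubkey_line(line)
    embedded_type = read_ssh_strings(blob)[0].decode("ascii", errors="replace")
    if embedded_type != key_type:
        raise ValueError(f"declared type {key_type!r} != embedded {embedded_type!r}")
    return {"type": key_type, "comment": comment,
            "md5": md5_fingerprint(blob), "sha256": sha256_fingerprint(blob)}


def matches(line: str, expected: str) -> bool:
    """Hypothetical helper: compare an out-of-band fingerprint (either format) with a key line.

    Accepts 'MD5:aa:bb:...', bare colon-hex, or 'SHA256:...' with or without '=' padding.
    """
    fp = fingerprints(line)
    want = expected.strip()
    if want.upper().startswith("MD5:"):
        want = want[4:]
    return want.lower() == fp["md5"] or want.rstrip("=") == fp["sha256"]


def build_rsa_blob(e: int, n: int) -> bytes:
    """Encode an ssh-rsa blob: string "ssh-rsa", mpint e, mpint n (RFC 4253)."""
    def ssh_string(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b

    def ssh_mpint(x: int) -> bytes:
        # one extra leading byte when the top bit would be set keeps the mpint positive
        return ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))

    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


# Constructed sample: e=65537 and a made-up modulus, so the example runs offline.
# It is NOT a real key; pass a real *.pub line to fingerprints() instead.
SAMPLE_BLOB = build_rsa_blob(65537, int.from_bytes(b"constructed-demo-modulus-" * 10, "big"))
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode("ascii") + " andrew@localhost"

if __name__ == "__main__":
    for name, value in fingerprints(SAMPLE_LINE).items():
        print(f"{name:8}{value}")
    print("matches own md5:", matches(SAMPLE_LINE, md5_fingerprint(SAMPLE_BLOB)))
```

Run it against /etc/ssh/ssh_host_rsa_key.pub on the server and the MD5 line equals what `ssh-keygen -l -E md5 -f` prints, the SHA256 line what current `ssh-keygen -lf` prints.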



















0

    ssh-keygen -r host.name.com

will output the fingerprints for all configured public keys on an sshd instance. These can then be put into DNS SSHFP records.






          share|improve this answer























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "3"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f421997%2fwhat-is-a-ssh-key-fingerprint-and-how-is-it-generated%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            4 Answers
            4






            active

            oldest

            votes








            4 Answers
            4






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            52














            The fingerprint is based on the Host's Public key, usually based on "/etc/ssh/ssh_host_rsa_key.pub"
            Generally its for easy identification/verification of the host you are connecting to.



            If the fingerprint changes, the machine you are connecting to has changed their public key. This may not be a bad thing(happens from re-installing ssh), but it could also indicate that you are connecting to a different machine at the same domain/IP(happens when you are connecting through something like load balancer) or that you are being targeted with a man-in-the-middle attack, where the attacker is somehow intercepting/rerouting your ssh connection to connect to a different host which could be snooping your user/pw.



            Bottom line: if you get warned of a changed fingerprint, be cautious and double check that you're actually connecting to the correct host over a secure connection. Though most of the time this is harmless, it can be an indication of a potential issue



            See: http://www.lysium.de/blog/index.php?/archives/186-How-to-get-ssh-server-fingerprint-information.html

            and: http://en.wikipedia.org/wiki/Public_key_fingerprint






            share|improve this answer





















            • 5





              "...be cautious and double check that you're actually connecting to the correct host over a secure connection" -- stupid question, but how can you do this easily?

              – Savara
              Aug 10 '15 at 11:00






            • 1





              @Savara When you are connecting to an SSH server which you did not connect before, you should request the public key of the SSH server from the server admin. The server admin will give you a piece of text. You should append this text to the file ~/.ssh/known_hosts. This way, when you connect to the server, your SSH client will recognize this server, since you have saved its public key to known_hosts. Hence, actually you should never say "yes" when the SSH client tells you "The authenticity of the host cannot be established". You should always add the public key of the server beforehand.

              – Utku
              Mar 24 '17 at 16:06











            • @Savara If you do this, you will know that something fishy is going on when your SSH client tells you "The authenticity of the client cannot be established" or when it tells you "The public key of the server has been changed". Hence, you should always add the public key of the server to your ~/.ssh/known_hosts file beforehand and never say yes when your SSH client tells you "The authenticity of the client cannot be established" or when it tells you "The public key of the server has been changed".

              – Utku
              Mar 24 '17 at 16:09






            • 2





              Yeah, I'm fully aware of how the mechanics of viewing SSH fingerprints works, but a large percentage of the time you don't have the option to get the fingerprint through another channel. TOFU is sadly the best we often get.

              – Savara
              Mar 25 '17 at 17:55













            • Is there a way to check the authenticity even after answering "yes"?

              – exchange
              Mar 3 '18 at 11:27
















            52














            The fingerprint is based on the Host's Public key, usually based on "/etc/ssh/ssh_host_rsa_key.pub"
            Generally its for easy identification/verification of the host you are connecting to.



            If the fingerprint changes, the machine you are connecting to has changed their public key. This may not be a bad thing(happens from re-installing ssh), but it could also indicate that you are connecting to a different machine at the same domain/IP(happens when you are connecting through something like load balancer) or that you are being targeted with a man-in-the-middle attack, where the attacker is somehow intercepting/rerouting your ssh connection to connect to a different host which could be snooping your user/pw.



            Bottom line: if you get warned of a changed fingerprint, be cautious and double check that you're actually connecting to the correct host over a secure connection. Though most of the time this is harmless, it can be an indication of a potential issue



            See: http://www.lysium.de/blog/index.php?/archives/186-How-to-get-ssh-server-fingerprint-information.html

            and: http://en.wikipedia.org/wiki/Public_key_fingerprint






            share|improve this answer





















            • 5





              "...be cautious and double check that you're actually connecting to the correct host over a secure connection" -- stupid question, but how can you do this easily?

              – Savara
              Aug 10 '15 at 11:00






            • 1





              @Savara When you are connecting to an SSH server which you did not connect before, you should request the public key of the SSH server from the server admin. The server admin will give you a piece of text. You should append this text to the file ~/.ssh/known_hosts. This way, when you connect to the server, your SSH client will recognize this server, since you have saved its public key to known_hosts. Hence, actually you should never say "yes" when the SSH client tells you "The authenticity of the host cannot be established". You should always add the public key of the server beforehand.

              – Utku
              Mar 24 '17 at 16:06











            • @Savara If you do this, you will know that something fishy is going on when your SSH client tells you "The authenticity of the client cannot be established" or when it tells you "The public key of the server has been changed". Hence, you should always add the public key of the server to your ~/.ssh/known_hosts file beforehand and never say yes when your SSH client tells you "The authenticity of the client cannot be established" or when it tells you "The public key of the server has been changed".

              – Utku
              Mar 24 '17 at 16:09






            • 2





              Yeah, I'm fully aware of how the mechanics of viewing SSH fingerprints works, but a large percentage of the time you don't have the option to get the fingerprint through another channel. TOFU is sadly the best we often get.

              – Savara
              Mar 25 '17 at 17:55













            • Is there a way to check the authenticity even after answering "yes"?

              – exchange
              Mar 3 '18 at 11:27














            52












            52








            52







            The fingerprint is based on the Host's Public key, usually based on "/etc/ssh/ssh_host_rsa_key.pub"
            Generally its for easy identification/verification of the host you are connecting to.



            If the fingerprint changes, the machine you are connecting to has changed their public key. This may not be a bad thing(happens from re-installing ssh), but it could also indicate that you are connecting to a different machine at the same domain/IP(happens when you are connecting through something like load balancer) or that you are being targeted with a man-in-the-middle attack, where the attacker is somehow intercepting/rerouting your ssh connection to connect to a different host which could be snooping your user/pw.



            Bottom line: if you get warned of a changed fingerprint, be cautious and double check that you're actually connecting to the correct host over a secure connection. Though most of the time this is harmless, it can be an indication of a potential issue



            See: http://www.lysium.de/blog/index.php?/archives/186-How-to-get-ssh-server-fingerprint-information.html

            and: http://en.wikipedia.org/wiki/Public_key_fingerprint






            share|improve this answer















            The fingerprint is based on the Host's Public key, usually based on "/etc/ssh/ssh_host_rsa_key.pub"
            Generally its for easy identification/verification of the host you are connecting to.



            If the fingerprint changes, the machine you are connecting to has changed their public key. This may not be a bad thing(happens from re-installing ssh), but it could also indicate that you are connecting to a different machine at the same domain/IP(happens when you are connecting through something like load balancer) or that you are being targeted with a man-in-the-middle attack, where the attacker is somehow intercepting/rerouting your ssh connection to connect to a different host which could be snooping your user/pw.



            Bottom line: if you get warned of a changed fingerprint, be cautious and double check that you're actually connecting to the correct host over a secure connection. Though most of the time this is harmless, it can be an indication of a potential issue



            See: http://www.lysium.de/blog/index.php?/archives/186-How-to-get-ssh-server-fingerprint-information.html

            and: http://en.wikipedia.org/wiki/Public_key_fingerprint







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Aug 5 '14 at 0:04

























            answered May 8 '12 at 14:41









            madmazemadmaze

            2,75722543




            2,75722543








            • 5





              "...be cautious and double check that you're actually connecting to the correct host over a secure connection" -- stupid question, but how can you do this easily?

              – Savara
              Aug 10 '15 at 11:00






            • 1





              @Savara When you are connecting to an SSH server which you did not connect before, you should request the public key of the SSH server from the server admin. The server admin will give you a piece of text. You should append this text to the file ~/.ssh/known_hosts. This way, when you connect to the server, your SSH client will recognize this server, since you have saved its public key to known_hosts. Hence, actually you should never say "yes" when the SSH client tells you "The authenticity of the host cannot be established". You should always add the public key of the server beforehand.

              – Utku
              Mar 24 '17 at 16:06











            • @Savara If you do this, you will know that something fishy is going on when your SSH client tells you "The authenticity of the client cannot be established" or when it tells you "The public key of the server has been changed". Hence, you should always add the public key of the server to your ~/.ssh/known_hosts file beforehand and never say yes when your SSH client tells you "The authenticity of the client cannot be established" or when it tells you "The public key of the server has been changed".

              – Utku
              Mar 24 '17 at 16:09






            • 2





              Yeah, I'm fully aware of how the mechanics of viewing SSH fingerprints works, but a large percentage of the time you don't have the option to get the fingerprint through another channel. TOFU is sadly the best we often get.

              – Savara
              Mar 25 '17 at 17:55













            • Is there a way to check the authenticity even after answering "yes"?

              – exchange
              Mar 3 '18 at 11:27














            • 5





              "...be cautious and double check that you're actually connecting to the correct host over a secure connection" -- stupid question, but how can you do this easily?

              – Savara
              Aug 10 '15 at 11:00






            • 1





              @Savara When you are connecting to an SSH server which you did not connect before, you should request the public key of the SSH server from the server admin. The server admin will give you a piece of text. You should append this text to the file ~/.ssh/known_hosts. This way, when you connect to the server, your SSH client will recognize this server, since you have saved its public key to known_hosts. Hence, actually you should never say "yes" when the SSH client tells you "The authenticity of the host cannot be established". You should always add the public key of the server beforehand.

              – Utku
              Mar 24 '17 at 16:06











            • @Savara If you do this, you will know that something fishy is going on when your SSH client tells you "The authenticity of the client cannot be established" or when it tells you "The public key of the server has been changed". Hence, you should always add the public key of the server to your ~/.ssh/known_hosts file beforehand and never say yes when your SSH client tells you "The authenticity of the client cannot be established" or when it tells you "The public key of the server has been changed".

              – Utku
              Mar 24 '17 at 16:09






            • 2





              Yeah, I'm fully aware of how the mechanics of viewing SSH fingerprints works, but a large percentage of the time you don't have the option to get the fingerprint through another channel. TOFU is sadly the best we often get.

              – Savara
              Mar 25 '17 at 17:55













            • Is there a way to check the authenticity even after answering "yes"?

              – exchange
              Mar 3 '18 at 11:27








            5




            5





            "...be cautious and double check that you're actually connecting to the correct host over a secure connection" -- stupid question, but how can you do this easily?

            – Savara
            Aug 10 '15 at 11:00





            "...be cautious and double check that you're actually connecting to the correct host over a secure connection" -- stupid question, but how can you do this easily?

            – Savara
            Aug 10 '15 at 11:00




            1




            1





            @Savara When you are connecting to an SSH server which you did not connect before, you should request the public key of the SSH server from the server admin. The server admin will give you a piece of text. You should append this text to the file ~/.ssh/known_hosts. This way, when you connect to the server, your SSH client will recognize this server, since you have saved its public key to known_hosts. Hence, actually you should never say "yes" when the SSH client tells you "The authenticity of the host cannot be established". You should always add the public key of the server beforehand.

            – Utku
            Mar 24 '17 at 16:06





            @Savara When you are connecting to an SSH server which you did not connect before, you should request the public key of the SSH server from the server admin. The server admin will give you a piece of text. You should append this text to the file ~/.ssh/known_hosts. This way, when you connect to the server, your SSH client will recognize this server, since you have saved its public key to known_hosts. Hence, actually you should never say "yes" when the SSH client tells you "The authenticity of the host cannot be established". You should always add the public key of the server beforehand.

            – Utku
            Mar 24 '17 at 16:06













            @Savara If you do this, you will know that something fishy is going on when your SSH client tells you "The authenticity of the client cannot be established" or when it tells you "The public key of the server has been changed". Hence, you should always add the public key of the server to your ~/.ssh/known_hosts file beforehand and never say yes when your SSH client tells you "The authenticity of the client cannot be established" or when it tells you "The public key of the server has been changed".

            – Utku
            Mar 24 '17 at 16:09





            @Savara If you do this, you will know that something fishy is going on when your SSH client tells you "The authenticity of the client cannot be established" or when it tells you "The public key of the server has been changed". Hence, you should always add the public key of the server to your ~/.ssh/known_hosts file beforehand and never say yes when your SSH client tells you "The authenticity of the client cannot be established" or when it tells you "The public key of the server has been changed".

            – Utku
            Mar 24 '17 at 16:09




            2




            2





            Yeah, I'm fully aware of how the mechanics of viewing SSH fingerprints works, but a large percentage of the time you don't have the option to get the fingerprint through another channel. TOFU is sadly the best we often get.

            – Savara
            Mar 25 '17 at 17:55







            Yeah, I'm fully aware of how the mechanics of viewing SSH fingerprints works, but a large percentage of the time you don't have the option to get the fingerprint through another channel. TOFU is sadly the best we often get.

            – Savara
            Mar 25 '17 at 17:55















            Is there a way to check the authenticity even after answering "yes"?

            – exchange
            Mar 3 '18 at 11:27





            Is there a way to check the authenticity even after answering "yes"?

            – exchange
            Mar 3 '18 at 11:27













            83














            You can generate a fingerprint for a public key using ssh-keygen like so:



            ssh-keygen -lf /path/to/key.pub


            Concrete example (if you use an RSA public key):



            $ ssh-keygen -lf ~/.ssh/id_rsa.pub
            2048 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff /Users/username/.ssh/id_rsa.pub (RSA)


            The first part (2048) is the key length in bits, second part (00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff) is the fingerprint of the public key and the third part is location of the public key file itself.






edited Jan 13 '14 at 15:22 by Kevin Panko
answered Jul 24 '12 at 16:26 by Benjamin Oakes

• Do you know how to translate into 12:f8:7e:78:61:b4:bf:e2:de:24:15:96:4e:d4:72:53 this format from that public key? – Kit Ho, Jul 24 '12 at 16:37

• @KitHo I'm not sure if I understand your question. I updated the example, as I think ssh-keygen -lf will do what you want. – Benjamin Oakes, Jul 24 '12 at 18:53

• When SSH-ing into a new machine, what one sees is not a user's pubkey fingerprint, but the host's pubkey fingerprint. So a better example for the question's context is ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub. It shows the fingerprint that is also shown on SSH logins to localhost. – tanius, Aug 25 '14 at 0:26

• My ssh-keygen reported sha256 fingerprints. In order to get md5 fingerprints I ran ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub. #archlinux – Justin C, Oct 28 '15 at 22:03

• (@JustinC) OpenSSH versions 6.8 (March 2015) and up changed to SHA256, displayed in base64 rather than hex, by default. For the client use ssh -o FingerprintHash=md5 or the equivalent in ssh_config and on things that use ssh like scp. – dave_thompson_085, Jun 12 '16 at 19:36

60

            The fingerprint is the MD5 over the binary data within the Base64-encoded public key.



            $ ssh-keygen -f foo
            Generating public/private rsa key pair.
            Enter passphrase (empty for no passphrase):
            Enter same passphrase again:
            Your identification has been saved in foo.
            Your public key has been saved in foo.pub.
            The key fingerprint is:
            65:30:38:96:35:56:4f:64:64:e8:e3:a4:7d:59:3e:19 andrew@localhost
            The key's randomart image is:
            +--[ RSA 2048]----+
            | +*..+* |
            | =. +.= |
            | . . .o . |
            | o+ E |
            | S= . + o |
            | . o o + |
            | . . |
            | |
            | |
            +-----------------+
            $ cat foo.pub
            ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEbKq5U57fhzQ3SBbs3NVmgY2ouYZfPhc6cXBNEFpRT3T100fnbkYw+EHi76nwsp+uGxk08kh4GG881DrgotptrJj2dJxXpWp/SFdVu5S9fFU6l6dCTC9IBYYCCV8PvXbBZ3oDZyyyJT7/vXSaUdbk3x9MeNlYrgItm2KY6MdHYEg8R994Sspn1sE4Ydey5DfG/WNWVrzFCI0sWI3yj4zuCcUXFz9sEG8fIYikD9rNuohiMenWjkj6oLTwZGVW2q4wRL0051XBkmfnPD/H6gqOML9MbZQ8D6/+az0yF9oD61SkifhBNBRRNaIab/Np7XD61siR8zNMG/vCKjFGICnp andrew@localhost
            $ echo 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDEbKq5U57fhzQ3SBbs3NVmgY2ouYZfPhc6cXBNEFpRT3T100fnbkYw+EHi76nwsp+uGxk08kh4GG881DrgotptrJj2dJxXpWp/SFdVu5S9fFU6l6dCTC9IBYYCCV8PvXbBZ3oDZyyyJT7/vXSaUdbk3x9MeNlYrgItm2KY6MdHYEg8R994Sspn1sE4Ydey5DfG/WNWVrzFCI0sWI3yj4zuCcUXFz9sEG8fIYikD9rNuohiMenWjkj6oLTwZGVW2q4wRL0051XBkmfnPD/H6gqOML9MbZQ8D6/+az0yF9oD61SkifhBNBRRNaIab/Np7XD61siR8zNMG/vCKjFGICnp'
            | base64 -D | md5
            6530389635564f6464e8e3a47d593e19


The md5sum 6530389635564f6464e8e3a47d593e19 is the fingerprint displayed when the key is generated, only without the separating colons.





However, if you’re dealing with the fingerprints that Amazon shows in the EC2 Key Pairs console, unfortunately that may be a different beast. If it’s a 32-digit hex string, it’s the standard MD5 SSH public key fingerprint above. But if it’s 40 hex digits, it’s actually a fingerprint computed by taking the SHA1 of the private key in PKCS#8 format:



            $ openssl pkcs8 -in foo -nocrypt -topk8 -outform DER | openssl sha1 -c
            e2:77:39:d3:53:a7:62:68:5f:da:82:0e:99:61:30:64:a2:88:c4:58





edited Jan 14 at 1:15 by Maarten Bodewes
answered Feb 8 '14 at 20:40 by andrew.n

• I found this answer helpful in the following scenario. Your system uses SHA1 to calculate the fingerprint, but your friend's uses md5. I shared a fingerprint which was SHA1 and it didn't match the MD5 her system generated. This helped - thank you! sed 's|^ssh-rsa ||' /etc/ssh/ssh_host_rsa_key.pub |sed 's|==.*$|==|' |base64 -d| md5sum – Liczyrzepa, Jun 5 '15 at 19:25

• This is highly relevant in understanding why this fingerprint will not match those in DNS SSHFP records, because they use SHA-1 or SHA-256 digests. – neirbowj, Dec 30 '15 at 21:28

• @Liczyrzepa the publickey field may or may not have '==' at the end depending on the key type and bitsize; safer and IMO easier to use awk '{print $2}' /path/to/keyfile.pub or similar. – dave_thompson_085, Jun 12 '16 at 19:41

• This is the only answer that explains how the fingerprint is calculated. – greuze, Sep 29 '16 at 14:34

• However in Linux Mint the command is: cat id_rsa.pub | cut -d' ' -f2 | base64 -d | md5sum – greuze, Sep 29 '16 at 14:40

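As an added example (not code from andrew.n's answer, the comments, or OpenSSH itself), the Python below does in code what the base64/md5 pipeline above does by hand and extends it to the other formats mentioned on this page: the legacy MD5 colon-hex fingerprint, the SHA256 base64 form that is the default since OpenSSH 6.8, and the SHA-1/SHA-256 hex digests that go into DNS SSHFP records (the lines ssh-keygen -r prints, see Mike Schroll's answer below). The sample key line is the one from this answer; host.name.com is a placeholder hostname, and the wire-format parsing (RFC 4251 strings) is written here for illustration.

```python
"""Reproduce the OpenSSH fingerprint formats from a public key line.

Added example, not code from any of the answers: it shows which bytes a
fingerprint is computed over (only the base64-decoded key blob, never the
key-type word or the trailing comment) and derives the MD5, SHA256 and
SSHFP forms that the answers and comments above mention.
"""
import base64
import hashlib
import struct

# Public key line copied from andrew.n's answer (RSA 2048); ssh-keygen
# showed its MD5 fingerprint as 65:30:38:96:35:56:4f:64:64:e8:e3:a4:7d:59:3e:19.
SAMPLE_PUBKEY_LINE = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQDEbKq5U57fhzQ3SBbs3NVmgY2ouYZf"
    "Phc6cXBNEFpRT3T100fnbkYw+EHi76nwsp+uGxk08kh4GG881DrgotptrJj2"
    "dJxXpWp/SFdVu5S9fFU6l6dCTC9IBYYCCV8PvXbBZ3oDZyyyJT7/vXSaUdbk"
    "3x9MeNlYrgItm2KY6MdHYEg8R994Sspn1sE4Ydey5DfG/WNWVrzFCI0sWI3y"
    "j4zuCcUXFz9sEG8fIYikD9rNuohiMenWjkj6oLTwZGVW2q4wRL0051XBkmfn"
    "PD/H6gqOML9MbZQ8D6/+az0yF9oD61SkifhBNBRRNaIab/Np7XD61siR8zNM"
    "G/vCKjFGICnp"
    " andrew@localhost"
)

# SSHFP algorithm numbers (RFC 4255, 6594, 7479).
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ssh-ed25519": 4}


def key_blob(pubkey_line: str) -> bytes:
    """Second field of a .pub / known_hosts style line, base64-decoded:
    what `awk '{print $2}' key.pub | base64 -d` in the comments yields."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64 blob> [comment]'")
    return base64.b64decode(fields[1], validate=True)


def _read_string(buf: bytes, pos: int):
    """Read one RFC 4251 'string': 4-byte big-endian length, then bytes."""
    if pos + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    end = pos + 4 + length
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[pos + 4:end], end


def parse_blob(blob: bytes) -> dict:
    """Decode enough of the wire format to report key type and size. The
    blob starts with the key-type string; for ssh-rsa the mpints e and n
    follow, and the bit length of n is what ssh-keygen -l prints first."""
    key_type, pos = _read_string(blob, 0)
    info = {"type": key_type.decode("ascii")}
    if info["type"] == "ssh-rsa":
        e, pos = _read_string(blob, pos)
        n, pos = _read_string(blob, pos)
        info["e"] = int.from_bytes(e, "big")
        info["bits"] = int.from_bytes(n, "big").bit_length()
    return info


def md5_fingerprint(blob: bytes) -> str:
    """Legacy form (OpenSSH < 6.8, or -E md5): MD5 as colon-separated hex."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """Default since OpenSSH 6.8: 'SHA256:' + unpadded base64 of SHA-256."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def sshfp_record(hostname: str, pubkey_line: str, fptype: int = 2) -> str:
    """Build the DNS SSHFP line that `ssh-keygen -r <host>` prints:
    algorithm number, fingerprint type (1 = SHA-1, 2 = SHA-256), hex digest."""
    blob = key_blob(pubkey_line)
    key_type = parse_blob(blob)["type"]
    if key_type not in SSHFP_ALGORITHM:
        raise ValueError(f"no SSHFP algorithm number for {key_type}")
    digest = {1: hashlib.sha1, 2: hashlib.sha256}[fptype](blob).hexdigest()
    return f"{hostname} IN SSHFP {SSHFP_ALGORITHM[key_type]} {fptype} {digest}"


if __name__ == "__main__":
    blob = key_blob(SAMPLE_PUBKEY_LINE)
    info = parse_blob(blob)
    print(f"{info['bits']} {md5_fingerprint(blob)} ({info['type']})")
    print(f"{info['bits']} {sha256_fingerprint(blob)} ({info['type']})")
    # host.name.com is a placeholder hostname, as in Mike Schroll's answer.
    print(sshfp_record("host.name.com", SAMPLE_PUBKEY_LINE))
```

Because only the decoded blob is hashed, the same key with a different comment, or copied from a known_hosts line, yields the same fingerprint; what changes between machines and OpenSSH versions is only the digest and display format.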
0

            ssh-keygen -r host.name.com


            Will output the fingerprints for all configured public keys on an sshd instance.



            These can then be put into DNS SSHFP records.






answered Nov 26 '17 at 4:32 by Mike Schroll





























