What is a SSH key fingerprint and how is it generated?












101















I always find that I get this message when I ssh into a new machine:



12:f8:7e:78:61:b4:bf:e2:de:24:15:96:4e:d4:72:53


What does it stand for? Will every machine have the same fingerprint every time?



How are these fingerprints generated? What parameters do they depend on?










share|improve this question





























    101















    I always find that I get this message when I ssh into a new machine:



    12:f8:7e:78:61:b4:bf:e2:de:24:15:96:4e:d4:72:53


    What does it stand for? Will every machine have the same fingerprint every time?



    How are these fingerprints generated? What parameters do they depend on?










    share|improve this question



























      101












      101








      101


      37






      I always find that I get this message when I ssh into a new machine:



      12:f8:7e:78:61:b4:bf:e2:de:24:15:96:4e:d4:72:53


      What does it stand for? Will every machine have the same fingerprint every time?



      How are these fingerprints generated? What parameters do they depend on?










      share|improve this question
















      I always find that I get this message when I ssh into a new machine:



      12:f8:7e:78:61:b4:bf:e2:de:24:15:96:4e:d4:72:53


      What does it stand for? Will every machine have the same fingerprint every time?



      How are these fingerprints generated? What parameters do they depend on?







      ssh






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Mar 18 '14 at 12:04









      Der Hochstapler

      67.6k49230284




      67.6k49230284










      asked May 8 '12 at 14:22









      Kit HoKit Ho

      1,44732241




      1,44732241






















          4 Answers
          4






          active

          oldest

          votes


















          52














          The fingerprint is based on the Host's Public key, usually based on "/etc/ssh/ssh_host_rsa_key.pub"
          Generally its for easy identification/verification of the host you are connecting to.



          If the fingerprint changes, the machine you are connecting to has changed their public key. This may not be a bad thing(happens from re-installing ssh), but it could also indicate that you are connecting to a different machine at the same domain/IP(happens when you are connecting through something like load balancer) or that you are being targeted with a man-in-the-middle attack, where the attacker is somehow intercepting/rerouting your ssh connection to connect to a different host which could be snooping your user/pw.



          Bottom line: if you get warned of a changed fingerprint, be cautious and double check that you're actually connecting to the correct host over a secure connection. Though most of the time this is harmless, it can be an indication of a potential issue



          See: http://www.lysium.de/blog/index.php?/archives/186-How-to-get-ssh-server-fingerprint-information.html

          and: http://en.wikipedia.org/wiki/Public_key_fingerprint






          share|improve this answer





















          • 5





            "...be cautious and double check that you're actually connecting to the correct host over a secure connection" -- stupid question, but how can you do this easily?

            – Savara
            Aug 10 '15 at 11:00






          • 1





            @Savara When you are connecting to an SSH server which you did not connect before, you should request the public key of the SSH server from the server admin. The server admin will give you a piece of text. You should append this text to the file ~/.ssh/known_hosts. This way, when you connect to the server, your SSH client will recognize this server, since you have saved its public key to known_hosts. Hence, actually you should never say "yes" when the SSH client tells you "The authenticity of the host cannot be established". You should always add the public key of the server beforehand.

            – Utku
            Mar 24 '17 at 16:06











          • @Savara If you do this, you will know that something fishy is going on when your SSH client tells you "The authenticity of the client cannot be established" or when it tells you "The public key of the server has been changed". Hence, you should always add the public key of the server to your ~/.ssh/known_hosts file beforehand and never say yes when your SSH client tells you "The authenticity of the client cannot be established" or when it tells you "The public key of the server has been changed".

            – Utku
            Mar 24 '17 at 16:09






          • 2





            Yeah, I'm fully aware of how the mechanics of viewing SSH fingerprints works, but a large percentage of the time you don't have the option to get the fingerprint through another channel. TOFU is sadly the best we often get.

            – Savara
            Mar 25 '17 at 17:55













          • Is there a way to check the authenticity even after answering "yes"?

            – exchange
            Mar 3 '18 at 11:27



















          83














          You can generate a fingerprint for a public key using ssh-keygen like so:



          ssh-keygen -lf /path/to/key.pub


          Concrete example (if you use an RSA public key):



          $ ssh-keygen -lf ~/.ssh/id_rsa.pub
          2048 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff /Users/username/.ssh/id_rsa.pub (RSA)


          The first part (2048) is the key length in bits, second part (00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff) is the fingerprint of the public key and the third part is location of the public key file itself.






          share|improve this answer


























          • do u know how to translate into 12:f8:7e:78:61:b4:bf:e2:de:24:15:96:4e:d4:72:53 this format from that public key?

            – Kit Ho
            Jul 24 '12 at 16:37











          • @KitHo I'm not sure if I understand your question. I updated the example, as I think ssh-keygen -lf will do what you want.

            – Benjamin Oakes
            Jul 24 '12 at 18:53






          • 5





            When SSH-ing into a new machine, what one sees is not a user's pubkey fingerprint, but the host's pubkey fingerprint. So a better example for the question's context is ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub. It shows the fingerprint that is also shown on SSH logins to localhost.

            – tanius
            Aug 25 '14 at 0:26








          • 37





            My ssh-keygen reported sha256 fingerprints. In order to get md5 fingerprints I ran ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub. #archlinux

            – Justin C
            Oct 28 '15 at 22:03






          • 5





            (@JustinC) OpenSSH versions 6.8 (March 2015) and up changed to SHA256, displayed in base64 rather than hex, by default. For the client use ssh -o FingerprintHash=md5 or the equivalent in ssh_config and on things that use ssh like scp.

            – dave_thompson_085
            Jun 12 '16 at 19:36





















          60














          The fingerprint is the MD5 over the binary data within the Base64-encoded public key.



          $ ssh-keygen -f foo
          Generating public/private rsa key pair.
          Enter passphrase (empty for no passphrase):
          Enter same passphrase again:
          Your identification has been saved in foo.
          Your public key has been saved in foo.pub.
          The key fingerprint is:
          65:30:38:96:35:56:4f:64:64:e8:e3:a4:7d:59:3e:19 andrew@localhost
          The key's randomart image is:
          +--[ RSA 2048]----+
          | +*..+* |
          | =. +.= |
          | . . .o . |
          | o+ E |
          | S= . + o |
          | . o o + |
          | . . |
          | |
          | |
          +-----------------+
          $ cat foo.pub
          ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEbKq5U57fhzQ3SBbs3NVmgY2ouYZfPhc6cXBNEFpRT3T100fnbkYw+EHi76nwsp+uGxk08kh4GG881DrgotptrJj2dJxXpWp/SFdVu5S9fFU6l6dCTC9IBYYCCV8PvXbBZ3oDZyyyJT7/vXSaUdbk3x9MeNlYrgItm2KY6MdHYEg8R994Sspn1sE4Ydey5DfG/WNWVrzFCI0sWI3yj4zuCcUXFz9sEG8fIYikD9rNuohiMenWjkj6oLTwZGVW2q4wRL0051XBkmfnPD/H6gqOML9MbZQ8D6/+az0yF9oD61SkifhBNBRRNaIab/Np7XD61siR8zNMG/vCKjFGICnp andrew@localhost
          $ echo 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDEbKq5U57fhzQ3SBbs3NVmgY2ouYZfPhc6cXBNEFpRT3T100fnbkYw+EHi76nwsp+uGxk08kh4GG881DrgotptrJj2dJxXpWp/SFdVu5S9fFU6l6dCTC9IBYYCCV8PvXbBZ3oDZyyyJT7/vXSaUdbk3x9MeNlYrgItm2KY6MdHYEg8R994Sspn1sE4Ydey5DfG/WNWVrzFCI0sWI3yj4zuCcUXFz9sEG8fIYikD9rNuohiMenWjkj6oLTwZGVW2q4wRL0051XBkmfnPD/H6gqOML9MbZQ8D6/+az0yF9oD61SkifhBNBRRNaIab/Np7XD61siR8zNMG/vCKjFGICnp'
          | base64 -D | md5
          6530389635564f6464e8e3a47d593e19


          The md5sum 6530389635564f6464e8e3a47d593e19 is the fingerprint displayed when
          the key is generated, only without the separating colons.





          However, if you’re dealing with the fingerprints that Amazon shows in the EC2 Key Pairs console,
          unfortunately that may be a different beast. If it’s a 32-digit hex string, it’s the standard MD5 SSH public key fingerprint above. But if it’s 40 hex digits, it’s actually a fingerprint computed by taking the SHA1 of the private key in PKCS#8 format:



          $ openssl pkcs8 -in foo -nocrypt -topk8 -outform DER | openssl sha1 -c
          e2:77:39:d3:53:a7:62:68:5f:da:82:0e:99:61:30:64:a2:88:c4:58





          share|improve this answer





















          • 1





            I found this answer helpful in the following scenario. Your system uses SHA1 to calculate the fingerprint, but your friend's uses md5. I shared a fingerprint which was SHA1 and it didn't match the MD5 her system generated. This helped - thank you! sed 's|^ssh-rsa ||' /etc/ssh/ssh_host_rsa_key.pub |sed 's|==.*$|==|' |base64 -d| md5sum

            – Liczyrzepa
            Jun 5 '15 at 19:25













          • This is highly relevant in understanding why this fingerprint will not match those in DNS SSHFP records, because they use SHA-1 or SHA-256 digests.

            – neirbowj
            Dec 30 '15 at 21:28






          • 1





            @Liczyrzepa the publickey field may or may not have '==' at the end depending on the key type and bitsize; safer and IMO easier to use awk '{print $2}' /path/to/keyfile.pub or similar.

            – dave_thompson_085
            Jun 12 '16 at 19:41






          • 10





            This is the only answer that explains how the fingerprint is calculated

            – greuze
            Sep 29 '16 at 14:34






          • 1





            However in Linux Mint the command is: cat id_rsa.pub | cut -d' ' -f2 | base64 -d | md5sum

            – greuze
            Sep 29 '16 at 14:40



















          0














          ssh-keygen -r host.name.com


          Will output the fingerprints for all configured public keys on an sshd instance.



          These can then be put into DNS SSHFP records.






          share|improve this answer























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "3"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f421997%2fwhat-is-a-ssh-key-fingerprint-and-how-is-it-generated%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            4 Answers
            4






            active

            oldest

            votes








            4 Answers
            4






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            52














            The fingerprint is based on the Host's Public key, usually based on "/etc/ssh/ssh_host_rsa_key.pub"
            Generally its for easy identification/verification of the host you are connecting to.



            If the fingerprint changes, the machine you are connecting to has changed their public key. This may not be a bad thing(happens from re-installing ssh), but it could also indicate that you are connecting to a different machine at the same domain/IP(happens when you are connecting through something like load balancer) or that you are being targeted with a man-in-the-middle attack, where the attacker is somehow intercepting/rerouting your ssh connection to connect to a different host which could be snooping your user/pw.



            Bottom line: if you get warned of a changed fingerprint, be cautious and double check that you're actually connecting to the correct host over a secure connection. Though most of the time this is harmless, it can be an indication of a potential issue



            See: http://www.lysium.de/blog/index.php?/archives/186-How-to-get-ssh-server-fingerprint-information.html

            and: http://en.wikipedia.org/wiki/Public_key_fingerprint






            share|improve this answer





















            • 5





              "...be cautious and double check that you're actually connecting to the correct host over a secure connection" -- stupid question, but how can you do this easily?

              – Savara
              Aug 10 '15 at 11:00






            • 1





              @Savara When you are connecting to an SSH server which you did not connect before, you should request the public key of the SSH server from the server admin. The server admin will give you a piece of text. You should append this text to the file ~/.ssh/known_hosts. This way, when you connect to the server, your SSH client will recognize this server, since you have saved its public key to known_hosts. Hence, actually you should never say "yes" when the SSH client tells you "The authenticity of the host cannot be established". You should always add the public key of the server beforehand.

              – Utku
              Mar 24 '17 at 16:06











            • @Savara If you do this, you will know that something fishy is going on when your SSH client tells you "The authenticity of the client cannot be established" or when it tells you "The public key of the server has been changed". Hence, you should always add the public key of the server to your ~/.ssh/known_hosts file beforehand and never say yes when your SSH client tells you "The authenticity of the client cannot be established" or when it tells you "The public key of the server has been changed".

              – Utku
              Mar 24 '17 at 16:09






            • 2





              Yeah, I'm fully aware of how the mechanics of viewing SSH fingerprints works, but a large percentage of the time you don't have the option to get the fingerprint through another channel. TOFU is sadly the best we often get.

              – Savara
              Mar 25 '17 at 17:55













            • Is there a way to check the authenticity even after answering "yes"?

              – exchange
              Mar 3 '18 at 11:27
















            52














            The fingerprint is based on the Host's Public key, usually based on "/etc/ssh/ssh_host_rsa_key.pub"
            Generally its for easy identification/verification of the host you are connecting to.



            If the fingerprint changes, the machine you are connecting to has changed their public key. This may not be a bad thing(happens from re-installing ssh), but it could also indicate that you are connecting to a different machine at the same domain/IP(happens when you are connecting through something like load balancer) or that you are being targeted with a man-in-the-middle attack, where the attacker is somehow intercepting/rerouting your ssh connection to connect to a different host which could be snooping your user/pw.



            Bottom line: if you get warned of a changed fingerprint, be cautious and double check that you're actually connecting to the correct host over a secure connection. Though most of the time this is harmless, it can be an indication of a potential issue



            See: http://www.lysium.de/blog/index.php?/archives/186-How-to-get-ssh-server-fingerprint-information.html

            and: http://en.wikipedia.org/wiki/Public_key_fingerprint






            share|improve this answer





















            • 5





              "...be cautious and double check that you're actually connecting to the correct host over a secure connection" -- stupid question, but how can you do this easily?

              – Savara
              Aug 10 '15 at 11:00






            • 1





              @Savara When you are connecting to an SSH server which you did not connect before, you should request the public key of the SSH server from the server admin. The server admin will give you a piece of text. You should append this text to the file ~/.ssh/known_hosts. This way, when you connect to the server, your SSH client will recognize this server, since you have saved its public key to known_hosts. Hence, actually you should never say "yes" when the SSH client tells you "The authenticity of the host cannot be established". You should always add the public key of the server beforehand.

              – Utku
              Mar 24 '17 at 16:06











            • @Savara If you do this, you will know that something fishy is going on when your SSH client tells you "The authenticity of the client cannot be established" or when it tells you "The public key of the server has been changed". Hence, you should always add the public key of the server to your ~/.ssh/known_hosts file beforehand and never say yes when your SSH client tells you "The authenticity of the client cannot be established" or when it tells you "The public key of the server has been changed".

              – Utku
              Mar 24 '17 at 16:09






            • 2





              Yeah, I'm fully aware of how the mechanics of viewing SSH fingerprints works, but a large percentage of the time you don't have the option to get the fingerprint through another channel. TOFU is sadly the best we often get.

              – Savara
              Mar 25 '17 at 17:55













            • Is there a way to check the authenticity even after answering "yes"?

              – exchange
              Mar 3 '18 at 11:27














            52












            52








            52







            The fingerprint is based on the Host's Public key, usually based on "/etc/ssh/ssh_host_rsa_key.pub"
            Generally its for easy identification/verification of the host you are connecting to.



            If the fingerprint changes, the machine you are connecting to has changed their public key. This may not be a bad thing(happens from re-installing ssh), but it could also indicate that you are connecting to a different machine at the same domain/IP(happens when you are connecting through something like load balancer) or that you are being targeted with a man-in-the-middle attack, where the attacker is somehow intercepting/rerouting your ssh connection to connect to a different host which could be snooping your user/pw.



            Bottom line: if you get warned of a changed fingerprint, be cautious and double check that you're actually connecting to the correct host over a secure connection. Though most of the time this is harmless, it can be an indication of a potential issue



            See: http://www.lysium.de/blog/index.php?/archives/186-How-to-get-ssh-server-fingerprint-information.html

            and: http://en.wikipedia.org/wiki/Public_key_fingerprint






            share|improve this answer















            The fingerprint is based on the Host's Public key, usually based on "/etc/ssh/ssh_host_rsa_key.pub"
            Generally its for easy identification/verification of the host you are connecting to.



            If the fingerprint changes, the machine you are connecting to has changed their public key. This may not be a bad thing(happens from re-installing ssh), but it could also indicate that you are connecting to a different machine at the same domain/IP(happens when you are connecting through something like load balancer) or that you are being targeted with a man-in-the-middle attack, where the attacker is somehow intercepting/rerouting your ssh connection to connect to a different host which could be snooping your user/pw.



            Bottom line: if you get warned of a changed fingerprint, be cautious and double check that you're actually connecting to the correct host over a secure connection. Though most of the time this is harmless, it can be an indication of a potential issue



            See: http://www.lysium.de/blog/index.php?/archives/186-How-to-get-ssh-server-fingerprint-information.html

            and: http://en.wikipedia.org/wiki/Public_key_fingerprint







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Aug 5 '14 at 0:04

























            answered May 8 '12 at 14:41









            madmazemadmaze

            2,75722543




            2,75722543








            • 5





              "...be cautious and double check that you're actually connecting to the correct host over a secure connection" -- stupid question, but how can you do this easily?

              – Savara
              Aug 10 '15 at 11:00






            • 1





              @Savara When you are connecting to an SSH server which you did not connect before, you should request the public key of the SSH server from the server admin. The server admin will give you a piece of text. You should append this text to the file ~/.ssh/known_hosts. This way, when you connect to the server, your SSH client will recognize this server, since you have saved its public key to known_hosts. Hence, actually you should never say "yes" when the SSH client tells you "The authenticity of the host cannot be established". You should always add the public key of the server beforehand.

              – Utku
              Mar 24 '17 at 16:06











            • @Savara If you do this, you will know that something fishy is going on when your SSH client tells you "The authenticity of the client cannot be established" or when it tells you "The public key of the server has been changed". Hence, you should always add the public key of the server to your ~/.ssh/known_hosts file beforehand and never say yes when your SSH client tells you "The authenticity of the client cannot be established" or when it tells you "The public key of the server has been changed".

              – Utku
              Mar 24 '17 at 16:09






            • 2





              Yeah, I'm fully aware of how the mechanics of viewing SSH fingerprints works, but a large percentage of the time you don't have the option to get the fingerprint through another channel. TOFU is sadly the best we often get.

              – Savara
              Mar 25 '17 at 17:55













            • Is there a way to check the authenticity even after answering "yes"?

              – exchange
              Mar 3 '18 at 11:27














            • 5





              "...be cautious and double check that you're actually connecting to the correct host over a secure connection" -- stupid question, but how can you do this easily?

              – Savara
              Aug 10 '15 at 11:00






            • 1





              @Savara When you are connecting to an SSH server which you did not connect before, you should request the public key of the SSH server from the server admin. The server admin will give you a piece of text. You should append this text to the file ~/.ssh/known_hosts. This way, when you connect to the server, your SSH client will recognize this server, since you have saved its public key to known_hosts. Hence, actually you should never say "yes" when the SSH client tells you "The authenticity of the host cannot be established". You should always add the public key of the server beforehand.

              – Utku
              Mar 24 '17 at 16:06











            • @Savara If you do this, you will know that something fishy is going on when your SSH client tells you "The authenticity of the client cannot be established" or when it tells you "The public key of the server has been changed". Hence, you should always add the public key of the server to your ~/.ssh/known_hosts file beforehand and never say yes when your SSH client tells you "The authenticity of the client cannot be established" or when it tells you "The public key of the server has been changed".

              – Utku
              Mar 24 '17 at 16:09






            • 2





              Yeah, I'm fully aware of how the mechanics of viewing SSH fingerprints works, but a large percentage of the time you don't have the option to get the fingerprint through another channel. TOFU is sadly the best we often get.

              – Savara
              Mar 25 '17 at 17:55













            • Is there a way to check the authenticity even after answering "yes"?

              – exchange
              Mar 3 '18 at 11:27








            5




            5





            "...be cautious and double check that you're actually connecting to the correct host over a secure connection" -- stupid question, but how can you do this easily?

            – Savara
            Aug 10 '15 at 11:00





            "...be cautious and double check that you're actually connecting to the correct host over a secure connection" -- stupid question, but how can you do this easily?

            – Savara
            Aug 10 '15 at 11:00




            1




            1





            @Savara When you are connecting to an SSH server which you did not connect before, you should request the public key of the SSH server from the server admin. The server admin will give you a piece of text. You should append this text to the file ~/.ssh/known_hosts. This way, when you connect to the server, your SSH client will recognize this server, since you have saved its public key to known_hosts. Hence, actually you should never say "yes" when the SSH client tells you "The authenticity of the host cannot be established". You should always add the public key of the server beforehand.

            – Utku
            Mar 24 '17 at 16:06





            @Savara When you are connecting to an SSH server which you did not connect before, you should request the public key of the SSH server from the server admin. The server admin will give you a piece of text. You should append this text to the file ~/.ssh/known_hosts. This way, when you connect to the server, your SSH client will recognize this server, since you have saved its public key to known_hosts. Hence, actually you should never say "yes" when the SSH client tells you "The authenticity of the host cannot be established". You should always add the public key of the server beforehand.

            – Utku
            Mar 24 '17 at 16:06













            @Savara If you do this, you will know that something fishy is going on when your SSH client tells you "The authenticity of the client cannot be established" or when it tells you "The public key of the server has been changed". Hence, you should always add the public key of the server to your ~/.ssh/known_hosts file beforehand and never say yes when your SSH client tells you "The authenticity of the client cannot be established" or when it tells you "The public key of the server has been changed".

            – Utku
            Mar 24 '17 at 16:09





            @Savara If you do this, you will know that something fishy is going on when your SSH client tells you "The authenticity of the client cannot be established" or when it tells you "The public key of the server has been changed". Hence, you should always add the public key of the server to your ~/.ssh/known_hosts file beforehand and never say yes when your SSH client tells you "The authenticity of the client cannot be established" or when it tells you "The public key of the server has been changed".

            – Utku
            Mar 24 '17 at 16:09




            2




            2





            Yeah, I'm fully aware of how the mechanics of viewing SSH fingerprints works, but a large percentage of the time you don't have the option to get the fingerprint through another channel. TOFU is sadly the best we often get.

            – Savara
            Mar 25 '17 at 17:55







            Yeah, I'm fully aware of how the mechanics of viewing SSH fingerprints works, but a large percentage of the time you don't have the option to get the fingerprint through another channel. TOFU is sadly the best we often get.

            – Savara
            Mar 25 '17 at 17:55















            Is there a way to check the authenticity even after answering "yes"?

            – exchange
            Mar 3 '18 at 11:27





            Is there a way to check the authenticity even after answering "yes"?

            – exchange
            Mar 3 '18 at 11:27













            83














            You can generate a fingerprint for a public key using ssh-keygen like so:



            ssh-keygen -lf /path/to/key.pub


            Concrete example (if you use an RSA public key):



            $ ssh-keygen -lf ~/.ssh/id_rsa.pub
            2048 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff /Users/username/.ssh/id_rsa.pub (RSA)


            The first part (2048) is the key length in bits, second part (00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff) is the fingerprint of the public key and the third part is location of the public key file itself.






            share|improve this answer


























            • do u know how to translate into 12:f8:7e:78:61:b4:bf:e2:de:24:15:96:4e:d4:72:53 this format from that public key?

              – Kit Ho
              Jul 24 '12 at 16:37











            • @KitHo I'm not sure if I understand your question. I updated the example, as I think ssh-keygen -lf will do what you want.

              – Benjamin Oakes
              Jul 24 '12 at 18:53






            • 5





              When SSH-ing into a new machine, what one sees is not a user's pubkey fingerprint, but the host's pubkey fingerprint. So a better example for the question's context is ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub. It shows the fingerprint that is also shown on SSH logins to localhost.

              – tanius
              Aug 25 '14 at 0:26








            • 37





              My ssh-keygen reported sha256 fingerprints. In order to get md5 fingerprints I ran ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub. #archlinux

              – Justin C
              Oct 28 '15 at 22:03






            • 5





              (@JustinC) OpenSSH versions 6.8 (March 2015) and up changed to SHA256, displayed in base64 rather than hex, by default. For the client use ssh -o FingerprintHash=md5 or the equivalent in ssh_config and on things that use ssh like scp.

              – dave_thompson_085
              Jun 12 '16 at 19:36


















            83














            You can generate a fingerprint for a public key using ssh-keygen like so:



            ssh-keygen -lf /path/to/key.pub


            Concrete example (if you use an RSA public key):



            $ ssh-keygen -lf ~/.ssh/id_rsa.pub
            2048 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff /Users/username/.ssh/id_rsa.pub (RSA)


            The first part (2048) is the key length in bits, second part (00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff) is the fingerprint of the public key and the third part is location of the public key file itself.






            share|improve this answer


























            • do u know how to translate into 12:f8:7e:78:61:b4:bf:e2:de:24:15:96:4e:d4:72:53 this format from that public key?

              – Kit Ho
              Jul 24 '12 at 16:37











            • @KitHo I'm not sure if I understand your question. I updated the example, as I think ssh-keygen -lf will do what you want.

              – Benjamin Oakes
              Jul 24 '12 at 18:53






            • 5





              When SSH-ing into a new machine, what one sees is not a user's pubkey fingerprint, but the host's pubkey fingerprint. So a better example for the question's context is ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub. It shows the fingerprint that is also shown on SSH logins to localhost.

              – tanius
              Aug 25 '14 at 0:26








            • 37





              My ssh-keygen reported sha256 fingerprints. In order to get md5 fingerprints I ran ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub. #archlinux

              – Justin C
              Oct 28 '15 at 22:03






            • 5





              (@JustinC) OpenSSH versions 6.8 (March 2015) and up changed to SHA256, displayed in base64 rather than hex, by default. For the client use ssh -o FingerprintHash=md5 or the equivalent in ssh_config and on things that use ssh like scp.

              – dave_thompson_085
              Jun 12 '16 at 19:36
















            83












            83








            83







            You can generate a fingerprint for a public key using ssh-keygen like so:



            ssh-keygen -lf /path/to/key.pub


            Concrete example (if you use an RSA public key):



            $ ssh-keygen -lf ~/.ssh/id_rsa.pub
            2048 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff /Users/username/.ssh/id_rsa.pub (RSA)


            The first part (2048) is the key length in bits, second part (00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff) is the fingerprint of the public key and the third part is location of the public key file itself.






            share|improve this answer















            You can generate a fingerprint for a public key using ssh-keygen like so:



            ssh-keygen -lf /path/to/key.pub


            Concrete example (if you use an RSA public key):



            $ ssh-keygen -lf ~/.ssh/id_rsa.pub
            2048 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff /Users/username/.ssh/id_rsa.pub (RSA)


            The first part (2048) is the key length in bits, second part (00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff) is the fingerprint of the public key and the third part is location of the public key file itself.







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Jan 13 '14 at 15:22









            Kevin Panko

            5,899113648




            5,899113648










            answered Jul 24 '12 at 16:26









            Benjamin OakesBenjamin Oakes

            1,70221629




            1,70221629













            • do u know how to translate into 12:f8:7e:78:61:b4:bf:e2:de:24:15:96:4e:d4:72:53 this format from that public key?

              – Kit Ho
              Jul 24 '12 at 16:37











            • @KitHo I'm not sure if I understand your question. I updated the example, as I think ssh-keygen -lf will do what you want.

              – Benjamin Oakes
              Jul 24 '12 at 18:53






            • 5





              When SSH-ing into a new machine, what one sees is not a user's pubkey fingerprint, but the host's pubkey fingerprint. So a better example for the question's context is ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub. It shows the fingerprint that is also shown on SSH logins to localhost.

              – tanius
              Aug 25 '14 at 0:26








            • 37





              My ssh-keygen reported sha256 fingerprints. In order to get md5 fingerprints I ran ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub. #archlinux

              – Justin C
              Oct 28 '15 at 22:03






            • 5





              (@JustinC) OpenSSH versions 6.8 (March 2015) and up changed to SHA256, displayed in base64 rather than hex, by default. For the client use ssh -o FingerprintHash=md5 or the equivalent in ssh_config and on things that use ssh like scp.

              – dave_thompson_085
              Jun 12 '16 at 19:36





















            • do u know how to translate into 12:f8:7e:78:61:b4:bf:e2:de:24:15:96:4e:d4:72:53 this format from that public key?

              – Kit Ho
              Jul 24 '12 at 16:37











            • @KitHo I'm not sure if I understand your question. I updated the example, as I think ssh-keygen -lf will do what you want.

              – Benjamin Oakes
              Jul 24 '12 at 18:53






            • 5





              When SSH-ing into a new machine, what one sees is not a user's pubkey fingerprint, but the host's pubkey fingerprint. So a better example for the question's context is ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub. It shows the fingerprint that is also shown on SSH logins to localhost.

              – tanius
              Aug 25 '14 at 0:26








            • 37





              My ssh-keygen reported sha256 fingerprints. In order to get md5 fingerprints I ran ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub. #archlinux

              – Justin C
              Oct 28 '15 at 22:03






            • 5





              (@JustinC) OpenSSH versions 6.8 (March 2015) and up changed to SHA256, displayed in base64 rather than hex, by default. For the client use ssh -o FingerprintHash=md5 or the equivalent in ssh_config and on things that use ssh like scp.

              – dave_thompson_085
              Jun 12 '16 at 19:36



















            do u know how to translate into 12:f8:7e:78:61:b4:bf:e2:de:24:15:96:4e:d4:72:53 this format from that public key?

            – Kit Ho
            Jul 24 '12 at 16:37





            do u know how to translate into 12:f8:7e:78:61:b4:bf:e2:de:24:15:96:4e:d4:72:53 this format from that public key?

            – Kit Ho
            Jul 24 '12 at 16:37













            @KitHo I'm not sure if I understand your question. I updated the example, as I think ssh-keygen -lf will do what you want.

            – Benjamin Oakes
            Jul 24 '12 at 18:53





            @KitHo I'm not sure if I understand your question. I updated the example, as I think ssh-keygen -lf will do what you want.

            – Benjamin Oakes
            Jul 24 '12 at 18:53




            5




            5





            When SSH-ing into a new machine, what one sees is not a user's pubkey fingerprint, but the host's pubkey fingerprint. So a better example for the question's context is ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub. It shows the fingerprint that is also shown on SSH logins to localhost.

            – tanius
            Aug 25 '14 at 0:26







            When SSH-ing into a new machine, what one sees is not a user's pubkey fingerprint, but the host's pubkey fingerprint. So a better example for the question's context is ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub. It shows the fingerprint that is also shown on SSH logins to localhost.

            – tanius
            Aug 25 '14 at 0:26






            37




            37





            My ssh-keygen reported sha256 fingerprints. In order to get md5 fingerprints I ran ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub. #archlinux

            – Justin C
            Oct 28 '15 at 22:03





            My ssh-keygen reported sha256 fingerprints. In order to get md5 fingerprints I ran ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub. #archlinux

            – Justin C
            Oct 28 '15 at 22:03




            5




            5





            (@JustinC) OpenSSH versions 6.8 (March 2015) and up changed to SHA256, displayed in base64 rather than hex, by default. For the client use ssh -o FingerprintHash=md5 or the equivalent in ssh_config and on things that use ssh like scp.

            – dave_thompson_085
            Jun 12 '16 at 19:36







            (@JustinC) OpenSSH versions 6.8 (March 2015) and up changed to SHA256, displayed in base64 rather than hex, by default. For the client use ssh -o FingerprintHash=md5 or the equivalent in ssh_config and on things that use ssh like scp.

            – dave_thompson_085
            Jun 12 '16 at 19:36













            60














            The fingerprint is the MD5 over the binary data within the Base64-encoded public key.



            $ ssh-keygen -f foo
            Generating public/private rsa key pair.
            Enter passphrase (empty for no passphrase):
            Enter same passphrase again:
            Your identification has been saved in foo.
            Your public key has been saved in foo.pub.
            The key fingerprint is:
            65:30:38:96:35:56:4f:64:64:e8:e3:a4:7d:59:3e:19 andrew@localhost
            The key's randomart image is:
            +--[ RSA 2048]----+
            | +*..+* |
            | =. +.= |
            | . . .o . |
            | o+ E |
            | S= . + o |
            | . o o + |
            | . . |
            | |
            | |
            +-----------------+
            $ cat foo.pub
            ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEbKq5U57fhzQ3SBbs3NVmgY2ouYZfPhc6cXBNEFpRT3T100fnbkYw+EHi76nwsp+uGxk08kh4GG881DrgotptrJj2dJxXpWp/SFdVu5S9fFU6l6dCTC9IBYYCCV8PvXbBZ3oDZyyyJT7/vXSaUdbk3x9MeNlYrgItm2KY6MdHYEg8R994Sspn1sE4Ydey5DfG/WNWVrzFCI0sWI3yj4zuCcUXFz9sEG8fIYikD9rNuohiMenWjkj6oLTwZGVW2q4wRL0051XBkmfnPD/H6gqOML9MbZQ8D6/+az0yF9oD61SkifhBNBRRNaIab/Np7XD61siR8zNMG/vCKjFGICnp andrew@localhost
            $ echo 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDEbKq5U57fhzQ3SBbs3NVmgY2ouYZfPhc6cXBNEFpRT3T100fnbkYw+EHi76nwsp+uGxk08kh4GG881DrgotptrJj2dJxXpWp/SFdVu5S9fFU6l6dCTC9IBYYCCV8PvXbBZ3oDZyyyJT7/vXSaUdbk3x9MeNlYrgItm2KY6MdHYEg8R994Sspn1sE4Ydey5DfG/WNWVrzFCI0sWI3yj4zuCcUXFz9sEG8fIYikD9rNuohiMenWjkj6oLTwZGVW2q4wRL0051XBkmfnPD/H6gqOML9MbZQ8D6/+az0yF9oD61SkifhBNBRRNaIab/Np7XD61siR8zNMG/vCKjFGICnp'
            | base64 -D | md5
            6530389635564f6464e8e3a47d593e19


            The md5sum 6530389635564f6464e8e3a47d593e19 is the fingerprint displayed when
            the key is generated, only without the separating colons.





            However, if you’re dealing with the fingerprints that Amazon shows in the EC2 Key Pairs console,
            unfortunately that may be a different beast. If it’s a 32-digit hex string, it’s the standard MD5 SSH public key fingerprint above. But if it’s 40 hex digits, it’s actually a fingerprint computed by taking the SHA1 of the private key in PKCS#8 format:



            $ openssl pkcs8 -in foo -nocrypt -topk8 -outform DER | openssl sha1 -c
            e2:77:39:d3:53:a7:62:68:5f:da:82:0e:99:61:30:64:a2:88:c4:58





            share|improve this answer





















            • 1





              I found this answer helpful in the following scenario. Your system uses SHA1 to calculate the fingerprint, but your friend's uses md5. I shared a fingerprint which was SHA1 and it didn't match the MD5 her system generated. This helped - thank you! sed 's|^ssh-rsa ||' /etc/ssh/ssh_host_rsa_key.pub |sed 's|==.*$|==|' |base64 -d| md5sum

              – Liczyrzepa
              Jun 5 '15 at 19:25













            • This is highly relevant in understanding why this fingerprint will not match those in DNS SSHFP records, because they use SHA-1 or SHA-256 digests.

              – neirbowj
              Dec 30 '15 at 21:28






            • 1





              @Liczyrzepa the publickey field may or may not have '==' at the end depending on the key type and bitsize; safer and IMO easier to use awk '{print $2}' /path/to/keyfile.pub or similar.

              – dave_thompson_085
              Jun 12 '16 at 19:41






            • 10





              This is the only answer that explains how the fingerprint is calculated

              – greuze
              Sep 29 '16 at 14:34






            • 1





              However in Linux Mint the command is: cat id_rsa.pub | cut -d' ' -f2 | base64 -d | md5sum

              – greuze
              Sep 29 '16 at 14:40
















            60














            The fingerprint is the MD5 over the binary data within the Base64-encoded public key.



            $ ssh-keygen -f foo
            Generating public/private rsa key pair.
            Enter passphrase (empty for no passphrase):
            Enter same passphrase again:
            Your identification has been saved in foo.
            Your public key has been saved in foo.pub.
            The key fingerprint is:
            65:30:38:96:35:56:4f:64:64:e8:e3:a4:7d:59:3e:19 andrew@localhost
            The key's randomart image is:
            +--[ RSA 2048]----+
            | +*..+* |
            | =. +.= |
            | . . .o . |
            | o+ E |
            | S= . + o |
            | . o o + |
            | . . |
            | |
            | |
            +-----------------+
            $ cat foo.pub
            ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEbKq5U57fhzQ3SBbs3NVmgY2ouYZfPhc6cXBNEFpRT3T100fnbkYw+EHi76nwsp+uGxk08kh4GG881DrgotptrJj2dJxXpWp/SFdVu5S9fFU6l6dCTC9IBYYCCV8PvXbBZ3oDZyyyJT7/vXSaUdbk3x9MeNlYrgItm2KY6MdHYEg8R994Sspn1sE4Ydey5DfG/WNWVrzFCI0sWI3yj4zuCcUXFz9sEG8fIYikD9rNuohiMenWjkj6oLTwZGVW2q4wRL0051XBkmfnPD/H6gqOML9MbZQ8D6/+az0yF9oD61SkifhBNBRRNaIab/Np7XD61siR8zNMG/vCKjFGICnp andrew@localhost
            $ echo 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDEbKq5U57fhzQ3SBbs3NVmgY2ouYZfPhc6cXBNEFpRT3T100fnbkYw+EHi76nwsp+uGxk08kh4GG881DrgotptrJj2dJxXpWp/SFdVu5S9fFU6l6dCTC9IBYYCCV8PvXbBZ3oDZyyyJT7/vXSaUdbk3x9MeNlYrgItm2KY6MdHYEg8R994Sspn1sE4Ydey5DfG/WNWVrzFCI0sWI3yj4zuCcUXFz9sEG8fIYikD9rNuohiMenWjkj6oLTwZGVW2q4wRL0051XBkmfnPD/H6gqOML9MbZQ8D6/+az0yF9oD61SkifhBNBRRNaIab/Np7XD61siR8zNMG/vCKjFGICnp'
            | base64 -D | md5
            6530389635564f6464e8e3a47d593e19


            The md5sum 6530389635564f6464e8e3a47d593e19 is the fingerprint displayed when
            the key is generated, only without the separating colons.





            However, if you’re dealing with the fingerprints that Amazon shows in the EC2 Key Pairs console,
            unfortunately that may be a different beast. If it’s a 32-digit hex string, it’s the standard MD5 SSH public key fingerprint above. But if it’s 40 hex digits, it’s actually a fingerprint computed by taking the SHA1 of the private key in PKCS#8 format:



            $ openssl pkcs8 -in foo -nocrypt -topk8 -outform DER | openssl sha1 -c
            e2:77:39:d3:53:a7:62:68:5f:da:82:0e:99:61:30:64:a2:88:c4:58





            share|improve this answer





















            • 1





              I found this answer helpful in the following scenario. Your system uses SHA1 to calculate the fingerprint, but your friend's uses md5. I shared a fingerprint which was SHA1 and it didn't match the MD5 her system generated. This helped - thank you! sed 's|^ssh-rsa ||' /etc/ssh/ssh_host_rsa_key.pub |sed 's|==.*$|==|' |base64 -d| md5sum

              – Liczyrzepa
              Jun 5 '15 at 19:25













            • This is highly relevant in understanding why this fingerprint will not match those in DNS SSHFP records, because they use SHA-1 or SHA-256 digests.

              – neirbowj
              Dec 30 '15 at 21:28






            • 1





              @Liczyrzepa the publickey field may or may not have '==' at the end depending on the key type and bitsize; safer and IMO easier to use awk '{print $2}' /path/to/keyfile.pub or similar.

              – dave_thompson_085
              Jun 12 '16 at 19:41






            • 10





              This is the only answer that explains how the fingerprint is calculated

              – greuze
              Sep 29 '16 at 14:34






            • 1





              However in Linux Mint the command is: cat id_rsa.pub | cut -d' ' -f2 | base64 -d | md5sum

              – greuze
              Sep 29 '16 at 14:40














            60












            60








            60







            The fingerprint is the MD5 over the binary data within the Base64-encoded public key.



            $ ssh-keygen -f foo
            Generating public/private rsa key pair.
            Enter passphrase (empty for no passphrase):
            Enter same passphrase again:
            Your identification has been saved in foo.
            Your public key has been saved in foo.pub.
            The key fingerprint is:
            65:30:38:96:35:56:4f:64:64:e8:e3:a4:7d:59:3e:19 andrew@localhost
            The key's randomart image is:
            +--[ RSA 2048]----+
            | +*..+* |
            | =. +.= |
            | . . .o . |
            | o+ E |
            | S= . + o |
            | . o o + |
            | . . |
            | |
            | |
            +-----------------+
            $ cat foo.pub
            ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEbKq5U57fhzQ3SBbs3NVmgY2ouYZfPhc6cXBNEFpRT3T100fnbkYw+EHi76nwsp+uGxk08kh4GG881DrgotptrJj2dJxXpWp/SFdVu5S9fFU6l6dCTC9IBYYCCV8PvXbBZ3oDZyyyJT7/vXSaUdbk3x9MeNlYrgItm2KY6MdHYEg8R994Sspn1sE4Ydey5DfG/WNWVrzFCI0sWI3yj4zuCcUXFz9sEG8fIYikD9rNuohiMenWjkj6oLTwZGVW2q4wRL0051XBkmfnPD/H6gqOML9MbZQ8D6/+az0yF9oD61SkifhBNBRRNaIab/Np7XD61siR8zNMG/vCKjFGICnp andrew@localhost
            $ echo 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDEbKq5U57fhzQ3SBbs3NVmgY2ouYZfPhc6cXBNEFpRT3T100fnbkYw+EHi76nwsp+uGxk08kh4GG881DrgotptrJj2dJxXpWp/SFdVu5S9fFU6l6dCTC9IBYYCCV8PvXbBZ3oDZyyyJT7/vXSaUdbk3x9MeNlYrgItm2KY6MdHYEg8R994Sspn1sE4Ydey5DfG/WNWVrzFCI0sWI3yj4zuCcUXFz9sEG8fIYikD9rNuohiMenWjkj6oLTwZGVW2q4wRL0051XBkmfnPD/H6gqOML9MbZQ8D6/+az0yF9oD61SkifhBNBRRNaIab/Np7XD61siR8zNMG/vCKjFGICnp'
            | base64 -D | md5
            6530389635564f6464e8e3a47d593e19


            The md5sum 6530389635564f6464e8e3a47d593e19 is the fingerprint displayed when
            the key is generated, only without the separating colons.





            However, if you’re dealing with the fingerprints that Amazon shows in the EC2 Key Pairs console,
            unfortunately that may be a different beast. If it’s a 32-digit hex string, it’s the standard MD5 SSH public key fingerprint above. But if it’s 40 hex digits, it’s actually a fingerprint computed by taking the SHA1 of the private key in PKCS#8 format:



            $ openssl pkcs8 -in foo -nocrypt -topk8 -outform DER | openssl sha1 -c
            e2:77:39:d3:53:a7:62:68:5f:da:82:0e:99:61:30:64:a2:88:c4:58





            share|improve this answer















            The fingerprint is the MD5 over the binary data within the Base64-encoded public key.



            $ ssh-keygen -f foo
            Generating public/private rsa key pair.
            Enter passphrase (empty for no passphrase):
            Enter same passphrase again:
            Your identification has been saved in foo.
            Your public key has been saved in foo.pub.
            The key fingerprint is:
            65:30:38:96:35:56:4f:64:64:e8:e3:a4:7d:59:3e:19 andrew@localhost
            The key's randomart image is:
            +--[ RSA 2048]----+
            | +*..+* |
            | =. +.= |
            | . . .o . |
            | o+ E |
            | S= . + o |
            | . o o + |
            | . . |
            | |
            | |
            +-----------------+
            $ cat foo.pub
            ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEbKq5U57fhzQ3SBbs3NVmgY2ouYZfPhc6cXBNEFpRT3T100fnbkYw+EHi76nwsp+uGxk08kh4GG881DrgotptrJj2dJxXpWp/SFdVu5S9fFU6l6dCTC9IBYYCCV8PvXbBZ3oDZyyyJT7/vXSaUdbk3x9MeNlYrgItm2KY6MdHYEg8R994Sspn1sE4Ydey5DfG/WNWVrzFCI0sWI3yj4zuCcUXFz9sEG8fIYikD9rNuohiMenWjkj6oLTwZGVW2q4wRL0051XBkmfnPD/H6gqOML9MbZQ8D6/+az0yF9oD61SkifhBNBRRNaIab/Np7XD61siR8zNMG/vCKjFGICnp andrew@localhost
            $ echo 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDEbKq5U57fhzQ3SBbs3NVmgY2ouYZfPhc6cXBNEFpRT3T100fnbkYw+EHi76nwsp+uGxk08kh4GG881DrgotptrJj2dJxXpWp/SFdVu5S9fFU6l6dCTC9IBYYCCV8PvXbBZ3oDZyyyJT7/vXSaUdbk3x9MeNlYrgItm2KY6MdHYEg8R994Sspn1sE4Ydey5DfG/WNWVrzFCI0sWI3yj4zuCcUXFz9sEG8fIYikD9rNuohiMenWjkj6oLTwZGVW2q4wRL0051XBkmfnPD/H6gqOML9MbZQ8D6/+az0yF9oD61SkifhBNBRRNaIab/Np7XD61siR8zNMG/vCKjFGICnp'
            | base64 -D | md5
            6530389635564f6464e8e3a47d593e19


            The md5sum 6530389635564f6464e8e3a47d593e19 is the fingerprint displayed when
            the key is generated, only without the separating colons.





            However, if you’re dealing with the fingerprints that Amazon shows in the EC2 Key Pairs console,
            unfortunately that may be a different beast. If it’s a 32-digit hex string, it’s the standard MD5 SSH public key fingerprint above. But if it’s 40 hex digits, it’s actually a fingerprint computed by taking the SHA1 of the private key in PKCS#8 format:



            $ openssl pkcs8 -in foo -nocrypt -topk8 -outform DER | openssl sha1 -c
            e2:77:39:d3:53:a7:62:68:5f:da:82:0e:99:61:30:64:a2:88:c4:58






            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Jan 14 at 1:15









            Maarten Bodewes

            6021515




            6021515










            answered Feb 8 '14 at 20:40









            andrew.nandrew.n

            81179




            81179








            • 1





              I found this answer helpful in the following scenario. Your system uses SHA1 to calculate the fingerprint, but your friend's uses md5. I shared a fingerprint which was SHA1 and it didn't match the MD5 her system generated. This helped - thank you! sed 's|^ssh-rsa ||' /etc/ssh/ssh_host_rsa_key.pub |sed 's|==.*$|==|' |base64 -d| md5sum

              – Liczyrzepa
              Jun 5 '15 at 19:25













            • This is highly relevant in understanding why this fingerprint will not match those in DNS SSHFP records, because they use SHA-1 or SHA-256 digests.

              – neirbowj
              Dec 30 '15 at 21:28






            • 1





              @Liczyrzepa the publickey field may or may not have '==' at the end depending on the key type and bitsize; safer and IMO easier to use awk '{print $2}' /path/to/keyfile.pub or similar.

              – dave_thompson_085
              Jun 12 '16 at 19:41






            • 10





              This is the only answer that explains how the fingerprint is calculated

              – greuze
              Sep 29 '16 at 14:34






            • 1





              However in Linux Mint the command is: cat id_rsa.pub | cut -d' ' -f2 | base64 -d | md5sum

              – greuze
              Sep 29 '16 at 14:40














            • 1





              I found this answer helpful in the following scenario. Your system uses SHA1 to calculate the fingerprint, but your friend's uses md5. I shared a fingerprint which was SHA1 and it didn't match the MD5 her system generated. This helped - thank you! sed 's|^ssh-rsa ||' /etc/ssh/ssh_host_rsa_key.pub |sed 's|==.*$|==|' |base64 -d| md5sum

              – Liczyrzepa
              Jun 5 '15 at 19:25













            • This is highly relevant in understanding why this fingerprint will not match those in DNS SSHFP records, because they use SHA-1 or SHA-256 digests.

              – neirbowj
              Dec 30 '15 at 21:28






            • 1





              @Liczyrzepa the publickey field may or may not have '==' at the end depending on the key type and bitsize; safer and IMO easier to use awk '{print $2}' /path/to/keyfile.pub or similar.

              – dave_thompson_085
              Jun 12 '16 at 19:41






            • 10





              This is the only answer that explains how the fingerprint is calculated

              – greuze
              Sep 29 '16 at 14:34






            • 1





              However in Linux Mint the command is: cat id_rsa.pub | cut -d' ' -f2 | base64 -d | md5sum

              – greuze
              Sep 29 '16 at 14:40








            1




            1





            I found this answer helpful in the following scenario. Your system uses SHA1 to calculate the fingerprint, but your friend's uses md5. I shared a fingerprint which was SHA1 and it didn't match the MD5 her system generated. This helped - thank you! sed 's|^ssh-rsa ||' /etc/ssh/ssh_host_rsa_key.pub |sed 's|==.*$|==|' |base64 -d| md5sum

            – Liczyrzepa
            Jun 5 '15 at 19:25







            I found this answer helpful in the following scenario. Your system uses SHA1 to calculate the fingerprint, but your friend's uses md5. I shared a fingerprint which was SHA1 and it didn't match the MD5 her system generated. This helped - thank you! sed 's|^ssh-rsa ||' /etc/ssh/ssh_host_rsa_key.pub |sed 's|==.*$|==|' |base64 -d| md5sum

            – Liczyrzepa
            Jun 5 '15 at 19:25















            This is highly relevant in understanding why this fingerprint will not match those in DNS SSHFP records, because they use SHA-1 or SHA-256 digests.

            – neirbowj
            Dec 30 '15 at 21:28





            This is highly relevant in understanding why this fingerprint will not match those in DNS SSHFP records, because they use SHA-1 or SHA-256 digests.

            – neirbowj
            Dec 30 '15 at 21:28




            1




            1





            @Liczyrzepa the publickey field may or may not have '==' at the end depending on the key type and bitsize; safer and IMO easier to use awk '{print $2}' /path/to/keyfile.pub or similar.

            – dave_thompson_085
            Jun 12 '16 at 19:41





            @Liczyrzepa the publickey field may or may not have '==' at the end depending on the key type and bitsize; safer and IMO easier to use awk '{print $2}' /path/to/keyfile.pub or similar.

            – dave_thompson_085
            Jun 12 '16 at 19:41




            10




            10





            This is the only answer that explains how the fingerprint is calculated

            – greuze
            Sep 29 '16 at 14:34





            This is the only answer that explains how the fingerprint is calculated

            – greuze
            Sep 29 '16 at 14:34




            1




            1





            However in Linux Mint the command is: cat id_rsa.pub | cut -d' ' -f2 | base64 -d | md5sum

            – greuze
            Sep 29 '16 at 14:40





            However in Linux Mint the command is: cat id_rsa.pub | cut -d' ' -f2 | base64 -d | md5sum

            – greuze
            Sep 29 '16 at 14:40











            0














            ssh-keygen -r host.name.com


            Will output the fingerprints for all configured public keys on an sshd instance.



            These can then be put into DNS SSHFP records.






            share|improve this answer




























              0














              ssh-keygen -r host.name.com


              Will output the fingerprints for all configured public keys on an sshd instance.



              These can then be put into DNS SSHFP records.






              share|improve this answer


























                0












                0








                0







                ssh-keygen -r host.name.com


                Will output the fingerprints for all configured public keys on an sshd instance.



                These can then be put into DNS SSHFP records.






                share|improve this answer













                ssh-keygen -r host.name.com


                Will output the fingerprints for all configured public keys on an sshd instance.



                These can then be put into DNS SSHFP records.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Nov 26 '17 at 4:32









                Mike SchrollMike Schroll

                1012




                1012






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Super User!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f421997%2fwhat-is-a-ssh-key-fingerprint-and-how-is-it-generated%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    How to make a Squid Proxy server?

                    Is this a new Fibonacci Identity?

                    19世紀