74

It seems that openssh has changed the way it displays key fingerprints.

I am trying to ssh from a client machine to a server:

  • client: ubuntu 14.04 running OpenSSH 6.6.1
  • server: FreeBSD running OpenSSH 7.2p2.

The client reports the md5 hash of the server's key as a sequence of 16 pairs of hex digits, like this:

a7:b1:3e:3d:84:24:a2:5a:91:5f:6f:e9:cf:dd:2b:6a

The server defaults to using the sha256 hash, but thanks to this answer I can force it to give the sha1 hash by running:

[root@host /etc/ssh]# ssh-keygen -l -E sha1 -f ssh_host_ecdsa_key.pub

I want the result to look like this:

a7:b1:3e:3d:84:24:a2:5a:91:5f:6f:e9:cf:dd:2b:6a

but instead I get this:

256 SHA1:KIh0ejR4O+RqrSq7JdGAASddRfI root@host.local (ECDSA)

It looks to me like a base64 encoded version of the fingerprint is now being displayed instead of hex digits.

How can I get the checksum of the server's key in the same format as that reported by the (older) client (colon separated hex digits, sha1 hash) so as to check that they are the same?

EDIT: The old version of SSH gives the md5 checksum, not the sha1 checksum as I mistakenly thought. Using that checksum (as the now accepted answer should state) in the -E option gives the desired output.

5 Answers

100

The client reports the sha1 hash of the server's key as a sequence of 16 pairs of hex digits, like this:

    a7:b1:3e:3d:84:24:a2:5a:91:5f:6f:e9:cf:dd:2b:6a

This is an MD5 hash.

As you can see running

ssh-keygen -l -E md5 -f ssh_host_ecdsa_key.pub

will get you the same fingerprint you need without such harakiri as you are explaining in your answer.

Jakuje
  • 10,827
9

In cases like this I use the following little script (tested on Debian and Ubuntu):

#!/bin/sh

# Gather the public ssh host keys for the given host
# and for each key print the fingerprint in hex format using the given
# checksum command (e.g. md5sum, sha256sum, ...)

if [ "$#" != 2 ]; then
  echo "usage: $0 hostname checksum_command"
  exit 1
fi

# Quote "$1" and "$line" so host names and key lines are passed through unchanged.
ssh-keyscan "$1" 2>/dev/null | while read -r line; do
  echo "Scanned key:"
  echo "$line"
  echo "$2 fingerprint:"
  # field 3 is the base64 key blob; hash the decoded bytes, then insert a colon after every hex pair
  echo "$line" | awk '{print $3}' | base64 -d | "$2" -b | awk '{print $1}' | sed 's/../&:/g' | sed 's/:$//'
  echo
done

Example usage:

$ myscript host.example.com md5sum
Scanned key:
host.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJUXq7vpcEpnZQxxiLw/tdg8ui4LoqbW1O5nGyLtGw49
md5sum fingerprint:
6c:ef:26:f7:98:ad:ed:5b:cc:ff:83:13:46:c9:f6:79

Scanned key:
host.example.com ssh-rsa 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
md5sum fingerprint:
b2:9c:cd:30:b1:38:e3:d1:17:d6:73:eb:03:9a:80:83

$ myscript host.example.com sha256sum
Scanned key:
host.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC4aLMajBvisnWNR2VX5K1KEkNeRmzlcs+svbY6/DiumMTZNtqB5duZjGkMmEbIclHaT7rQG9efAWsNhai5cJVRZ4VX1Gu/TLycEk4OY56MrrWjQYweSUr/W6E0eVCf7gh/ym2vMcevct4373fGDdlogk9Wa97lDV6PUXRy/znxRlo3tBc6KMOZIBoPu8UjeLr2ZPNPjO6hXX/96HbYfboxjhMl5eb8AWR0MGd4qU7RZZa2XhT4/4eSo8h9gEq8V3tasB24fMdw3K+HRiDyZm8uoNq+IrJlC22pBpzxRQtsv0Nd+uC5pK/UPVI3AFfdHMrmn7IHRio8aEaTloM6MRysGMtXE0kFQ/pV2U3TBmK/9wxID83qMDsQeUH4oTyjSJ0dCBuqgVQUg44z5qXVOK7gruvZSTyH7DsIyAXhlvLNwdtXPJ4HPQ90ZxLpiFWYgSPErQgbfgKeFkoSQiSP1M+UMkITCGRKMeUeDINheRJh/5y8+C3DjE54xyI4903ztyI7HqgVTOOFCtf+dlhCuS6+J20PFXEHDMdGCwmPQrKOG9Rb4NBxuvtn7MxJnwnlIu3nhDjr8SlZDOTvuK+bLpc4AZwEsNY7ANKFvj2mqE6hjkhu+x7khg84VQ6BKOmHIQnMrCpqICaNgB7Vz2d183BETrnfKQaPh79G5cQox5vwvw==
sha256sum fingerprint:
f4:61:58:e4:90:65:c4:70:98:7f:d1:40:0a:d8:d9:79:14:e6:91:dc:b6:ed:91:8c:c0:df:d9:65:db:dd:a0:18

Scanned key:
host.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJUXq7vpcEpnZQxxiLw/tdg8ui4LoqbW1O5nGyLtGw49
sha256sum fingerprint:
4b:73:d1:d7:80:87:46:64:56:71:64:10:7a:66:83:9b:c7:58:39:0b:16:74:dd:9b:d9:4b:e5:d5:61:7e:99:45
rpr
  • 748
7

As it turns out, the SSH Cookbook has a way to manually generate keys in the older hex format. I used this on the freebsd server.

awk '{print $2}' key.pub | base64 -d | md5 | sed 's/../&:/g; s/: .*$//'

Breaking this down:

awk '{print $2}' key.pub

print out the second (space separated) column in "key.pub", which is the key itself

base64 -d

the key is base64 encoded. This will output the actual bytes of the key

md5

this is freebsd's equivalent of the 'md5sum -b' that was specified in the recipe on the ssh cookbook page

sed 's/../&:/g; s/: .*$//'

There are two sed commands here:

s/../&:/g;

replace every pair of characters on the line (thanks to the 'g' flag at the end) with that same pair followed by a colon

s/: .*$//

remove any trailing colon (replace a colon followed by a space followed by anything up to the end of the line with nothing).
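The two shell recipes above (rpr's script and the SSH Cookbook one-liner) both hash the base64-decoded key blob. As an added example that is not from either answer, the Python below does the same for a known_hosts or .pub line, produces both the legacy colon-separated MD5 form and the newer `SHA256:` base64 form that OpenSSH 6.8+ prints, checks that the type string embedded in the blob matches the declared type, and compares an old-style client report with a new-style server report. The sample line is the ssh-ed25519 key quoted in rpr's answer; the function names are my own.

```python
import base64
import hashlib
import re
import struct

# Sample input taken from the answer above (a known_hosts-style line).
SAMPLE_LINE = ("host.example.com ssh-ed25519 "
               "AAAAC3NzaC1lZDI1NTE5AAAAIJUXq7vpcEpnZQxxiLw/tdg8ui4LoqbW1O5nGyLtGw49")


def parse_key_line(line):
    """Return (declared_type, raw_blob) from a known_hosts or .pub style line."""
    fields = line.split()
    # .pub lines start with the key type; known_hosts lines start with the host.
    idx = 0 if fields[0].startswith(("ssh-", "ecdsa-")) else 1
    key_type, blob = fields[idx], base64.b64decode(fields[idx + 1])
    # The blob begins with a length-prefixed type string that must agree with
    # the declared type; a mismatch means the line was mangled or altered.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n].decode("ascii", "replace")
    if embedded != key_type:
        raise ValueError("key type mismatch: %s vs %s" % (key_type, embedded))
    return key_type, blob


def fingerprint_md5(blob):
    """Legacy format (OpenSSH < 6.8 and `-E md5`): 16 colon-separated hex bytes."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob):
    """Default format since OpenSSH 6.8: 'SHA256:' + unpadded base64 digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def normalize(fp):
    """Drop the hash-name prefix, colons and base64 padding so styles compare."""
    fp = re.sub(r"^(MD5|SHA1|SHA256):", "", fp.strip(), flags=re.I)
    fp = fp.replace(":", "").rstrip("=")
    # Hex is case-insensitive; base64 is not, so only fold hex strings.
    return fp.lower() if re.fullmatch(r"[0-9a-fA-F]+", fp) else fp


def same_fingerprint(reported, computed):
    """True when a client-reported and a server-computed fingerprint agree."""
    return normalize(reported) == normalize(computed)
```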

1

ssh -o FingerprintHash=md5 user@host...

-1

For keys added to ssh-agent, this command will list their MD5 public key fingerprints:

ssh-add -l -E md5

To print MD5 fingerprints for all public keys in a directory, use this:

find ~/.ssh/ -name '*.pub' -printf '%f\t' -exec ssh-keygen -l -E md5 -f {} \;

This will also print the file name to make identification easier.

Sergiu
  • 9