Display the default fingerprint#
Of a key#
You can either use the public key or private key to obtain the fingerprint (default is SHA256 in base64).
$ ssh-keygen -lf ./id_ed25519
256 SHA256:jISolPDpdvGclfo477aZAl63U5LC+1fSe7OSv9f+STI noraj@machine (ED25519)
$ ssh-keygen -lf ./id_ed25519.pub
256 SHA256:jISolPDpdvGclfo477aZAl63U5LC+1fSe7OSv9f+STI noraj@machine (ED25519)ssh-keygen option:
-f filenameSpecifies the filename of the key file.-lShow fingerprint of specified public key file.
Of a ssh server key#
When you connect to a machine for the first time, you do not have the fingerprint of the server key in your known_hosts, so ssh has nothing to compare it to, so it asks you to check it manually.
$ ssh sshtron.zachlatta.com
The authenticity of host 'sshtron.zachlatta.com (149.28.243.27)' can't be established.
RSA key fingerprint is SHA256:Z2hwpVYVYT1MA8w35kf/V/Q9KBDv0TR14QmZWcoLrsE.
Are you sure you want to continue connecting (yes/no)? noDisplay fingerprint in other formats#
Of a key#
You can also display the fingerprint using another algorithm (here md5 in hexadecimal).
$ ssh-keygen -l -E md5 -f id_ed25519.pub
256 MD5:39:2a:e9:63:de:76:5a:ff:47:46:b5:ef:2b:75:f6:1c noraj@machine (ED25519)ssh-keygen option:
-E fingerprint_hashSpecifies the hash algorithm used when displaying key fingerprints. Valid options are: "md5" and "sha256". The default is "sha256".
Of a ssh server key#
You can also do the same when you connect to a server:
$ ssh -o FingerprintHash=md5 sshtron.zachlatta.com
The authenticity of host 'sshtron.zachlatta.com (149.28.243.27)' can't be established.
RSA key fingerprint is MD5:61:df:29:bd:02:40:b8:4b:d1:ab:33:10:e8:3c:fa:41.
Are you sure you want to continue connecting (yes/no)? noASCII Art representation#
You can use hashes to check a server or a key fingerprint programmatically but when you want to check by eye it is easier to compare an ASCII Art representation.
Of a key#
To display the ASCII art representation just add the -v option after the -l one.
$ ssh-keygen -lvf id_ed25519.pub
256 SHA256:jISolPDpdvGclfo477aZAl63U5LC+1fSe7OSv9f+STI noraj@machine (ED25519)
+--[ED25519 256]--+
|. |
|...o . . |
| o+ o . o |
|.o = * |
|. o ..* S. . |
| . .. +o+ o o |
| . oo+.+ o E ..|
| . oo+o. + * +|
| =B+ ++B+|
+----[SHA256]-----+ssh-keygen option:
-lIf combined with-v, a visual ASCII art representation of the key is supplied with the fingerprint.
Of a ssh server key#
With ssh the option is -o VisualHostKey=yes:
$ ssh -o VisualHostKey=yes sshtron.zachlatta.com
The authenticity of host 'sshtron.zachlatta.com (149.28.243.27)' can't be established.
RSA key fingerprint is SHA256:Z2hwpVYVYT1MA8w35kf/V/Q9KBDv0TR14QmZWcoLrsE.
+---[RSA 2048]----+
| .++*@O+o|
| =..*+%.=|
| . + .+ B.B+|
| +..o.o.o.*|
| SEoo.. .+|
| . oo o|
| . .|
| |
| |
+----[SHA256]-----+
Are you sure you want to continue connecting (yes/no)? noFingerprint via DNS#
It is possible to put the fingerprint in DNS and get ssh to ell you if what it the two fingerprints match.
Configure DNS#
You can use ssh-keygen to display the new entries you need to add to your DNS server.
$ ssh-keygen -r noraj.example.org -f id_ed25519.pub
noraj.example.org IN SSHFP 4 1 71b9fe55d3668dad24d3a934c40ee0d82cb3f793
noraj.example.org IN SSHFP 4 2 8c84a894f0e976f19c95fa38efb699025eb75392c2fb57d27bb392bfd7fe4932
$ ssh-keygen -r noraj.example.org -f id_ed25519.pub -g
noraj.example.org IN TYPE44 \# 22 04 01 71b9fe55d3668dad24d3a934c40ee0d82cb3f793
noraj.example.org IN TYPE44 \# 34 04 02 8c84a894f0e976f19c95fa38efb699025eb75392c2fb57d27bb392bfd7fe4932-r hostnamePrint the SSHFP fingerprint resource record named hostname for the specified public key file.-gUse generic DNS format when printing fingerprint resource records using the-rcommand.
Manually check DNS entries#
You can check SSHFP records using drill (dig replacement).
$ drill anoncvs.netbsd.org SSHFP
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 25844
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; anoncvs.netbsd.org. IN SSHFP
;; ANSWER SECTION:
anoncvs.netbsd.org. 86400 IN SSHFP 3 1 7a667d57b6d5f559f136fa9537605081452930ef
anoncvs.netbsd.org. 86400 IN SSHFP 1 1 198c34a92fc0b2ab1da52b688c2f191d2d960c09
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 149 msec
;; SERVER: 192.168.1.254
;; WHEN: Wed Dec 19 22:55:13 2018
;; MSG SIZE rcvd: 104Automatic check with ssh#
To make ssh check if the ssh fingerprint match the one displayed in the DNS record you can use the -o VerifyHostKeyDNS=ask option.
$ ssh -o VerifyHostKeyDNS=ask anoncvs.netbsd.org
The authenticity of host 'anoncvs.netbsd.org (199.233.217.198)' can't be established.
RSA key fingerprint is SHA256:oeLj1lbu1HBb/Mc2ERoP11g8JDFnrHWvSvPTXOu9bXw.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)? noOr add VerifyHostKeyDNS ask in /etc/ssh/ssh_config.
Go deeper#
The Algorithm Number 1 is for RSA, 2 is for DSS (DSA), 3 is for ECDSA and 4 is for Ed25519. The Fingerprint Type type 1 is for SHA-1 and type 2 is for SHA-256.
- RFC 4255 - Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
- RFC 6594 - Use of the SHA-256 Algorithm with RSA, Digital Signature Algorithm (DSA), and Elliptic Curve DSA (ECDSA) in SSHFP Resource Records
- RFC 7479 - Using Ed25519 in SSHFP Resource Records