Check SSH fingerprint

Display the default fingerprint

Of a key

You can point ssh-keygen at either the public key or the private key file to obtain the fingerprint; it is always computed over the public key, so both give the same result (the default is SHA256 in base64).

$ ssh-keygen -lf ./id_ed25519
256 SHA256:jISolPDpdvGclfo477aZAl63U5LC+1fSe7OSv9f+STI noraj@machine (ED25519)
$ ssh-keygen -lf ./id_ed25519.pub
256 SHA256:jISolPDpdvGclfo477aZAl63U5LC+1fSe7OSv9f+STI noraj@machine (ED25519)

ssh-keygen options:

  • -f filename Specifies the filename of the key file.
  • -l Show fingerprint of specified public key file.

Of an SSH server key

When you connect to a machine for the first time, the fingerprint of its host key is not yet in your known_hosts, so ssh has nothing to compare it against and asks you to verify it manually. Answer yes only once you have confirmed the fingerprint out of band, for instance by running ssh-keygen -l on the server's own /etc/ssh/ssh_host_*_key.pub from the console, or against an SSHFP record published in DNS. Whatever you accept here is trusted for every later connection, so a man-in-the-middle on this first connection would be accepted silently from then on.

$ ssh sshtron.zachlatta.com
The authenticity of host 'sshtron.zachlatta.com (149.28.243.27)' can't be established.
RSA key fingerprint is SHA256:Z2hwpVYVYT1MA8w35kf/V/Q9KBDv0TR14QmZWcoLrsE.
Are you sure you want to continue connecting (yes/no)? no

Display fingerprint in other formats

Of a key

You can also display the fingerprint with another hash algorithm (here MD5 in hexadecimal). MD5 fingerprints are what OpenSSH before 6.8 and some other tools print; use them only to compare against such output and prefer SHA256 otherwise.

$ ssh-keygen -l -E md5 -f id_ed25519.pub 
256 MD5:39:2a:e9:63:de:76:5a:ff:47:46:b5:ef:2b:75:f6:1c noraj@machine (ED25519)

ssh-keygen option:

  • -E fingerprint_hash Specifies the hash algorithm used when displaying key fingerprints. Valid options are: "md5" and "sha256". The default is "sha256".

Of an SSH server key

You can do the same when you connect to a server, with the FingerprintHash option:

$ ssh -o FingerprintHash=md5 sshtron.zachlatta.com
The authenticity of host 'sshtron.zachlatta.com (149.28.243.27)' can't be established.
RSA key fingerprint is MD5:61:df:29:bd:02:40:b8:4b:d1:ab:33:10:e8:3c:fa:41.
Are you sure you want to continue connecting (yes/no)? no

ASCII Art representation

Hashes are what you compare programmatically; when checking by eye, the randomart image is quicker to compare than a 43-character string. It is meant to make a changed key stand out at a glance, not to replace comparing the full fingerprint when the answer matters.

Of a key

To display the ASCII art representation, add the -v option after the -l one.

$ ssh-keygen -lvf id_ed25519.pub
256 SHA256:jISolPDpdvGclfo477aZAl63U5LC+1fSe7OSv9f+STI noraj@machine (ED25519)
+--[ED25519 256]--+
|. |
|...o . . |
| o+ o . o |
|.o = * |
|. o ..* S. . |
| . .. +o+ o o |
| . oo+.+ o E ..|
| . oo+o. + * +|
| =B+ ++B+|
+----[SHA256]-----+

ssh-keygen option:

  • -l If combined with -v, a visual ASCII art representation of the key is supplied with the fingerprint.

Of an SSH server key

With ssh the option is -o VisualHostKey=yes (or VisualHostKey yes in ssh_config):

$ ssh -o VisualHostKey=yes sshtron.zachlatta.com
The authenticity of host 'sshtron.zachlatta.com (149.28.243.27)' can't be established.
RSA key fingerprint is SHA256:Z2hwpVYVYT1MA8w35kf/V/Q9KBDv0TR14QmZWcoLrsE.
+---[RSA 2048]----+
| .++*@O+o|
| =..*+%.=|
| . + .+ B.B+|
| +..o.o.o.*|
| SEoo.. .+|
| . oo o|
| . .|
| |
| |
+----[SHA256]-----+
Are you sure you want to continue connecting (yes/no)? no

Fingerprint via DNS

It is possible to publish the host key fingerprint in DNS as an SSHFP record and have ssh tell you whether the key the server presents matches it.

Configure DNS

You can use ssh-keygen to print the SSHFP records to add to the zone. Generate them from the server's host public key (for example /etc/ssh/ssh_host_ed25519_key.pub), since that is the key ssh compares; a user key is used below only to show the output format.

$ ssh-keygen -r noraj.example.org -f id_ed25519.pub
noraj.example.org IN SSHFP 4 1 71b9fe55d3668dad24d3a934c40ee0d82cb3f793
noraj.example.org IN SSHFP 4 2 8c84a894f0e976f19c95fa38efb699025eb75392c2fb57d27bb392bfd7fe4932
$ ssh-keygen -r noraj.example.org -f id_ed25519.pub -g
noraj.example.org IN TYPE44 \# 22 04 01 71b9fe55d3668dad24d3a934c40ee0d82cb3f793
noraj.example.org IN TYPE44 \# 34 04 02 8c84a894f0e976f19c95fa38efb699025eb75392c2fb57d27bb392bfd7fe4932

ssh-keygen options:

  • -r hostname Print the SSHFP fingerprint resource record named hostname for the specified public key file.
  • -g Use generic DNS format when printing fingerprint resource records using the -r command.

Manually check DNS entries

You can query SSHFP records with drill (the ldns query tool, a dig alternative); dig anoncvs.netbsd.org SSHFP returns the same answer.

$ drill anoncvs.netbsd.org SSHFP
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 25844
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; anoncvs.netbsd.org. IN SSHFP

;; ANSWER SECTION:
anoncvs.netbsd.org. 86400 IN SSHFP 3 1 7a667d57b6d5f559f136fa9537605081452930ef
anoncvs.netbsd.org. 86400 IN SSHFP 1 1 198c34a92fc0b2ab1da52b688c2f191d2d960c09

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 149 msec
;; SERVER: 192.168.1.254
;; WHEN: Wed Dec 19 22:55:13 2018
;; MSG SIZE rcvd: 104

Automatic check with ssh

To have ssh check whether the server's fingerprint matches the one published in DNS, use the -o VerifyHostKeyDNS=ask option. With ask, ssh reports whether a matching record was found and still prompts you. With yes it accepts a matching key without prompting only if the DNS answer was validated with DNSSEC (the resolver must set the AD bit); an unvalidated answer is handled as ask.

1
2
3
4
5
$ ssh -o VerifyHostKeyDNS=ask anoncvs.netbsd.org
The authenticity of host 'anoncvs.netbsd.org (199.233.217.198)' can't be established.
RSA key fingerprint is SHA256:oeLj1lbu1HBb/Mc2ERoP11g8JDFnrHWvSvPTXOu9bXw.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)? no

Or set VerifyHostKeyDNS ask in /etc/ssh/ssh_config (or per user in ~/.ssh/config).

Go deeper

The Algorithm Number is 1 for RSA, 2 for DSS (DSA), 3 for ECDSA and 4 for Ed25519; the Fingerprint Type is 1 for SHA-1 and 2 for SHA-256. RSA, DSA and SHA-1 are defined in RFC 4255, ECDSA and SHA-256 in RFC 6594 and Ed25519 in RFC 7479. The type 1 (SHA-1) record exists for older clients; publish the type 2 record as well, as ssh-keygen -r does.
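To make the checks above reproducible outside the ssh client, here is an added example (not code from the original page or from OpenSSH) that recomputes what ssh-keygen -l, -E md5 and -r print from a public key line, converts the hex digest of a SHA-256 SSHFP record into the SHA256:base64 form ssh displays so the two can be compared, and emulates the VerifyHostKeyDNS match against a list of records. It serves both the fingerprint sections at the top and the DNS sections. The key material is constructed inline and is not a real key, the hostname is a placeholder, and the function names are mine.

```python
"""Recompute ssh-keygen -l / -E md5 / -r output and the SSHFP match from a public key line.

Added example, not code from the original page or from OpenSSH.  The sample
keys are constructed inline and are not real keys.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255: RSA, DSA; RFC 6594: ECDSA; RFC 7479: Ed25519)
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594)
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data):
    """Encode one SSH wire string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_public_key(line):
    """Parse a 'keytype base64 [comment]' line (.pub, authorized_keys, or an
    ssh-keyscan line with the leading host field removed).
    Returns (keytype, blob); every fingerprint is computed over the blob."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected 'keytype base64blob [comment]'")
    keytype, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob starts with its own key type string; it must agree with the
    # text field, otherwise the line was tampered with or mis-pasted.
    (length,) = struct.unpack_from(">I", blob, 0)
    if blob[4:4 + length].decode("ascii", "replace") != keytype:
        raise ValueError("key type inside blob does not match key type field")
    return keytype, blob


def fingerprint(blob, algo="sha256"):
    """ssh-keygen -l output: 'SHA256:' + unpadded base64, or with -E md5
    'MD5:' + colon-separated hex."""
    if algo == "sha256":
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    if algo == "md5":
        return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    raise ValueError(f"unsupported fingerprint hash {algo!r}")


def sshfp_to_fingerprint(hexdigest):
    """Turn the hex digest of a type-2 (SHA-256) SSHFP record into the
    SHA256:base64 form ssh prints, so a DNS record and the ssh prompt can be
    compared directly."""
    return "SHA256:" + base64.b64encode(bytes.fromhex(hexdigest)).decode().rstrip("=")


def sshfp_records(hostname, keytype, blob, generic=False):
    """The two lines ssh-keygen -r prints (SHA-1 then SHA-256), or with -g the
    TYPE44 generic form, whose RDATA length is 2 header bytes + the digest."""
    alg = SSHFP_ALGORITHM[keytype]
    lines = []
    for fptype, hasher in SSHFP_HASH.items():
        hexdigest = hasher(blob).hexdigest()
        if generic:
            rdlen = 2 + len(hexdigest) // 2
            lines.append(f"{hostname} IN TYPE44 \\# {rdlen} {alg:02x} {fptype:02x} {hexdigest}")
        else:
            lines.append(f"{hostname} IN SSHFP {alg} {fptype} {hexdigest}")
    return lines


def matches_sshfp(keytype, blob, records):
    """Emulate the VerifyHostKeyDNS comparison.  records are (algorithm,
    fptype, hex) tuples from the SSHFP answer.  A record for another
    algorithm or an unknown fingerprint type is skipped, not counted as a
    mismatch.  Whether the answer was DNSSEC-validated is the resolver's
    business; this only compares digests."""
    alg = SSHFP_ALGORITHM[keytype]
    for r_alg, r_type, r_hex in records:
        if r_alg != alg or r_type not in SSHFP_HASH:
            continue
        if SSHFP_HASH[r_type](blob).hexdigest() == r_hex.lower():
            return True
    return False


# Constructed sample: an Ed25519 "key" whose 32-byte point is simply 0..31.
SAMPLE_ED25519_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_ED25519_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_ED25519_BLOB).decode() + " sample@example"

if __name__ == "__main__":
    kt, blob = parse_public_key(SAMPLE_ED25519_LINE)
    print(fingerprint(blob), fingerprint(blob, "md5"))
    for rec in sshfp_records("host.example.org", kt, blob):
        print(rec)
    for rec in sshfp_records("host.example.org", kt, blob, generic=True):
        print(rec)
```

To check a real server with it, feed the second and third fields of an ssh-keyscan line to parse_public_key and pass the (algorithm, type, hex) triples from the drill or dig answer to matches_sshfp; the SHA-256 line from sshfp_records is what the zone should carry.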

Credit#

Source: Checking ssh public key fingerprints
