Which command do I use to find out what my server’s ECDSA key fingerprint is?

I see all over Google information on how to see the fingerprint of the RSA key, but not the fingerprint of ECDSA.

+66
security linux ssh rsa openssh
Apr 08 2018-12-12T00:
4 answers

Wait, I found it. Run the command:

ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub 
+102
Apr 08 2018-12-12T00:

With the latest ssh (OpenSSH_6.0p1, OpenSSL 1.0.0j May 10, 2012) I wrote it like this:

 ssh-keyscan -t ecdsa localhost 2>&1 | grep ecdsa
 localhost ecdsa-sha2-nistp256 AAAAE2VlongKey...=

Notes:

  • if your sshd is running on a user port, add '-p portNumber' to the ssh-keyscan command
  • ssh-keyscan writes to stderr, not to stdout (!), hence the bash redirection '2>&1' (may vary depending on your shell)

This is the line I added to my ~/.ssh/known_hosts to authorize ssh requests from localhost for my tests (mainly for gitolite that uses ssh ).

Daniel Boomer confirms in the comments :

  • ssh-keyscan provides the full public key(s) of the SSH server.
  • ssh-keyscan output is almost identical to the public key file format.
    Just delete the first column (IP address or hostname) and save it, then run ssh-keygen -l on that file to get the fingerprint.

Daniel adds:

Show fingerprints of all public server keys stored in ~/.ssh/known_hosts :

 cut -d' ' -f2- ~/.ssh/known_hosts | while read line; do echo "$line" | ssh-keygen -lf-; done 
+14
Jul 23 2018-12-12T00:

On my system, I need to specify the MD5 key instead of the default SHA256:

 ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_ecdsa_key.pub 

This displays a string in a format that matches the error that I saw on the client.

+6
Nov 17 '15 at 18:51

Commands Used

  • Display ascii-art of the host public key stored on the server (this must be done on the server side, the one you connect to via ssh):

     ssh-keygen -l -v -f /etc/ssh/ssh_host_ecdsa_key.pub 

    -l : Show the fingerprint of the specified public key file.

    -v : visual (ascii-art)

    -f : file

  • Display ascii-art of the remote server's host public key (this is done on the client side, the machine you connect from using ssh):

     ssh -o visualhostkey=yes -o FingerprintHash=md5 <host_server_to_connect> 

    -o : option

    visualhostkey : visual (ascii-art)

    FingerprintHash : a hash algorithm to use

What you need to do to verify host / server authentication

Firstly, command 1 should be run locally on the server (the one you want to connect to via ssh): it will give you the first ascii-art. Print it or take a picture.

Secondly, command 2 must be run on the first SSH connection; this will show the second ascii-art. If the two ascii-arts are the same, you can answer yes to the question "Are you sure you want to continue connecting (yes/no)?".

Some more explanation

The first command displays the ascii-art corresponding to the fingerprint of the file you give as input. The file you give as input is the server's host public key. When a client connects (not just the first time), the server sends its host public key. The client then looks this host public key up in ~/.ssh/known_hosts. If the key is in the file, everything is in order: the host (server) is known, so we go on to the next step, user authentication (user authentication is not described in this post). If the public key is not in the file, the client computes the fingerprint of this host public key using a hash algorithm (a different hash algorithm gives a different fingerprint). This computed fingerprint is displayed (along with ascii-art, if the corresponding option is set), and you have to answer yes or no depending on whether you recognize the fingerprint or not (the fingerprint is the hash, or "image", of the server's host public key). If you say yes, the server's full public key (not its fingerprint) is added to the ~/.ssh/known_hosts file.

Note that ~/.ssh/known_hosts is located in your home (~) directory because it records that you trust this host (server); another user may not trust it the same way you do. The server's own host public key, on the other hand, is independent of any user, so it is stored in /etc/ssh/ .

The second command displays the fingerprint and ascii-art of the public key received from host_server_to_connect (according to the hash algorithm specified in the options). This is the same as running a plain ssh, only with extra visual options, so the connection continues just like a regular ssh connection.

+1
May 27 '19 at 6:57
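The MD5-versus-SHA256 point in the third answer and the known_hosts lookup described above come down to one operation: hashing the raw key blob that sits in the third column of a known_hosts (or ssh-keyscan) line and rendering it the way ssh-keygen -l / -E prints it. This added example (not code from any of the answers) does exactly that in Python, so a fingerprint seen in a client warning can be checked offline against a saved line; the ecdsa-sha2-nistp256 blob it uses is constructed with a filler curve point and is not a real server key.

```python
import base64
import hashlib


def _ssh_string(b: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return len(b).to_bytes(4, "big") + b


# Constructed sample key blob in the layout OpenSSH uses for ECDSA keys:
# string "ecdsa-sha2-nistp256", string "nistp256", string Q (0x04 || X || Y).
# The point is filler, not a valid curve point; fingerprinting does not check it.
_FAKE_POINT = b"\x04" + bytes(range(1, 65))
SAMPLE_BLOB = (_ssh_string(b"ecdsa-sha2-nistp256")
               + _ssh_string(b"nistp256")
               + _ssh_string(_FAKE_POINT))
# Constructed known_hosts / ssh-keyscan line carrying that blob.
SAMPLE_KNOWN_HOSTS_LINE = ("localhost ecdsa-sha2-nistp256 "
                           + base64.b64encode(SAMPLE_BLOB).decode())


def parse_known_hosts_line(line: str):
    """Split a known_hosts line into (host field, key type, raw key blob).

    Hashed hosts ('|1|...') and marker lines ('@cert-authority ...') are
    handled by skipping the marker; the key blob is the same in every case.
    """
    fields = line.split()
    if fields and fields[0].startswith("@"):
        fields = fields[1:]
    host, key_type, b64 = fields[:3]
    return host, key_type, base64.b64decode(b64)


def fingerprint(blob: bytes, algo: str = "sha256") -> str:
    """Render the blob's fingerprint as ssh-keygen -l (SHA256) or -E md5 does."""
    if algo == "sha256":
        digest = hashlib.sha256(blob).digest()
        # OpenSSH prints the base64 digest without '=' padding.
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    if algo == "md5":
        return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    raise ValueError("unsupported hash: " + algo)


def matches(line: str, expected: str) -> bool:
    """True if the key on a known_hosts line has the expected fingerprint.

    The hash is chosen from the prefix of the expected string, so a value
    copied from either a SHA256 or an MD5 client warning can be checked.
    """
    _, _, blob = parse_known_hosts_line(line)
    algo = "md5" if expected.upper().startswith("MD5:") else "sha256"
    return fingerprint(blob, algo) == expected
```

Feed it the output of `ssh-keyscan -t ecdsa host` or a line from ~/.ssh/known_hosts and compare against the fingerprint the client printed; a mismatch means the key the client saw is not the one you recorded.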
