Check SSH fingerprint

Table of contents
  1. Display the default fingerprint
    1. Of a key
    2. Of an ssh server key
  2. Display fingerprint in other formats
    1. Of a key
    2. Of an ssh server key
    3. ASCII Art representation
      1. Of a key
      2. Of an ssh server key
  3. Fingerprint via DNS
    1. Configure DNS
    2. Manually check DNS entries
    3. Automatic check with ssh
  4. Go deeper
  5. Credit

Display the default fingerprint

Of a key

You can either use the public key or private key to obtain the fingerprint (default is SHA256 in base64).

$ ssh-keygen -lf ./id_ed25519
256 SHA256:jISolPDpdvGclfo477aZAl63U5LC+1fSe7OSv9f+STI noraj@machine (ED25519)
$ ssh-keygen -lf ./id_ed25519.pub
256 SHA256:jISolPDpdvGclfo477aZAl63U5LC+1fSe7OSv9f+STI noraj@machine (ED25519)

ssh-keygen option:

  • -f filename Specifies the filename of the key file.
  • -l Show fingerprint of specified public key file.

Of an ssh server key

When you connect to a machine for the first time, the fingerprint of the server key is not yet in your known_hosts, so ssh has nothing to compare it against and asks you to check it manually.

$ ssh sshtron.zachlatta.com
The authenticity of host 'sshtron.zachlatta.com (149.28.243.27)' can't be established.
RSA key fingerprint is SHA256:Z2hwpVYVYT1MA8w35kf/V/Q9KBDv0TR14QmZWcoLrsE.
Are you sure you want to continue connecting (yes/no)? no

Display fingerprint in other formats

Of a key

You can also display the fingerprint using another algorithm (here MD5 in hexadecimal).

$ ssh-keygen -l -E md5 -f id_ed25519.pub
256 MD5:39:2a:e9:63:de:76:5a:ff:47:46:b5:ef:2b:75:f6:1c noraj@machine (ED25519)

ssh-keygen option:

  • -E fingerprint_hash Specifies the hash algorithm used when displaying key fingerprints. Valid options are: "md5" and "sha256". The default is "sha256".

Of an ssh server key

You can do the same when you connect to a server:

$ ssh -o FingerprintHash=md5 sshtron.zachlatta.com
The authenticity of host 'sshtron.zachlatta.com (149.28.243.27)' can't be established.
RSA key fingerprint is MD5:61:df:29:bd:02:40:b8:4b:d1:ab:33:10:e8:3c:fa:41.
Are you sure you want to continue connecting (yes/no)? no

ASCII Art representation

Hashes are what you compare when checking a server or key fingerprint programmatically, but when checking by eye it is easier to compare an ASCII art representation.

Of a key

To display the ASCII art representation, add the -v option next to -l.

$ ssh-keygen -lvf id_ed25519.pub
256 SHA256:jISolPDpdvGclfo477aZAl63U5LC+1fSe7OSv9f+STI noraj@machine (ED25519)
+--[ED25519 256]--+
|. |
|...o . . |
| o+ o . o |
|.o = * |
|. o ..* S. . |
| . .. +o+ o o |
| . oo+.+ o E ..|
| . oo+o. + * +|
| =B+ ++B+|
+----[SHA256]-----+

ssh-keygen option:

  • -v If combined with -l, a visual ASCII art representation of the key is supplied with the fingerprint.

Of an ssh server key

With ssh the option is -o VisualHostKey=yes:

$ ssh -o VisualHostKey=yes sshtron.zachlatta.com
The authenticity of host 'sshtron.zachlatta.com (149.28.243.27)' can't be established.
RSA key fingerprint is SHA256:Z2hwpVYVYT1MA8w35kf/V/Q9KBDv0TR14QmZWcoLrsE.
+---[RSA 2048]----+
| .++*@O+o|
| =..*+%.=|
| . + .+ B.B+|
| +..o.o.o.*|
| SEoo.. .+|
| . oo o|
| . .|
| |
| |
+----[SHA256]-----+
Are you sure you want to continue connecting (yes/no)? no

Fingerprint via DNS

It is possible to publish the fingerprint in DNS (as an SSHFP record) and have ssh tell you whether the two fingerprints match.

Configure DNS

You can use ssh-keygen to print the records you need to add to your DNS zone.

$ ssh-keygen -r noraj.example.org -f id_ed25519.pub
noraj.example.org IN SSHFP 4 1 71b9fe55d3668dad24d3a934c40ee0d82cb3f793
noraj.example.org IN SSHFP 4 2 8c84a894f0e976f19c95fa38efb699025eb75392c2fb57d27bb392bfd7fe4932
$ ssh-keygen -r noraj.example.org -f id_ed25519.pub -g
noraj.example.org IN TYPE44 \# 22 04 01 71b9fe55d3668dad24d3a934c40ee0d82cb3f793
noraj.example.org IN TYPE44 \# 34 04 02 8c84a894f0e976f19c95fa38efb699025eb75392c2fb57d27bb392bfd7fe4932

ssh-keygen option:

  • -r hostname Print the SSHFP fingerprint resource record named hostname for the specified public key file.
  • -g Use generic DNS format when printing fingerprint resource records using the -r command.

Manually check DNS entries

You can check SSHFP records using drill (a dig replacement).

$ drill anoncvs.netbsd.org SSHFP
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 25844
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; anoncvs.netbsd.org. IN SSHFP

;; ANSWER SECTION:
anoncvs.netbsd.org. 86400 IN SSHFP 3 1 7a667d57b6d5f559f136fa9537605081452930ef
anoncvs.netbsd.org. 86400 IN SSHFP 1 1 198c34a92fc0b2ab1da52b688c2f191d2d960c09

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 149 msec
;; SERVER: 192.168.1.254
;; WHEN: Wed Dec 19 22:55:13 2018
;; MSG SIZE rcvd: 104

Automatic check with ssh

To make ssh check whether the server's fingerprint matches the one published in the DNS record, use the -o VerifyHostKeyDNS=ask option.

$ ssh -o VerifyHostKeyDNS=ask anoncvs.netbsd.org
The authenticity of host 'anoncvs.netbsd.org (199.233.217.198)' can't be established.
RSA key fingerprint is SHA256:oeLj1lbu1HBb/Mc2ERoP11g8JDFnrHWvSvPTXOu9bXw.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)? no

Or, to make it permanent, add VerifyHostKeyDNS ask to /etc/ssh/ssh_config.

Go deeper

In an SSHFP record the first number is the algorithm: 1 is RSA, 2 is DSS (DSA), 3 is ECDSA and 4 is Ed25519. The second number is the fingerprint type: type 1 is SHA-1 and type 2 is SHA-256. This is why the ssh-keygen -r output above for an Ed25519 key shows 4 1 and 4 2.
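As an added example (not part of the original post or of OpenSSH itself), the following Python reproduces the formats shown above: the default SHA256 base64 fingerprint, the -E md5 colon-hex form, the two SSHFP lines that ssh-keygen -r prints, and a VerifyHostKeyDNS-style comparison of a host key against SSHFP records, using the algorithm and fingerprint type numbers from this section. The public key it hashes is constructed (32 arbitrary bytes in ssh-ed25519 wire format), so its fingerprints are not the ones on the page; the function names are mine.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers and fingerprint types as listed in "Go deeper" (RFC 4255/6594/7479).
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4,
                   "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

def key_blob(pubkey_line):
    """Return (key type, raw key blob) from an OpenSSH public key line."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob opens with a length-prefixed key type; it must match the first field.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type mismatch inside blob")
    return keytype, blob

def fingerprint_sha256(pubkey_line):
    """Default ssh-keygen -l output: SHA256:<base64 of the digest, '=' padding stripped>."""
    digest = hashlib.sha256(key_blob(pubkey_line)[1]).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def fingerprint_md5(pubkey_line):
    """ssh-keygen -l -E md5 output: MD5:<colon-separated hex bytes>."""
    digest = hashlib.md5(key_blob(pubkey_line)[1]).digest()
    return "MD5:" + ":".join(f"{b:02x}" for b in digest)

def sshfp_records(hostname, pubkey_line):
    """The two lines ssh-keygen -r prints: type 1 (SHA-1) and type 2 (SHA-256)."""
    keytype, blob = key_blob(pubkey_line)
    alg = SSHFP_ALGORITHM[keytype]
    return [f"{hostname} IN SSHFP {alg} {t} {h(blob).hexdigest()}"
            for t, h in SSHFP_HASH.items()]

def matches_sshfp(pubkey_line, records):
    """VerifyHostKeyDNS-style check: does any (alg, type, hex) record match this key?"""
    keytype, blob = key_blob(pubkey_line)
    alg = SSHFP_ALGORITHM[keytype]
    return any(r_alg == alg and r_type in SSHFP_HASH
               and SSHFP_HASH[r_type](blob).hexdigest() == r_hex.lower()
               for r_alg, r_type, r_hex in records)

def constructed_ed25519_pubkey():
    """A constructed, not real, ed25519 public key line: 32 arbitrary bytes in wire format."""
    keytype, raw = b"ssh-ed25519", bytes(range(32))
    blob = struct.pack(">I", len(keytype)) + keytype + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"
```

To check a real host, pass matches_sshfp the (algorithm, type, hex) triples parsed from a drill answer like the one above together with the key line from the server's host key file.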

Credit

Source: Checking ssh public key fingerprints