This Question asks about getting the fingerprint of a SSH key while generating the new key with ssh-keygen.
But how does one get determine the fingerprint of an existing public key in a .pub file?
➥ How to get:
- SHA256 hash of an existing key?
Something like this:SHA256:3VvabBNtRF0XEpYRFnIrhHX6tKZq/vzU+heb3dCYp+0 - MD5 (is it MD5?) of an existing key?
Something like this:b6:bf:18:b8:72:83:b7:fb:7d:08:98:72:1f:9f:05:27 - Randomart for an existing key?
Something like this:
+--[ RSA 2048]----+ | o=. | | o o++E | | + . Ooo. | | + O B.. | | = *S. | | o | | | | | | | +-----------------+ 13 Answers
In recent versions of ssh-keygen, one gets an RSA public key fingerprint on Unix-based systems with something like:
$ ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub
where the path refers to a public key file.
Install openssh and openssl packages which contain the commands.
# get the SHA256 and ascii art ssh-keygen -l -v -f /path/to/publickey # get the MD5 for private key openssl pkey -in /path/to/privatekey -pubout -outform DER | openssl md5 -c # get the MD5 for public key openssl pkey -in /path/to/publickey -pubin -pubout -outform DER | openssl md5 -c The above works if you have access to the remote host. If not, to get the default sha256 hashes and Art from the remote host 'pi' (for example) you can do this:
$ ssh-keyscan pi | ssh-keygen -lvf - # pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4 # pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4 # pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4 2048 SHA256:P/Da4p1YbLDgnbGIkVE9SykONlVynPkwwap54RMW6+A pi (RSA) +---[RSA 2048]----+ | .+=+= | | +.oo% | | ..+ * * | | .oB . . | | .oB.oS | | E+=+ @ | | ..o.= B | | .B o | | .+.+ | +----[SHA256]-----+ 256 SHA256:eMaAlpPMA2/24ajrpHuiL7mCFCJycZNfuNfyB3cyx+U pi (ECDSA) +---[ECDSA 256]---+ | . . . | | .=++. . .| | o&ooo . . o | |+..+ *o=o o + + E| |+.. . +.So o = | | . . o . . | |o.o . | |*o.. | |BO+ | +----[SHA256]-----+ 256 SHA256:cpQtotFCbt4TXxa1474whR1Wkk3gOczhumE23s9pbxc pi (ED25519) +--[ED25519 256]--+ | . ..==o | | o . o *.*. | | = + + + % | | o = = + * + | | o + S B + | | + + B E | | = o .| | o +..o| | ..+oo| +----[SHA256]-----+ $ _ If instead you'd like the md5 hash:
$ ssh-keyscan pi | ssh-keygen -E md5 -lf - # pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4 # pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4 # pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4 256 MD5:b3:74:1f:a7:e8:96:ee:e0:5d:7e:31:4d:5c:7c:5c:d2 pi (ECDSA) 2048 MD5:cb:1f:5b:85:fb:6f:c9:89:06:68:ce:96:88:f6:11:ed pi (RSA) 256 MD5:d7:93:a1:8e:53:06:4d:fe:41:5c:fa:4b:70:84:c3:88 pi (ED25519) $ _ If you are on the actual host and want to get them, then you just sudo the part after the pipe like this:
$ sudo ssh-keygen -E sha256 -lf /etc/ssh/ssh_host_ecdsa_key 256 SHA256:eMaAlpPMA2/24ajrpHuiL7mCFCJycZNfuNfyB3cyx+U root@raspberrypi (ECDSA) $ _ And sha256 is the default, so you'd use 'md5' to get that.
Hope that helps.
Patrick