I see stuff all over Google on how to see the RSA key fingerprint, but not the ECDSA fingerprint.
4 Answers
Wait, I found it. Run the command:
ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub
- Note that this will compute the hash of the fingerprint in the preferred format of your server OS. Depending on your local OS you might need to use the old hash format: `ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_ecdsa_key.pub`. This is needed for example when connecting from Ubuntu 12.04 to Ubuntu 16.04. – Jeff Nov 10 '16 at 13:40
- This also works on Mac OS (useful to validate authenticity in remote login). – Jorge Leitao Jun 23 '19 at 07:33
- Add `-v` to also display the ASCII art representation. – user0 Jan 12 '21 at 13:58
- @user1104372 Is the ASCII art useful for anything other than a neat visual? – trusktr Jan 12 '21 at 17:00
- @trusktr It helps you *as a human* do a quick sanity check when logging in from a new system: https://superuser.com/a/374790/1200989 – Noah May Aug 31 '21 at 02:11
With a recent ssh (OpenSSH_6.0p1, OpenSSL 1.0.0j 10 May 2012), I scripted it like this:
ssh-keyscan -t ecdsa localhost 2>&1 | grep ecdsa
localhost ecdsa-sha2-nistp256 AAAAE2VlongKey...=
Notes:
- If your sshd runs on a custom port, add `-p portNumber` to the `ssh-keyscan` command.
- `ssh-keyscan` writes on stderr, not stdout (!), hence the bash redirection `2>&1` (that can vary depending on your shell).
That is the line I added to my `~/.ssh/known_hosts` file in order to authorize ssh requests from localhost for my tests (mainly for gitolite, which uses ssh).
Daniel Böhmer confirms in the comments:
`ssh-keyscan` provides the full public key(s) of the SSH server. The output of `ssh-keygen` is nearly identical to the format of the public key files. Just remove the 1st column (IP address or hostname) and save that or pipe it to `ssh-keygen -l`, which presents the fingerprint.
Daniel adds:
Show fingerprints of all server public keys stored in `~/.ssh/known_hosts`:
cut -d' ' -f2- ~/.ssh/known_hosts | while read line; do echo "$line" | ssh-keygen -lf-; done
- The question is about the *fingerprint* of the key. ssh-keyscan only provides the (public) key. – aleb Sep 24 '15 at 09:48
- Indeed, `ssh-keyscan` provides the full public key(s) of the SSH server. I have a dump of its output and now want to compare that to the fingerprint displayed by `ssh` during first connect. How to do that? – Daniel Böhmer Nov 05 '15 at 13:39
- I just found out: the output of `ssh-keygen` is nearly identical to the format of the public key files. Just remove the 1st column (IP address or hostname) and save that or pipe it to `ssh-keygen -l` which presents the fingerprint. I'd still like to know how to make `ssh` display the server's full public key when asking to confirm it. – Daniel Böhmer Nov 05 '15 at 13:51
- @DanielBöhmer Thank you for your feedback. I have included it in the answer for more visibility. – VonC Nov 05 '15 at 15:14
- Show fingerprints of all server public keys stored in `~/.ssh/known_hosts`: `cut -d' ' -f2- ~/.ssh/known_hosts | while read line; do echo "$line" | ssh-keygen -lf-; done` – Daniel Böhmer Jan 23 '19 at 17:39
- 3+ years later, again, thank you :) I have included your latest comment in the answer, for more visibility. – VonC Jan 23 '19 at 17:50
Commands used
Display the ASCII art of the public host key stored on the server (to be done on the server side, the one you connect TO via ssh):
ssh-keygen -l -v -f /etc/ssh/ssh_host_ecdsa_key.pub
- -l: show fingerprint of the specified public key file.
- -v: visual (ASCII art)
- -f: file
Display the ASCII art of the remote server's public host key (to be done on the client side, the one you connect FROM via ssh):
ssh -o visualhostkey=yes -o FingerprintHash=md5 <host_server_to_connect>
- -o: option
- visualhostkey: visual (ASCII art)
- FingerprintHash: hash algorithm to use
What to do to check the authenticity of a host/server
First, 1. is to be done locally on the server (the one you want to connect TO via ssh): it will give you a first ASCII art. Print it or take a picture.
Second, 2. is to be done at the first SSH connection; it will display a second ASCII art. If the ASCII art is the same, then you can answer yes to the "do I trust?" question (i.e. "Are you sure you want to continue connecting (yes/no)?").
Example
- Server side
$ ssh-keygen -l -v -f /etc/ssh/ssh_host_ecdsa_key.pub
256 2e:a6:b3:27:14:12:0b:79:df:9a:7f:bd:4d:b1:e0:b6 (ECDSA)
+--[ECDSA 256]---+
| . |
|o o |
| o + . |
| o o . |
| . + S . . |
| + . . . o |
| . .o ..o o |
| ooo....+ |
| o= . E.. |
+-----------------+
- Client side
$ ssh -o visualhostkey=yes -o FingerprintHash=md5 192.168.12.211
The authenticity of host '192.168.12.211 (192.168.12.211)' can't be established.
ECDSA key fingerprint is MD5:2e:a6:b3:27:14:12:0b:79:df:9a:7f:bd:4d:b1:e0:b6.
+---[ECDSA 256]---+
| . |
|o o |
| o + . |
| o o . |
| . + S . . |
| + . . . o |
| . .o ..o o |
| ooo....+ |
| o= . E.. |
+------[MD5]------+
Are you sure you want to continue connecting (yes/no)?
Some more explanation
The first command will display the ASCII art corresponding to the fingerprint of the file you give as input. The file you give as input is the public host key of the server. When a client connects (not only for the first time), the server will send its public host key. This public host key will be searched in `~/.ssh/known_hosts`. If the public key is in the file, then it's OK: the host (server) is known, so we move on to the next step to authenticate the user (user auth is not described in this post). If the public key is not in the file, then the client will compute the fingerprint of this public host key with a hash algorithm (a different hash algorithm will give a different fingerprint). This fingerprint previously calculated is displayed (along with the ASCII art if the corresponding option is provided) and you will have to answer yes or no depending on whether you recognise this fingerprint or not (this fingerprint is the image/hash of the public host key of the server). If you say yes, then the public key of the server (not its fingerprint) will be added to the file `~/.ssh/known_hosts`.
We can notice that `~/.ssh/known_hosts` is under your home (~) directory, because you trust this host (server), but a different user may not trust the same as you. Also, the host public key of the server is not user-dependent, so it is stored in `/etc/ssh/`.
The second command will display the fingerprint and the ASCII art of the public key received from the host_server_to_connect (according to the hash algorithm given in options). It is the same as doing only ssh, but with more visual options, so the connection will continue the same way as a normal ssh connection.
On my system I need to specify an MD5 key instead of the default SHA256:
ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_ecdsa_key.pub
This outputs a string in a format that matches the error I saw on the client.
- The `-E` flag was introduced in OpenSSH >6.6, around the time when switching to SHA256 fingerprinting by default. So in the cases where the client displays SHA256 fingerprints, it can't be used to output that format on the server. A way around that: https://superuser.com/a/1030779 – tanius Jun 08 '17 at 22:06
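As an added example (not code from any of the answers above), the following Python reproduces what `ssh-keygen -l` computes for the entries of a known_hosts file or an `ssh-keyscan` dump, in both the SHA256 and the MD5 (`-E md5`) formats, and mirrors the known / unknown / mismatch decision the client makes with a presented host key as described in the third answer. It only needs the base64 key blob, so it also covers the case in the last comment where the server's ssh-keygen predates `-E`; the known_hosts content and the keys are constructed for the example and are not real host keys, and hashed `|1|` entries are skipped as a simplification.

```python
import base64
import hashlib

def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()
def ssh_string(s: bytes) -> bytes:  # SSH wire-format string: 4-byte big-endian length + bytes
    return len(s).to_bytes(4, "big") + s

def fingerprint_sha256(key: bytes) -> str:
    """ssh-keygen -l default since OpenSSH 6.8: 'SHA256:' + unpadded base64 of the digest."""
    return "SHA256:" + b64(hashlib.sha256(key).digest()).rstrip("=")

def fingerprint_md5(key: bytes) -> str:
    """Legacy format (ssh-keygen -l -E md5): 'MD5:' + colon-separated hex of the digest."""
    return "MD5:" + ":".join(f"{x:02x}" for x in hashlib.md5(key).digest())

def parse_entries(text: str):
    """Yield (hosts, key type, raw key bytes) per known_hosts / ssh-keyscan line."""
    for line in text.splitlines():
        f = line.split()
        # Skip blanks, comments, @cert-authority/@revoked markers and hashed |1| hosts (simplification).
        if len(f) < 3 or f[0].startswith(("#", "@", "|1|")):
            continue
        yield f[0].split(","), f[1], base64.b64decode(f[2])

def list_fingerprints(text: str):
    """Same result as the cut | ssh-keygen -lf- loop: (hosts, type, SHA256, MD5) per key."""
    return [(",".join(h), t, fingerprint_sha256(k), fingerprint_md5(k))
            for h, t, k in parse_entries(text)]

def check_presented_key(known_hosts: str, host: str, keytype: str, blob_b64: str) -> str:
    """Client-side decision for the key a server just sent: 'known' (no prompt),
    'unknown' (first-connect fingerprint prompt) or 'MISMATCH' (stored key differs)."""
    presented = base64.b64decode(blob_b64)
    host_seen = False
    for hosts, t, key in parse_entries(known_hosts):
        if host in hosts and t == keytype:
            if key == presented:
                return "known"
            host_seen = True
    return "MISMATCH" if host_seen else "unknown"

# Constructed sample keys (not real host keys): a public key blob is the key type followed
# by the key material; dummy 32-byte material stands in for an Ed25519 point.
KEY_A = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
KEY_B = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "localhost,127.0.0.1 ssh-ed25519 " + b64(KEY_A),
    "[gitserver]:2222 ssh-ed25519 " + b64(KEY_B),  # host field as ssh-keyscan -p 2222 writes it
])
```

A MISMATCH result is what the real client reports as a changed host key, which is the case worth investigating before reconnecting rather than simply removing the old entry.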