TL;DR
Is there a way to obtain the complete certificate so I can add it to ~/.ssh/known_hosts so Cyberduck knows to trust the server?
Doing ssh-keyscan -t rsa -c localhost on the server is not an option; '-c' is not present.
The whole story
I wanted to connect to a server using SSH and SFTP (Cyberduck). I wanted to be sure the server to which I'm connecting is the right one so I computed the Host Key on the server via a browser terminal (it's a hosting). I used this:
# Create the key by scanning it
ssh-keyscan -t rsa localhost > deleteable-hostkey-rsa.pub
# Create the fingerprint
awk '{print $3}' deleteable-hostkey-rsa.pub | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64
#Result example>
abcdefghijklmnopqrstuvwxyz_abcdefghijklmnop=
Then, on my machine I tried connecting using SSH, it prompted to add the key to my ~/.ssh/known_hosts file. At this point, I got the same key as the one I computed earlier so I said 'yes'.
Now, here's the part that threw me off. I then tried connecting to Cyberduck and when asked if it should trust the server, I got a different fingerprint (it was clearly using md5) so I computed all keys on the host but none was a match to the one Cyberduck was showing me. So I figured I would always accept so that key would be added to my ~/.ssh/known_hosts. And the keys are different in structure, so I guess the one added by Cyberduck is a complete certificate. Below you can see what I get (I replaced the parts that are equal and different parts so the structure can be understood without posting a certificate).
Host key, FAKE IP
1.1.1.1 ssh-rsa AAAAabcdefghijkSAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_==
Host certificate, FAKE IP
1.1.1.1 ssh-rsa-cert-v01@openssh.com AAAAabcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefSAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_SAME_AAAAAAAAAAAAAAAabcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdefghijklmnopqrstuvwxyz_abcdef
I then tried on the server to obtain the complete certificate using ssh-keyscan -t rsa -c localhost but the -c option is not present.
Is there another way to obtain the complete certificate so I can add it to ~/.ssh/known_hosts so Cyberduck knows to trust the server?
Note: I'm using macOS Big Sur (11.6.4) and Cyberduck 8.2.3.
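Added example, not part of the original post: a Python sketch for comparing the two known_hosts entries shown above. It computes SHA256 and MD5 fingerprints of a key blob and, for an ssh-rsa-cert-v01@openssh.com entry, rebuilds the plain ssh-rsa key carried inside the certificate so it can be checked against the key fingerprinted on the server. The function names are hypothetical and the sample key bytes are constructed, not a real key.

```python
import base64, hashlib, struct

CERT_SUFFIX = b"-cert-v01@openssh.com"

def ssh_string(data):
    """Encode an SSH wire-format string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf, off):
    """Decode one SSH string at off; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated blob")
    return buf[off + 4:end], end

def blob_from_known_hosts(line):
    """Decode the base64 field of an unmarked 'host keytype base64' line."""
    return base64.b64decode(line.split()[2])

def fingerprints(blob):
    """Return (SHA256, MD5) fingerprints in the forms OpenSSH prints them."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return "SHA256:" + sha, "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2))

def embedded_key_blob(blob):
    """For an RSA certificate, rebuild the plain ssh-rsa key blob it certifies."""
    ktype, off = read_string(blob, 0)
    if not ktype.endswith(CERT_SUFFIX):
        return blob                        # already a plain key
    if ktype != b"ssh-rsa" + CERT_SUFFIX:
        raise ValueError("only RSA certificates are handled here")
    _nonce, off = read_string(blob, off)   # random nonce precedes the key
    e, off = read_string(blob, off)        # mpints use the same length framing
    n, off = read_string(blob, off)
    return ssh_string(b"ssh-rsa") + ssh_string(e) + ssh_string(n)

# Constructed sample data (not a real key): exponent 65537, filler modulus.
E = b"\x01\x00\x01"
N = b"\x00" + b"\xc3" * 256
PLAIN = ssh_string(b"ssh-rsa") + ssh_string(E) + ssh_string(N)
CERT = (ssh_string(b"ssh-rsa" + CERT_SUFFIX) + ssh_string(b"\x5a" * 32)
        + ssh_string(E) + ssh_string(N)
        + struct.pack(">QI", 1, 2)         # serial, type 2 = host certificate
        + b"constructed-trailer")          # remaining cert fields not modelled

if __name__ == "__main__":
    for label, blob in (("plain key", PLAIN), ("certificate", CERT),
                        ("key inside certificate", embedded_key_blob(CERT))):
        print(label, *fingerprints(blob))
```

Hashing the certificate blob as a whole gives a different fingerprint from hashing the key it contains, while the key extracted from the certificate fingerprints identically to the plain ssh-rsa entry. The SHA256 value here has its base64 padding stripped, unlike the output of the shell pipeline in the post.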