1

I'm encountering an interesting scenario where the generated fingerprint for my imported/created ed25519 SSH key is different from the one reported by ssh-keygen in the AWS EC2 Key console.

For example, consider a random key I generated for which the ssh-keygen fingerprint is:

64OuseEfObM7yYiEyK7u42qN1kHj6/JGnpro1XqO4pM

And AWS generated the fingerprint as such:

64OuseEfObM7yYiEyK7u42qN1kHj6/JGnpro1XqO4pM=

So, there is extra padding for some reason. Does anyone know why that is so? Alternatively, does anyone know how AWS generates these fingerprints and is it just fine to trim that last = away? I mean padding is mostly optional, but I would like to generate the same fingerprint so I can compare them.

Also, note that this is only for ed25519 keys. Normal RSA works fine. I know they do some wonky stuff converting it to OpenSSL then back or something like that. But that's not the case for ed25519 I think...

Cheers!

Hannibal
  • See [this post](https://stackoverflow.com/questions/4080988/why-does-base64-encoding-require-padding-if-the-input-length-is-not-divisible-by) - it has to do with the Base64 encoding. It shouldn't matter. – stdunbar Apr 22 '22 at 14:25
  • The problem is that it matters because any kind of local algorithm I'm running isn't resulting in the same encoding, aka they don't convert to padding by 3s. So when I compare, I either have to trim that by hand or add it to mine by doing something like `string+"="` which is a bit ugly. :) The important part is that I can't reproduce this same result they are having. – Hannibal Apr 22 '22 at 14:29
  • But I guess, you're right. I can just trim the padding as I don't concatenate it to anything so it should be fine. But it bothers me that I can't reproduce why they are getting a different encoding. :D – Hannibal Apr 22 '22 at 14:35

1 Answer

1

I got it.

From other posts here as well, but the answer is that they are using a base64 sha256 openssl combo like this:

# only the second field of the .pub line is base64 (the "ssh-ed25519" prefix and the comment are not), so extract it before decoding; hash the raw key blob and re-encode with padding
$ awk '{print $2}' ~/.ssh/ec2-key.pub | base64 -d | openssl dgst -binary -sha256 | base64 -w0; echo

Where the pub key was generated from the downloaded ec2 pem key like this:

ssh-keygen -y -f ~/.ssh/ec2-key.pem > ~/.ssh/ec2-key.pub
Hannibal
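As an added example (not part of the question or answer above), here is the same computation in Python: parse the OpenSSH public key line, SHA-256 the decoded wire blob, and render it both as ssh-keygen prints it (padding stripped, "SHA256:" prefix) and in the padded form this question reports from the EC2 console, plus a comparison that ignores the padding. The sample key line is constructed from a made-up 32-byte value, not a real key.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


# Constructed sample: an ed25519 .pub line with the layout ssh-keygen writes,
# "<type> <base64 blob> [comment]". The 32 key bytes are a dummy value.
_FAKE_PUBKEY = bytes(range(32))
SAMPLE_PUB_LINE = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(_FAKE_PUBKEY)
).decode() + " demo@example"


def parse_pub_line(line: str) -> tuple[str, bytes]:
    """Return (key type, raw wire blob) from an OpenSSH public key line.
    Only the second field is base64; decoding the whole line does not work."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob itself starts with the key type as an SSH string; it must agree
    # with the first field, otherwise the line has been tampered with or mangled.
    (type_len,) = struct.unpack(">I", blob[:4])
    blob_type = blob[4:4 + type_len].decode()
    if blob_type != fields[0]:
        raise ValueError(f"key type mismatch: {fields[0]} vs {blob_type}")
    return blob_type, blob


def fingerprint_openssh(line: str) -> str:
    """SHA256 fingerprint as `ssh-keygen -l` prints it: base64 with '=' stripped."""
    _, blob = parse_pub_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_aws_style(line: str) -> str:
    """Same digest, but standard base64 with the trailing '=' kept."""
    _, blob = parse_pub_line(line)
    return base64.b64encode(hashlib.sha256(blob).digest()).decode()


def fingerprints_match(local: str, remote: str) -> bool:
    """Compare fingerprints ignoring the 'SHA256:' prefix and '=' padding."""
    def norm(s: str) -> str:
        return s.split(":", 1)[-1].rstrip("=")
    return norm(local) == norm(remote)
```

A 32-byte digest always base64-encodes to 44 characters ending in exactly one "=", so the two forms differ only in that final character.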