39

This Question asks about getting the fingerprint of an SSH key while generating the new key with ssh-keygen.

But how does one determine the fingerprint of an existing public key in a .pub file?

➥ How to get:

  • SHA256 hash of an existing key?
    Something like this: SHA256:3VvabBNtRF0XEpYRFnIrhHX6tKZq/vzU+heb3dCYp+0 [email protected]
  • MD5 (is it MD5?) of an existing key?
    Something like this: b6:bf:18:b8:72:83:b7:fb:7d:08:98:72:1f:9f:05:27
  • Randomart for an existing key?
    Something like this:
+--[ RSA 2048]----+
|       o=.       |
|    o  o++E      |
|   + . Ooo.      |
|    + O B..      |
|     = *S.       |
|      o          |
|                 |
|                 |
|                 |
+-----------------+
1
  • 2
    GitHub uses sha256 so just remove the -E md5 arguments
    Commented Jun 1, 2021 at 14:06

4 Answers

36

In recent versions of ssh-keygen, one gets an RSA public key fingerprint on Unix-based systems with something like:

$ ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub

where the path refers to a public key file.

1
  • Or from known_hosts, where keytype is e.g. ecdsa-sha2 or ssh-rsa: cat ~/.ssh/known_hosts | grep ^myhost.com | grep ecdsa-sha2 | ssh-keygen -l -E sha256 -f -
    – beerbajay
    Commented Jan 28, 2023 at 4:09
20

Install openssh and openssl packages which contain the commands.

# get the SHA256 and ascii art    
ssh-keygen -l -v -f /path/to/publickey

# get the MD5 for private key
openssl pkey -in /path/to/privatekey -pubout -outform DER | openssl md5 -c

# get the MD5 for public key
openssl pkey -in /path/to/publickey -pubin -pubout -outform DER | openssl md5 -c
2
  • The first line answers the SHA256 and ASCII art. The other two lines don't work for me; openssl complains about PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: PUBLIC KEY. Adapting the first line to replace -v with -E md5, as in Cris P's answer, gives the expected MD5 fingerprint. Note that the MD5 the OP is after is the fingerprint, and I don't think that'd be the output of the other two lines, even if they worked.
    Commented Jan 9, 2023 at 11:33
  • Same here. The first command works perfectly, didn't bother trying the other two.
    Commented May 15, 2023 at 13:03
9

The above works if you have access to the remote host. If not, to get the default sha256 hashes and Art from the remote host 'pi' (for example) you can do this:

$ ssh-keyscan pi | ssh-keygen -lvf -
# pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4
# pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4
# pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4
2048 SHA256:P/Da4p1YbLDgnbGIkVE9SykONlVynPkwwap54RMW6+A pi (RSA)
+---[RSA 2048]----+
|     .+=+=       |
|    +.oo%        |
|   ..+ * *       |
|    .oB . .      |
|   .oB.oS        |
|    E+=+ @       |
|    ..o.= B      |
|        .B o     |
|       .+.+      |
+----[SHA256]-----+
256 SHA256:eMaAlpPMA2/24ajrpHuiL7mCFCJycZNfuNfyB3cyx+U pi (ECDSA)
+---[ECDSA 256]---+
|  .  . .         |
|  .=++. .       .|
|   o&ooo .   . o |
|+..+ *o=o o + + E|
|+.. . +.So o =   |
| . .   o  . .    |
|o.o        .     |
|*o..             |
|BO+              |
+----[SHA256]-----+
256 SHA256:cpQtotFCbt4TXxa1474whR1Wkk3gOczhumE23s9pbxc pi (ED25519)
+--[ED25519 256]--+
|    .     ..==o  |
|   o .   o *.*.  |
|    = + + + %    |
|   o = = + * +   |
|    o + S B +    |
|       + + B   E |
|          = o   .|
|           o +..o|
|            ..+oo|
+----[SHA256]-----+
$ _

If instead you'd like the md5 hash:

$ ssh-keyscan pi | ssh-keygen -E md5 -lf -
# pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4
# pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4
# pi:22 SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u4
256 MD5:b3:74:1f:a7:e8:96:ee:e0:5d:7e:31:4d:5c:7c:5c:d2 pi (ECDSA)
2048 MD5:cb:1f:5b:85:fb:6f:c9:89:06:68:ce:96:88:f6:11:ed pi (RSA)
256 MD5:d7:93:a1:8e:53:06:4d:fe:41:5c:fa:4b:70:84:c3:88 pi (ED25519)
$ _

If you are on the actual host and want to get them, then you just sudo the part after the pipe like this:

$ sudo ssh-keygen -E sha256 -lf /etc/ssh/ssh_host_ecdsa_key
256 SHA256:eMaAlpPMA2/24ajrpHuiL7mCFCJycZNfuNfyB3cyx+U root@raspberrypi (ECDSA)
$ _

And sha256 is the default, so you'd use 'md5' to get that.

Hope that helps.

Patrick

1

If you need just the fingerprint without anything else for something like adding your key to digital ocean via doctl and a new server you can do this.

FINGERPRINT="$(ssh-keygen -l -E md5 -f ~/.ssh/${DROPLET_NAME}.pub | awk '{print $2}'| sed 's|MD5:||')"

DROPLET_TAG="machineid-${tagname}"
DROPLET_NAME="${tagname/_/-}"
ssh-keygen -t ed25519 -f ~/.ssh/${DROPLET_NAME} -P "" -C "${DROPLET_NAME}"
export SSH_PUB="$(cat ~/.ssh/${DROPLET_NAME}.pub)"
export SSH_PRIVATE="$(cat ~/.ssh/${DROPLET_NAME})"
FINGERPRINT="$(ssh-keygen -l -E md5 -f ~/.ssh/${DROPLET_NAME}.pub | awk '{print $2}'| sed 's|MD5:||')"
doctl compute ssh-key create ${DROPLET_NAME} --public-key "$(cat ~/.ssh/${DROPLET_NAME}.pub)"
