Just created a small bash script which will print a table with fingerprints for all key ciphers allowed on the server (according to /etc/ssh/sshd_config) in both the SHA-256 and MD5 algorithms. Here is an example output:
❯ ssh-fingerprints
 +---------+------------------------------------------------------+
 | Cipher  | Algo and Fingerprint                                 |
 +---------+------------------------------------------------------+
 | RSA     | MD5:65:cc:63:49:ac:d6:a6:a8:5c:ab:58:12:f6:84:a4:75  |
 | RSA     | SHA-256:jlDPKCCRr1TkufVsZJf02ejXNQ7RB/vg09uGwKeSwnU  |
 +---------+------------------------------------------------------+
 | ECDSA   | MD5:fc:fa:b1:4a:6a:4f:4e:15:24:a0:28:14:d8:13:f2:58  |
 | ECDSA   | SHA-256:XqtbaJcdqem6s/R+T9NpXA7QKCTyPfzxC3f+2O/vfmY  |
 +---------+------------------------------------------------------+
 | ED25519 | MD5:03:1e:8e:0e:a8:4a:08:7a:49:35:af:2f:99:b8:9c:5b  |
 | ED25519 | SHA-256:HV5r6SFytqauiUrWcXd3zDGMzCYHj6RR6tKj0S0UhFI  |
 +---------+------------------------------------------------------+
+---[RSA 3072]----+ +---[RSA 3072]----+ +---[ECDSA 256]---+ +---[ECDSA 256]---+ +--[ED25519 256]--+ +--[ED25519 256]--+
| .. | |.... . .o. | |o+E. ... . | | . . . | | | | .Eo+.+ |
| +.. | |..... . o + .o.| |o=o. . o | | o = o | | | | . . * * o |
| o E oO | |..oo ..o o + oo.o| |o o.. . | | . = + . | | o o | | . + + O + |
| + o o+o. | | o..o.=+. .. .++o| | . . . | | + = | | . . * o | | = + * = o |
|. + . oSo | |.. .o .+S ..E.+oo| | S . | | S . = + o| |o o . + S | | . + S O * + |
| . + o . | |. o.+ . o.+ oo| | o | | . o * +.Bo| |=. + . . | | . o = B * o |
| ..oo . | | . + o . ..o| | + o | | = B . +++| |+.o.Eo | | o . . o . |
| +o . | | . . . | | .* . o | | o.* ...+E| |oo.o+. | | o . . o |
| . .. | | | | ...=oo | | *B+. .o*%| |. =o .. | | ... ooo |
+------[MD5]------+ +----[SHA256]-----+ +------[MD5]------+ +----[SHA256]-----+ +------[MD5]------+ +----[SHA256]-----+
The script will also run on servers with an SSH version below 6.8 (before the -E md5 option was added).
Edit: Updated for even more recent versions of SSH, which switched the default ciphers; now with ASCII art image support.
Edit: Merged Algo and Fingerprint into one column so it is easier to copy & paste into the verification available in recent SSH clients.
You can get recent version of this script at: https://github.com/kepi/ssh-fingerprints
#! /bin/bash
#
# ssh-fingerprints
#
# Source: https://github.com/kepi/ssh-fingerprints
#
# MIT License
# Copyright 2018 Ondra Kudlík (Kepi) <[email protected]>
#
# Requires bash 4+ (associative arrays, ${var^^}) and ssh-keygen; the
# fallback for OpenSSH < 6.8 additionally needs base64 and openssl.

set -eu

# standard sshd config path
readonly SSHD_CONFIG=/etc/ssh/sshd_config
readonly LINE=" +---------+------------------------------------------------------+"

# Fingerprints of the key being processed, indexed by hash name (md5, sha256)
declare -A ALGOS
# Randomart rows, one element per output line; every key appends its box
# to the right of the boxes already collected
declare -a ASCII

# parse_fp ALGO [old]
#
# Reads one fingerprint line, optionally followed by randomart lines, from
# stdin; stores the bare fingerprint in ALGOS[ALGO] and appends the art to ASCII.
#
# Warning: don't use in a pipe, because a pipe runs in a
# subshell and thus would throw away changes to global variables
function parse_fp {
    local algo=$1 n=0 filter line
    if [ "${2:-}" = old ] ; then
        # Older OpenSSH versions don't include the hash algorithm prefix.
        # Stopping at '=' also strips the base64 padding of the manually
        # computed SHA256 digest, matching OpenSSH's unpadded output
        filter="s/^\\([^ =]*\\).*/\\1/"
    else
        # Newer OpenSSH versions do include the hash algorithm prefix; remove
        filter="s/^${algo^^}:\\([^ =]*\\).*/\\1/"
    fi
    while read -r line
    do
        n=$((n + 1))
        if [[ $n -eq 1 ]] ; then
            ALGOS[$algo]=$(echo "$line" | sed "$filter")
        else
            # Alter old versions' ASCII art box to include algorithm
            if [ "$line" = "+-----------------+" ] ; then
                case $algo in
                    md5)    line="+------[MD5]------+" ;;
                    sha256) line="+----[SHA256]-----+" ;;
                esac
            fi
            ASCII[$n]="${ASCII[$n]:-} ${line}"
        fi
    done
}

# *** MAINLINE ***

# header
echo "$LINE"
printf " | %-7s | %-52s |\n" "Cipher" "Algo and Fingerprint"
echo "$LINE"

# fingerprints
# Match the HostKey keyword only (not HostKeyAlgorithms or HostKeyAgent) and
# allow the leading whitespace sshd_config permits
hostkey_files=$(awk '$1 == "HostKey" { print $2 ".pub" }' "$SSHD_CONFIG")
if [ -z "$hostkey_files" ] ; then
    # If HostKey not set in $SSHD_CONFIG, use the default
    hostkey_files='/etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/ssh_host_ecdsa_key.pub
/etc/ssh/ssh_host_ed25519_key.pub'
fi

# (Fake piping into while loop by using a redirect, because a pipe runs in a
# subshell and thus would throw away changes to global variables)
while read -r host_key
do
    # The key type is taken from the conventional file name ssh_host_<type>_key.pub
    cipher=$(echo "$host_key" |
             sed -r 's/^.*ssh_host_([^_]+)_key\.pub$/\1/' |
             tr '[:lower:]' '[:upper:]')
    if [ "$cipher" = DSA ] ; then
        continue
    fi
    if [[ -f "$host_key" ]] ; then
        if ssh-keygen -E md5 -l -f "$host_key" &>/dev/null
        then
            # OpenSSH >= 6.8: ask ssh-keygen for each hash. The sed keeps only
            # the fingerprint field of the first line; the art passes through
            for algo in md5 sha256 ; do
                parse_fp $algo < <(ssh-keygen -E $algo -lv -f "$host_key" |
                                   sed '/^[0-9]/ s/^[^ ]* \([^ ]*\).*/\1/')
            done
        else
            # OpenSSH < 6.8: ssh-keygen only knows MD5 ...
            parse_fp md5 old < <(ssh-keygen -lv -f "$host_key" |
                                 sed '/^[0-9]/ s/^[^ ]* \([^ ]*\).*/\1/')
            # ... so hash the decoded key blob ourselves for SHA256.
            # Note: no ASCII art
            # TO-DO: Use https://github.com/atoponce/keyart Python script
            parse_fp sha256 old < <(cut -f2 -d' ' "$host_key" |
                                    base64 -d |
                                    openssl dgst -sha256 -binary |
                                    base64)
        fi
        printf " | %-7s | %-52s |\n" "$cipher" "MD5:${ALGOS[md5]}"
        printf " | %-7s | %-52s |\n" "$cipher" "SHA256:${ALGOS[sha256]}"
        echo "$LINE"
    fi
done < <(echo "$hostkey_files")

# Print the collected randomart side by side (guard keeps set -u happy on
# bash < 4.4 when no key file was found)
if [ "${#ASCII[@]}" -gt 0 ] ; then
    echo
    for line in "${ASCII[@]}"; do
        echo "$line"
    done
fi
This is just a pretty print using information from JonnyJD's answer. Thanks.
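As an added example (not code from the answer above or from the ssh-fingerprints project), the following Python reproduces what the script's fallback for OpenSSH < 6.8 does with `cut | base64 -d | openssl dgst -sha256 | base64`, adds the MD5 form, and makes one check the script does not: it reads the algorithm name that leads every SSH key blob (RFC 4251 `string` encoding) and compares it with the type field of the line, instead of trusting the file name. The `matches` helper mirrors the copy & paste verification mentioned in the edit. The sample key line is constructed in the code and is not a real key; the function names and the sample comment are this example's own.

```python
"""Host-key fingerprints computed directly from an OpenSSH .pub line.

Added example, not part of the original answer or the ssh-fingerprints
script. Only the standard library is used, so it runs without ssh-keygen.
"""
import base64
import hashlib
import struct


def parse_pub_line(line):
    """Split an OpenSSH public key line into (type field, decoded blob, comment)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    return key_type, base64.b64decode(b64, validate=True), comment


def blob_key_type(blob):
    """Return the algorithm name that leads every SSH key blob.

    A blob is a sequence of SSH 'string' fields (uint32 big-endian length
    followed by that many bytes, RFC 4251); the first one names the algorithm.
    """
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    if length == 0 or len(blob) < 4 + length:
        raise ValueError("truncated algorithm name in key blob")
    return blob[4:4 + length].decode("ascii")


def fingerprint_md5(blob):
    """MD5 fingerprint in OpenSSH's pre-6.8 style: MD5:xx:xx:...:xx."""
    hexdigest = hashlib.md5(blob).hexdigest()
    pairs = (hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))
    return "MD5:" + ":".join(pairs)


def fingerprint_sha256(blob):
    """SHA256 fingerprint as OpenSSH >= 6.8 prints it: base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def type_field_matches_blob(line):
    """True when the line's first field agrees with the algorithm inside the blob."""
    key_type, blob, _ = parse_pub_line(line)
    return blob_key_type(blob) == key_type


def fingerprints(line):
    """Both fingerprints of a .pub line; refuses lines whose type field lies."""
    key_type, blob, _ = parse_pub_line(line)
    blob_type = blob_key_type(blob)
    if blob_type != key_type:
        raise ValueError(f"type field {key_type!r} but blob says {blob_type!r}")
    return {"type": key_type,
            "MD5": fingerprint_md5(blob),
            "SHA256": fingerprint_sha256(blob)}


def matches(line, shown):
    """Compare a fingerprint shown by a client against the key in `line`.

    Accepts either hash, ignores case in the MD5 hex and tolerates '='
    padding on SHA256 (as produced by a manual `openssl ... | base64`).
    """
    fps = fingerprints(line)
    shown = shown.strip()
    if shown.upper().startswith("MD5:"):
        return fps["MD5"][len("MD5:"):] == shown[len("MD5:"):].lower()
    if shown.upper().startswith("SHA256:"):
        return fps["SHA256"][len("SHA256:"):] == shown[len("SHA256:"):].rstrip("=")
    return False


def _ssh_string(data):
    """Encode bytes as an SSH 'string' field."""
    return struct.pack(">I", len(data)) + data


# Constructed sample input: an ed25519-shaped blob around 32 fixed bytes.
# It is NOT a real key; it only exercises the parsing and fingerprinting.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")
SAMPLE_PUB_LINE = "ssh-ed25519 " + SAMPLE_B64 + " root@host.example (constructed)"


if __name__ == "__main__":
    fps = fingerprints(SAMPLE_PUB_LINE)
    print(f"{fps['type']:<11} {fps['MD5']}")
    print(f"{fps['type']:<11} {fps['SHA256']}")
    # A line claiming ssh-rsa while carrying an ed25519 blob is flagged
    print("type field consistent:", type_field_matches_blob("ssh-rsa " + SAMPLE_B64))
```

Pointing `fingerprints()` at the contents of `/etc/ssh/ssh_host_*_key.pub` gives the same values ssh-keygen prints for `-E md5` and `-E sha256`, and the blob check catches a key file that was renamed or copied under the wrong name, which the script's file-name based "Cipher" column would not notice.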