When I log in to an SSH server/host I get asked whether the hash of its public key is correct, like this:
# ssh 1.2.3.4
The authenticity of host '[1.2.3.4]:22 ([[1.2.3.4]:22)' can't be established.
RSA key fingerprint is SHA256:CxIuAEc3SZThY9XobrjJIHN61OTItAU0Emz0v/+15wY.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
In order to be able to compare, I used this command on the SSH server previously and saved the results to a file on the client:
# ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
2048 f6:bf:4d:d4:bd:d6:f3:da:29:a3:c3:42:96:26:4a:41 /etc/ssh/ssh_host_rsa_key.pub (RSA)
For some great reason (no doubt) one of these commands uses a different (newer?) way of displaying the hash, thereby helping man-in-the-middle attackers enormously because it requires a non-trivial conversion to compare these.
How do I compare these two hashes, or better: force one command to use the other's format?
The -E option to ssh-keygen is not available on the server.
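Added example, not part of the original question: given the server's public key line (the contents of /etc/ssh/ssh_host_rsa_key.pub, which can be copied instead of a fingerprint), compute both the legacy MD5 hex fingerprint and the SHA256 base64 one from the same key blob, and check a fingerprint string in either format against it. The RSA modulus used here is a constructed toy value, not a real key.

```python
import base64
import hashlib
import re
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + data)."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n: int) -> bytes:
    """Encode a positive integer as an SSH wire-format mpint (leading 0x00 keeps the sign bit clear)."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def rsa_blob(e: int, n: int) -> bytes:
    """Build the raw ssh-rsa key blob ssh-keygen hashes: string "ssh-rsa", mpint e, mpint n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def pubkey_line(blob: bytes, comment: str) -> str:
    """Render a blob as an OpenSSH public key line: '<type> <base64> <comment>'."""
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def blob_from_pubkey_line(line: str) -> bytes:
    """Extract the raw key blob from an OpenSSH public key line (second field)."""
    return base64.b64decode(line.split()[1])

def fingerprint_md5(blob: bytes) -> str:
    """Legacy ssh-keygen format: colon-separated lowercase hex MD5 of the key blob."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprint_sha256(blob: bytes) -> str:
    """Newer format: 'SHA256:' + base64 of SHA-256 of the blob, with '=' padding stripped."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def fingerprint_matches(shown: str, blob: bytes) -> bool:
    """Compare a fingerprint in either format (an 'MD5:' prefix is also accepted) to a key blob."""
    shown = shown.strip()
    if shown.startswith("SHA256:"):
        return shown == fingerprint_sha256(blob)
    if shown.startswith("MD5:"):
        shown = shown[4:]
    if re.fullmatch(r"([0-9a-f]{2}:){15}[0-9a-f]{2}", shown):
        return shown == fingerprint_md5(blob)
    return False  # unrecognised format: never report a match by accident

if __name__ == "__main__":
    toy = rsa_blob(65537, 0xC0FFEE)  # constructed toy key, not a real RSA public key
    line = pubkey_line(toy, "root@example-host")
    blob = blob_from_pubkey_line(line)
    print(fingerprint_md5(blob))
    print(fingerprint_sha256(blob))
    print(fingerprint_matches(fingerprint_sha256(blob), blob))
```

In practice the blob comes from the server's .pub file or from `ssh-keyscan` output; the prompt fingerprint from `ssh` is then passed to `fingerprint_matches` together with it.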