
OpenBSD's "ssh-keygen -l" output format has changed in 5.7. How to verify the host key when connecting from older ssh versions?

Until OpenBSD 5.6 the host_keys fingerprint output format was like this:

```
# ssh-keygen -lf ssh_host_ecdsa_key.pub
256 9d:76:ba:86:80:ef:63:eb:41:2f:13:f3:f4:b5:0b:35  root@bsd.domain.de (ECDSA)
```

In OpenBSD 5.7 the output format has changed:

```
# ssh-keygen -lf ssh_host_ecdsa_key.pub
256 SHA256:6vYsd91sIrtVqPXazpPfRxj9QDa+1+Ns2C2lKSUph3c root@bsd.domain.de (ECDSA)
```

When connecting from an OpenBSD 5.7 ssh client to an OpenBSD 5.7 sshd, verification is possible:

```
# ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:6vYsd91sIrtVqPXazpPfRxj9QDa+1+Ns2C2lKSUph3c.
Are you sure you want to continue connecting (yes/no)?
```

How do I verify the key's fingerprint when connecting from an OpenBSD 5.6 to an OpenBSD 5.7 machine? Is there a way to convert the output format?

user208383

1 Answer


In OpenBSD 5.7 ssh-keygen uses SHA256 for the default fingerprint hash.

You're looking for the MD5 hash of the fingerprint:

```
# ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_ecdsa_key.pub
```
John Leimon
  • I cannot confirm this. When I start PuTTY on Windows to open a new connection to an OpenBSD 5.7 host, it says something like `The server's rsa2 key fingerprint is: ssh-rsa 2048 d6:b5:d6:e2:22:59:5f:d5:15:df:5f:52:2b:4d:e5:6a` After logging in, `ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_ecdsa_key.pub` does not output the same fingerprint. The same applies for ssh clients on Ubuntu instead of PuTTY. – user208383 May 17 '15 at 08:09
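An added example, not part of the question or the answer above: both fingerprint styles are hashes of the same base64-decoded key blob from the `.pub` file, so either can be recomputed on any machine and compared with what a client displays. The key line is constructed from dummy bytes and the function names are illustrative; a fingerprint only matches the `.pub` file of the same key type the client names in its prompt.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data

def sample_pubkey_line() -> str:
    """Constructed ECDSA-shaped key line with dummy point bytes (not a real key)."""
    blob = (ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256")
            + ssh_string(b"\x04" + bytes(range(64))))
    return "ecdsa-sha2-nistp256 %s root@example.invalid" % base64.b64encode(blob).decode()

def key_blob(pubkey_line: str) -> bytes:
    """Return the decoded key blob; both fingerprint styles hash exactly these bytes."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type field does not match the blob")
    return blob

def md5_fingerprint(blob: bytes) -> str:
    """Old style (OpenBSD 5.6 and earlier): colon-separated hex MD5."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def sha256_fingerprint(blob: bytes) -> str:
    """New style (OpenBSD 5.7): 'SHA256:' + unpadded base64 of the SHA-256 digest."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def matches(pubkey_line: str, shown: str) -> bool:
    """True if a fingerprint shown by a client (either style) belongs to this key."""
    blob = key_blob(pubkey_line)
    shown = shown.strip().rstrip(".")  # ssh ends the prompt line with a period
    if shown.upper().startswith("MD5:"):  # prefix printed by `ssh-keygen -E md5`
        shown = shown[4:]
    return shown.lower() == md5_fingerprint(blob) or shown == sha256_fingerprint(blob)

if __name__ == "__main__":
    blob = key_blob(sample_pubkey_line())
    print(md5_fingerprint(blob), sha256_fingerprint(blob), sep="\n")
```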