get SSH key fingerprint in (old) hex format on new version of openssh

It seems that openssh has changed the way it displays key fingerprints.

I am trying to ssh from a client machine to a server:

client: ubuntu 14.04 running OpenSSH 6.6.1
server: FreeBSD running OpenSSH 7.2p2.

The client reports the md5 hash of the server's key as a sequence of 16 pairs of hex digits, like this:

a7:b1:3e:3d:84:24:a2:5a:91:5f:6f:e9:cf:dd:2b:6a

The server defaults to using the sha256 hash, but thanks to this answer I can force it to give the sha1 hash by running:

[root@host /etc/ssh]# ssh-keygen -l -E sha1 -f ssh_host_ecdsa_key.pub

I want the result to look like this:

a7:b1:3e:3d:84:24:a2:5a:91:5f:6f:e9:cf:dd:2b:6a

but instead I get this:

256 SHA1:KIh0ejR4O+RqrSq7JdGAASddRfI root@host.local (ECDSA)

It looks to me like a base64 encoded version of the fingerprint is now being displayed instead of hex digits.

How can I get the checksum of the server's key in the same format as that reported by the (older) client (colon separated hex digits, sha1 hash) so as to check that they are the same?

EDIT: The old version of SSH gives the md5 checksum, not the sha1 checksum as I mistakenly thought. Using that checksum (as the now accepted answer should state) in the -E option gives the desired output.

stochastic

Posted 2016-06-11T22:30:58.260

Reputation: 643

Answers

The client reports the sha1 hash of the server's key as a sequence of 16 pairs of hex digits, like this:
    a7:b1:3e:3d:84:24:a2:5a:91:5f:6f:e9:cf:dd:2b:6a

This is MD5 hash.

As you can see running

ssh-keygen -l -E md5 -f ssh_host_ecdsa_key.pub

will get you the same fingerprint you need without such harakiri you are explaining in your answer.

Jakuje

Posted 2016-06-11T22:30:58.260

Reputation: 7 981

1Unfortunately, this does not work. My question contains the result of running your suggested command. Newer versions of ssh-keygen give the md5 hash as a (base64 encoded?) string instead of a hex string. "All that harakiri" (an apt description!) is the easiest way i could find to get an old style hex string from the new version of openssh tools. – stochastic – 2016-06-12T12:47:29.727

Unless FreeBSD break something (or removed MD5 support), there is no reason why it should not work. Note that your command lists wrongly sha1 instead of md5! I have outdated Ubuntu version with openssh-6.9, but it works just fine. – Jakuje – 2016-06-12T13:17:04.053

1md5 instead of sha1... not sure how I missed that. That does indeed give matching output. – stochastic – 2016-06-12T13:21:00.817

I have the opposite problem. I have the md5 and want the other format. How do I get it? – Gabriel Staples – 2017-08-03T19:05:59.650

1Works when command is executed on ubuntu. Does not work when command is executed on centos. – Marinos An – 2017-12-12T11:36:51.637

@MarinosAn it depends on which version. CentOS 6 is old and you will get this output by default, CentOS 7 should work this way already. – Jakuje – 2017-12-12T11:42:07.230

As it turns out, the SSH Cookbook has a way to manually generate keys in the older hex format. I used this on the freebsd server.

awk '{print $2}' key.pub | base64 -d | md5 | sed 's/../&:/g; s/: .*$//'

Breaking this down:

awk '{print $2}' key.pub

print out the second (space separated) column in "key.pub", which is the key itself

base64 -d

the key is base64 encoded. This will output the actual bytes of the key

md5

this is freebsd's equivalent of the 'md5sum -b' that was specified in the recipe on the ssh cookbook page

sed 's/../&:/g; s/: .*$//'

There are two sed commands here:

s/../&:/g;

replace every pair of characters on the line (thanks to the 'g' flag at the end) with that same pair followed by a colon

s/: .*$//'

remove any trailing colon (replace a colon followed by a space followed by anything up to the end of the line with nothing).

stochastic

Posted 2016-06-11T22:30:58.260

Reputation: 643

In cases like this I use the following little script (tested on Debian and Ubuntu):

#!/bin/sh

# Gather the public ssh host keys for the given host
# and for each key print the fingerprint in hex format using the given
# checksum command (e.g. md5sum, sha256sum, ...)

if [ "$#" != 2 ]; then
  echo "usage: $0 hostname checksum_command"
  exit 1
fi

ssh-keyscan $1 2>/dev/null | while read -r line; do
  echo "Scanned key:"
  echo $line
  echo "$2 fingerprint:"
  echo $line | awk '{print $3}' | base64 -d | $2 -b | awk '{print $1}' | sed 's/../&:/g' | sed 's/:$//'
  echo
done

Example usage:

$ myscript host.example.com md5sum
Scanned key:
host.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJUXq7vpcEpnZQxxiLw/tdg8ui4LoqbW1O5nGyLtGw49
md5sum fingerprint:
6c:ef:26:f7:98:ad:ed:5b:cc:ff:83:13:46:c9:f6:79

Scanned key:
host.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC4aLMajBvisnWNR2VX5K1KEkNeRmzlcs+svbY6/DiumMTZNtqB5duZjGkMmEbIclHaT7rQG9efAWsNhai5cJVRZ4VX1Gu/TLycEk4OY56MrrWjQYweSUr/W6E0eVCf7gh/ym2vMcevct4373fGDdlogk9Wa97lDV6PUXRy/znxRlo3tBc6KMOZIBoPu8UjeLr2ZPNPjO6hXX/96HbYfboxjhMl5eb8AWR0MGd4qU7RZZa2XhT4/4eSo8h9gEq8V3tasB24fMdw3K+HRiDyZm8uoNq+IrJlC22pBpzxRQtsv0Nd+uC5pK/UPVI3AFfdHMrmn7IHRio8aEaTloM6MRysGMtXE0kFQ/pV2U3TBmK/9wxID83qMDsQeUH4oTyjSJ0dCBuqgVQUg44z5qXVOK7gruvZSTyH7DsIyAXhlvLNwdtXPJ4HPQ90ZxLpiFWYgSPErQgbfgKeFkoSQiSP1M+UMkITCGRKMeUeDINheRJh/5y8+C3DjE54xyI4903ztyI7HqgVTOOFCtf+dlhCuS6+J20PFXEHDMdGCwmPQrKOG9Rb4NBxuvtn7MxJnwnlIu3nhDjr8SlZDOTvuK+bLpc4AZwEsNY7ANKFvj2mqE6hjkhu+x7khg84VQ6BKOmHIQnMrCpqICaNgB7Vz2d183BETrnfKQaPh79G5cQox5vwvw==
md5sum fingerprint:
b2:9c:cd:30:b1:38:e3:d1:17:d6:73:eb:03:9a:80:83

$ myscript host.example.com sha256sum
Scanned key:
host.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC4aLMajBvisnWNR2VX5K1KEkNeRmzlcs+svbY6/DiumMTZNtqB5duZjGkMmEbIclHaT7rQG9efAWsNhai5cJVRZ4VX1Gu/TLycEk4OY56MrrWjQYweSUr/W6E0eVCf7gh/ym2vMcevct4373fGDdlogk9Wa97lDV6PUXRy/znxRlo3tBc6KMOZIBoPu8UjeLr2ZPNPjO6hXX/96HbYfboxjhMl5eb8AWR0MGd4qU7RZZa2XhT4/4eSo8h9gEq8V3tasB24fMdw3K+HRiDyZm8uoNq+IrJlC22pBpzxRQtsv0Nd+uC5pK/UPVI3AFfdHMrmn7IHRio8aEaTloM6MRysGMtXE0kFQ/pV2U3TBmK/9wxID83qMDsQeUH4oTyjSJ0dCBuqgVQUg44z5qXVOK7gruvZSTyH7DsIyAXhlvLNwdtXPJ4HPQ90ZxLpiFWYgSPErQgbfgKeFkoSQiSP1M+UMkITCGRKMeUeDINheRJh/5y8+C3DjE54xyI4903ztyI7HqgVTOOFCtf+dlhCuS6+J20PFXEHDMdGCwmPQrKOG9Rb4NBxuvtn7MxJnwnlIu3nhDjr8SlZDOTvuK+bLpc4AZwEsNY7ANKFvj2mqE6hjkhu+x7khg84VQ6BKOmHIQnMrCpqICaNgB7Vz2d183BETrnfKQaPh79G5cQox5vwvw==
sha256sum fingerprint:
f4:61:58:e4:90:65:c4:70:98:7f:d1:40:0a:d8:d9:79:14:e6:91:dc:b6:ed:91:8c:c0:df:d9:65:db:dd:a0:18

Scanned key:
host.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJUXq7vpcEpnZQxxiLw/tdg8ui4LoqbW1O5nGyLtGw49
sha256sum fingerprint:
4b:73:d1:d7:80:87:46:64:56:71:64:10:7a:66:83:9b:c7:58:39:0b:16:74:dd:9b:d9:4b:e5:d5:61:7e:99:45

rpr

Posted 2016-06-11T22:30:58.260

Reputation: 266