
Calculate RSA key fingerprint

I need to do the SSH key audit for GitHub, but I am not sure how to find my RSA key fingerprint. I originally followed a guide to generate an SSH key on Linux.

What is the command I need to enter to find my current RSA key fingerprint?

Zakoff asked Mar 07 '12 18:03




4 Answers

Run the following command to retrieve the SHA256 fingerprint of your SSH key (-l means "list" instead of creating a new key, -f means "filename"):

$ ssh-keygen -lf /path/to/ssh/key

So for example, on my machine the command I ran was (using RSA public key):

$ ssh-keygen -lf ~/.ssh/id_rsa.pub
2048 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff /Users/username/.ssh/id_rsa.pub (RSA)

To get the GitHub (MD5) fingerprint format with newer versions of ssh-keygen, run:

$ ssh-keygen -E md5 -lf <fileName>

Bonus information:

ssh-keygen -lf also works on known_hosts and authorized_keys files.

To find most public keys on Linux/Unix/OS X systems, run

$ find /etc/ssh /home/*/.ssh /Users/*/.ssh -name '*.pub' -o -name 'authorized_keys' -o -name 'known_hosts'

(If you want to see inside other users' homedirs, you'll have to be root or sudo.)

The ssh-add -l is very similar, but lists the fingerprints of keys added to your agent. (OS X users take note that magic passwordless SSH via Keychain is not the same as using ssh-agent.)

Marvin Pinto answered Oct 07 '22 06:10


The newer SSH commands will list fingerprints as a SHA256 Key.

For example:

ssh-keygen -lf ~/.ssh/id_dsa.pub 
1024 SHA256:19n6fkdz0qqmowiBy6XEaA87EuG/jgWUr44ZSBhJl6Y (DSA)

If you need to compare it against an old fingerprint you also need to specify to use the MD5 fingerprint hashing function.

ssh-keygen -E md5 -lf ~/.ssh/id_dsa.pub
2048 MD5:4d:5b:97:19:8c:fe:06:f0:29:e7:f5:96:77:cb:3c:71 (DSA)

Also available: -E sha1

Update... YES...yes... I know... DSA keys for SSH should no longer be used, the older RSA key or newer elliptic keys should be used instead.

To those 'admins' that keep editing the command I used in the above. STOP CHANGING IT! You make the command and resulting output mismatch!

anthony answered Oct 07 '22 05:10
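
An added example (not part of any answer on this page, and not OpenSSH code): what `ssh-keygen -lf` and `ssh-keygen -E md5 -lf` report, recomputed in Python from a public key line so that old MD5 and new SHA256 fingerprints can be compared during an audit. It assumes plain `type base64 comment` lines with no authorized_keys options prefix; the function names and the sample key line are constructed for this example.

```python
import base64
import hashlib
import struct

def read_string(buf, off):
    """Read one length-prefixed field of the key blob; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:end], end

def fingerprints(line):
    """Fingerprint one 'type base64 [comment]' line from a .pub file."""
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("not a public key line")
    declared = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    embedded, off = read_string(blob, 0)
    # The algorithm name inside the blob must agree with the text label.
    if embedded.decode("ascii", "replace") != declared:
        raise ValueError("declared key type does not match the blob")
    bits = None
    if declared == "ssh-rsa":
        _e, off = read_string(blob, off)       # public exponent
        n, off = read_string(blob, off)        # modulus
        bits = int.from_bytes(n, "big").bit_length()
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "type": declared,
        "bits": bits,
        "md5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha,
    }

def sample_line():
    """Constructed ssh-rsa line for the demo; n = 2**2047 + 1 is not a usable key."""
    def field(b):
        return struct.pack(">I", len(b)) + b
    def mpint(v):  # big-endian, with a leading zero byte when the top bit is set
        return v.to_bytes(v.bit_length() // 8 + 1, "big")
    blob = field(b"ssh-rsa") + field(mpint(65537)) + field(mpint((1 << 2047) | 1))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"

if __name__ == "__main__":
    for name, value in fingerprints(sample_line()).items():
        print(name, value)
```

Both fingerprint formats are hashes of the same decoded key blob, which is why a key listed under an MD5 fingerprint in one place and a SHA256 fingerprint in another can still be matched.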


To see your key on Ubuntu, just enter the following command on your terminal:

ssh-add -l

You will get an output like this: 2568 0j:20:4b:88:a7:9t:wd:19:f0:d4:4y:9g:27:cf:97:23 yourName@ubuntu (RSA)

If, however, you get an error like "Could not open a connection to your authentication agent.", then it means that ssh-agent is not running. You can start/run it with: ssh-agent bash (thanks to @Richard in the comments) and then re-run ssh-add -l

Komu answered Oct 07 '22 06:10


A key pair (the private and public keys) will have the same fingerprint; so in case you can't remember which private key belongs to which public key, find the match by comparing their fingerprints.

The most voted answer by Marvin Pinto provides the fingerprint of a public SSH key file. The fingerprint of the corresponding private SSH key can also be queried, but it requires a longer series of steps, as shown below.

  1. Load the SSH agent, if you haven't done so. The easiest way is to invoke

    $ ssh-agent bash
    

    or

    $ ssh-agent tcsh
    

    (or another shell you use).

  2. Load the private key you want to test:

    $ ssh-add /path/to/your-ssh-private-key
    

    You will be asked to enter the passphrase if the key is password-protected.

  3. Now, as others have said, type

    $ ssh-add -l
    1024 fd:bc:8a:81:58:8f:2c:78:86:a2:cf:02:40:7d:9d:3c you@yourhost (DSA)
    

    fd:bc:... is the fingerprint you are after. If there are multiple keys, multiple lines will be printed, and the last line contains the fingerprint of the last loaded key.

  4. If you want to stop the agent (i.e., if you invoked step 1 above), then simply type "exit" on the shell, and you'll be back on the shell prior to the loading of ssh agent.

I do not add new information, but hopefully this answer is clear to users of all levels.

Wirawan Purwanto answered Oct 07 '22 07:10