Verify host key fingerprint in old format

Question

OpenSSH's display format for host key fingerprints has changed recently - between versions 6.7 and 6.8. When connecting to a new host, the message now looks like this:

user@desktop:~$ ssh 10.33.1.114
The authenticity of host '10.33.1.114 (10.33.1.114)' can't be established.
ECDSA key fingerprint is SHA256:9ZTSzJsnk0byQRs24iKoYrf/d5eDvQL60tR/zO41k/I.
Are you sure you want to continue connecting (yes/no)?

On the remote host server (which I reached through a 3rd machine, where I had accepted the key earlier using an older client), I can see the fingerprint with

user@server:~$ ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key
256 a2:7e:2b:87:4c:47:69:16:78:9e:1a:4b:db:a7:a2:57  root@server (ECDSA)

But there's no way to match these two up.

If I install an older ssh version on desktop, and first connect using that, I see

user@desktop:~$ ssh 10.33.1.114
The authenticity of host '10.33.1.114 (10.33.1.114)' can't be established.
ECDSA key fingerprint is a2:7e:2b:87:4c:47:69:16:78:9e:1a:4b:db:a7:a2:57.
Are you sure you want to continue connecting (yes/no)?

That matches, so I can safely accept it, and it gets added to my ~/.ssh/known_hosts. Then the newer version of ssh also accepts it. But that requires me to build/install the older ssh version on desktop.

From an answer to another question about server fingerprints, I learned that the old form can be shown with ssh-keygen -E md5, and the new one is -E sha256. But the -E option only appeared when SHA256 became the default - the version of ssh-keygen on server can only show MD5. To see the SHA256 fingerprint of the key I trust, I'd first have to retrieve it (eg. through that 3rd machine) and put it where the newer ssh-keygen can find it. Or I'd have to run a newer ssh-keygen on server. (-E means something completely different for ssh.)

How can I display both keys (the one that I trust, and the one that I'm being presented with) in the same format? Preferably without installing additional versions, or copying key files around?

score 4 · Accepted Answer · answered Aug 19 '16 at 14:26

4

Use

ssh -o FingerprintHash=md5 10.33.1.114

to get the old-md5 fingerprint from the client.

answered Aug 19 '16 at 14:26

Jakuje

21,357

2

And for ssh-keygen it seems to be -E md5: ssh-keygen -E md5 -l -f /etc/ssh/ssh_host_rsa_key.pub – nyov Feb 07 '20 at 22:39
command-line: line 0: Bad configuration option: fingerprinthash – Michael Apr 20 '22 at 20:05

Verify host key fingerprint in old format

1 Answers1

Linked