OpenSSH's display format for host key fingerprints has changed recently - between versions 6.7 and 6.8. When connecting to a new host, the message now looks like this:
user@desktop:~$ ssh 10.33.1.114
The authenticity of host '10.33.1.114 (10.33.1.114)' can't be established.
ECDSA key fingerprint is SHA256:9ZTSzJsnk0byQRs24iKoYrf/d5eDvQL60tR/zO41k/I.
Are you sure you want to continue connecting (yes/no)?
On the remote host server (which I reached through a 3rd machine, where I had accepted the key earlier using an older client), I can see the fingerprint with
user@server:~$ ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key
256 a2:7e:2b:87:4c:47:69:16:78:9e:1a:4b:db:a7:a2:57 root@server (ECDSA)
But there's no way to match these two up.
If I install an older ssh version on desktop, and first connect using that, I see
user@desktop:~$ ssh 10.33.1.114
The authenticity of host '10.33.1.114 (10.33.1.114)' can't be established.
ECDSA key fingerprint is a2:7e:2b:87:4c:47:69:16:78:9e:1a:4b:db:a7:a2:57.
Are you sure you want to continue connecting (yes/no)?
That matches, so I can safely accept it, and it gets added to my ~/.ssh/known_hosts. Then the newer version of ssh also accepts it. But that requires me to build/install the older ssh version on desktop.
From an answer to another question about server fingerprints, I learned that the old form can be shown with ssh-keygen -E md5, and the new one is -E sha256. But the -E option only appeared when SHA256 became the default - the version of ssh-keygen on server can only show MD5. To see the SHA256 fingerprint of the key I trust, I'd first have to retrieve it (e.g. through that 3rd machine) and put it where the newer ssh-keygen can find it. Or I'd have to run a newer ssh-keygen on server. (-E means something completely different for ssh.)
How can I display both keys (the one that I trust, and the one that I'm being presented with) in the same format? Preferably without installing additional versions, or copying key files around?
ssh-keygen it seems to be -E md5: ssh-keygen -E md5 -l -f /etc/ssh/ssh_host_rsa_key.pub
– nyov Feb 07 '20 at 22:39
command-line: line 0: Bad configuration option: fingerprinthash
– Michael Apr 20 '22 at 20:05
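Both display formats are hashes of the same data, the base64-decoded public key blob: the old one is the MD5 digest as colon-separated hex, the new one is the SHA256 digest as base64 without padding. The following Python sketch is an added example, not part of the original question or its comments; it computes both from a `.pub` file or `known_hosts` line, and its function names and the all-zero sample key are constructed for illustration.

```python
import base64
import binascii
import hashlib
import sys


def md5_fp(blob: bytes) -> str:
    # Pre-6.8 display: MD5 of the raw key blob, colon-separated hex.
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def sha256_fp(blob: bytes) -> str:
    # 6.8+ display: SHA256 of the same blob, base64 with '=' padding stripped.
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_blob(line: str) -> bytes:
    # Works on .pub lines ("type base64 comment") and known_hosts lines
    # ("host type base64"): the blob begins with a length-prefixed copy of
    # the key type, so accept the first (type, base64) pair that agrees.
    fields = line.split()
    for ktype, b64 in zip(fields, fields[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            continue
        n = int.from_bytes(blob[:4], "big")
        if blob[4:4 + n] == ktype.encode():
            return blob
    raise ValueError("no SSH public key found in line")


def fingerprints(line: str) -> tuple:
    blob = key_blob(line)
    return md5_fp(blob), sha256_fp(blob)


# Constructed sample: an all-zero ed25519 blob, not a real host key.
SAMPLE_BLOB = (11).to_bytes(4, "big") + b"ssh-ed25519" + (32).to_bytes(4, "big") + bytes(32)
SAMPLE_LINE = "10.33.1.114 ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    # Usage: python3 fp.py < /etc/ssh/ssh_host_ecdsa_key.pub
    text = SAMPLE_LINE if sys.stdin.isatty() else sys.stdin.read()
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            print(*fingerprints(line))
```

Fed the `.pub` file on the host whose key is trusted, the second value can be compared directly with the `SHA256:` string a newer client prints, and the first with what an older client prints.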