I read this question

In the answer and solution appears the following command (adapted here for presentation purposes):

ssh-keyscan 192.168.1.X | ssh-keygen -lf -

I know that the first command in isolation shows the public keys of the host. When the complete command is executed (thus the two parts), according to the final output, the public keys from the first command are used to generate their own fingerprints.

Question

  • How does - work in the ssh-keygen -lf - command?

It is mandatory. I know l is to show the fingerprint and f is to define a filename, but how is - interpreted?

Manuel Jordan

1 Answer

By default, ssh-keygen -l will ask you interactively for what public key file to show the fingerprint of. With -f you give it the pathname of some existing file instead.

If the pathname is - (a dash), input is read from standard input instead of from a file.

This is a common practice that quite a few other commands also follow, most notably cat (cat - reads from standard input).

In your pipeline, the data on standard input is provided by the ssh-keyscan command. The ssh-keyscan command will extract the public key of the mentioned host and pass it on to ssh-keygen -l. The ssh-keygen utility will output the fingerprint.

Without -f -, the ssh-keygen utility would try to use the output of ssh-keyscan as the filename to read the key from.

This is arguably bad design, as it's easy to programmatically determine whether the input to a program comes from a terminal or something that is not a terminal (like another command or a file). So in a sense, -f - could be made unnecessary.

Kusalananda
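What `ssh-keygen -lf -` computes from the piped `ssh-keyscan` lines, as an added Python example that is not part of the original answer: it follows the same "`-` means standard input" convention, derives the SHA256 fingerprint from each key blob, and compares it with fingerprints obtained over a trusted channel, since `ssh-keyscan` output on its own is unauthenticated. The script name `fpcheck.py`, the helper names and the sample key (fixed bytes on a documentation address) are constructed for illustration; every key the host offers must be pinned, so either pin all key types or scan a single type.

```python
import base64
import hashlib
import struct
import sys


def open_key_source(path):
    """Same convention as `ssh-keygen -f -`: a path of "-" means standard input."""
    return sys.stdin if path == "-" else open(path, encoding="ascii")


def fingerprints(lines):
    """Yield (host, keytype, fingerprint) per `host keytype base64` line."""
    for line in lines:
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # blank lines and "# host:22 SSH-2.0-..." comments
        host, keytype, b64 = fields[:3]
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue  # third field is not base64, so not a key line
        # The blob starts with a length-prefixed copy of the key type.
        if len(blob) < 4:
            continue
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n] != keytype.encode():
            continue
        digest = hashlib.sha256(blob).digest()
        yield host, keytype, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_scan(lines, host, pinned):
    """True only if host offered at least one key and every one is pinned."""
    seen = [fp for h, _, fp in fingerprints(lines) if h == host]
    return bool(seen) and all(fp in pinned for fp in seen)


def sample_line(host="192.0.2.10"):
    """Constructed ed25519 entry (fixed bytes, not a real host key)."""
    name, key = b"ssh-ed25519", bytes(range(32))
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


if __name__ == "__main__":
    if len(sys.argv) < 4:  # no arguments: show the constructed sample
        print(*next(fingerprints([sample_line()])))
    else:  # ssh-keyscan HOST | python3 fpcheck.py - HOST SHA256:...
        sys.exit(not check_scan(open_key_source(sys.argv[1]), sys.argv[2], set(sys.argv[3:])))
```

The exit status is 0 only when every scanned key for the host matches a pinned fingerprint, so the script can gate a step that appends the scanned lines to `known_hosts`.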