
OpenSSH's display format for host key fingerprints has changed recently - between versions 6.7 and 6.8. When connecting to a new host, the message now looks like this:

user@desktop:~$ ssh 10.33.1.114
The authenticity of host '10.33.1.114 (10.33.1.114)' can't be established.
ECDSA key fingerprint is SHA256:9ZTSzJsnk0byQRs24iKoYrf/d5eDvQL60tR/zO41k/I.
Are you sure you want to continue connecting (yes/no)?

On the remote host server (which I reached through a 3rd machine, where I had accepted the key earlier using an older client), I can see the fingerprint with

user@server:~$ ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key
256 a2:7e:2b:87:4c:47:69:16:78:9e:1a:4b:db:a7:a2:57  root@server (ECDSA)

But there's no way to match these two up.

If I install an older ssh version on desktop, and first connect using that, I see

user@desktop:~$ ssh 10.33.1.114
The authenticity of host '10.33.1.114 (10.33.1.114)' can't be established.
ECDSA key fingerprint is a2:7e:2b:87:4c:47:69:16:78:9e:1a:4b:db:a7:a2:57.
Are you sure you want to continue connecting (yes/no)?

That matches, so I can safely accept it, and it gets added to my ~/.ssh/known_hosts. Then the newer version of ssh also accepts it. But that requires me to build/install the older ssh version on desktop.

From an answer to another question about server fingerprints, I learned that the old form can be shown with ssh-keygen -E md5, and the new one is -E sha256. But the -E option only appeared when SHA256 became the default - the version of ssh-keygen on server can only show MD5. To see the SHA256 fingerprint of the key I trust, I'd first have to retrieve it (e.g. through that 3rd machine) and put it where the newer ssh-keygen can find it. Or I'd have to run a newer ssh-keygen on server. (-E means something completely different for ssh.)

How can I display both keys (the one that I trust, and the one that I'm being presented with) in the same format? Preferably without installing additional versions, or copying key files around?

1 Answer


Use

ssh -o FingerprintHash=md5 10.33.1.114

to get the old-md5 fingerprint from the client.

  • And for ssh-keygen it seems to be -E md5: ssh-keygen -E md5 -l -f /etc/ssh/ssh_host_rsa_key.pub (commented Feb 7, 2020 at 22:39)
  • command-line: line 0: Bad configuration option: fingerprinthash (commented Apr 20, 2022 at 20:05)
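The question is really about computing the same fingerprint on both sides when only one side has a tool that knows about the other format. Both OpenSSH formats are digests of the same thing, the raw key blob that is the base64 field of a .pub line: MD5 rendered as colon-separated hex (the pre-6.8 client output and ssh-keygen -E md5) and SHA256 rendered as base64 with the trailing "=" stripped (the 6.8+ default). The following script is an added example written for this page; it is not code from the question, the answer, or OpenSSH. It uses only the Python 3 standard library, so it runs on a server whose ssh-keygen predates -E, prints both forms for a key file such as /etc/ssh/ssh_host_ecdsa_key.pub (that path, and the fake ed25519 key built in constructed_ed25519_pubkey_line, are assumptions for illustration), and checks a fingerprint pasted from any client, whichever format that client printed.

```python
#!/usr/bin/env python3
"""Print an OpenSSH public key's fingerprint in both the pre-6.8 (MD5, hex with
colons) and the 6.8+ (SHA256, unpadded base64) formats, and compare a fingerprint
shown by any ssh client against a key regardless of which format it is in.

Added example for this page; not the question's, the answer's, or OpenSSH's code.
It relies on how OpenSSH defines a fingerprint: a digest over the raw key blob
(the base64 field of a .pub line). Standard library only.
"""
import base64
import hashlib
import struct
import sys


def parse_pubkey_line(line):
    """Split an OpenSSH public-key line into (key_type, raw blob bytes, comment)."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line: %r" % line)
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) > 2 else ""
    blob = base64.b64decode(b64, validate=True)
    return key_type, blob, comment


def embedded_key_type(blob):
    """Key type stored inside the blob itself (its first RFC 4253 length-prefixed
    string), or None if the blob is too short to carry one. Comparing this with
    the first field of the .pub line catches a mangled or truncated key."""
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + n:
        return None
    return blob[4:4 + n].decode("ascii", "replace")


def md5_fingerprint(blob):
    """Old format (OpenSSH < 6.8 default): 16 hex byte pairs joined by colons."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(blob):
    """New format (OpenSSH >= 6.8 default): 'SHA256:' + base64 digest, no '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprints(line):
    """Both fingerprints for one .pub line, plus a consistency flag for the blob."""
    key_type, blob, comment = parse_pubkey_line(line)
    return {
        "type": key_type,
        "comment": comment,
        "blob_consistent": embedded_key_type(blob) == key_type,
        "md5": md5_fingerprint(blob),
        "sha256": sha256_fingerprint(blob),
    }


def fingerprint_matches(line, shown):
    """True if `shown`, as printed by an ssh client or ssh-keygen, belongs to this
    key. Accepts 'SHA256:...' (6.8+ client), 'MD5:aa:bb:...' (ssh-keygen -E md5)
    and the bare 'aa:bb:...' form that clients before 6.8 print."""
    _, blob, _ = parse_pubkey_line(line)
    shown = shown.strip()
    if shown.startswith("SHA256:"):
        return shown == sha256_fingerprint(blob)
    if shown.startswith("MD5:"):
        shown = shown[4:]
    return shown.lower() == md5_fingerprint(blob)


def constructed_ed25519_pubkey_line():
    """A syntactically valid ed25519 .pub line built from made-up key bytes
    (constructed sample input for this example, not a real host key)."""
    key_type = b"ssh-ed25519"
    fake_point = bytes(range(32))
    blob = struct.pack(">I", len(key_type)) + key_type
    blob += struct.pack(">I", len(fake_point)) + fake_point
    return "ssh-ed25519 %s root@server" % base64.b64encode(blob).decode("ascii")


if __name__ == "__main__":
    # Usage: python3 fp.py /etc/ssh/ssh_host_ecdsa_key.pub
    # With no argument the constructed sample key is used instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            lines = [l for l in f if l.strip() and not l.startswith("#")]
    else:
        lines = [constructed_ed25519_pubkey_line()]
    for line in lines:
        fp = fingerprints(line)
        print("%s %s %s" % (fp["type"], fp["md5"], fp["comment"]))
        print("%s %s %s" % (fp["type"], fp["sha256"], fp["comment"]))
        if not fp["blob_consistent"]:
            print("warning: blob does not start with %r" % fp["type"])
```

Run it on the server against the .pub file (ssh-keygen -l -f in the question was pointed at the private key; the fingerprint is the same because it is computed over the public blob), and compare the SHA256 line with what the 6.8+ client on desktop prints. A client that rejects FingerprintHash, as in the second comment, predates 6.8 and already prints the MD5 form, so the script's MD5 line is the one to compare there. Either way the comparison happens on bytes you already hold on each side, with nothing copied between machines.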
