How to verify fingerprint of Dropbear RSA host key?

Question

When I connect to my Dropbear SSH server for the first time, I get the following message:

me@laptop:~$ ssh me@server
The authenticity of host 'server' can't be established.
RSA key fingerprint is SHA256:NycCxoRiiSAGA7Rvlnuf1gU8pazIpXJKZ3ukdivyam8.
Are you sure you want to continue connecting (yes/no)? 

To make sure that this is the correct server, I want to compare the stated fingerprint from that message to the server's real fingerprint. How can I find out the server's RSA host key fingerprint?

Answer 1

Locate the host key file on the server:

me@server:~$ ls /etc/dropbear/
authorized_keys  config  dropbear_rsa_host_key

Use dropbearkey to get the public key portion and fingerprint of that host key:

me@server:~$ sudo dropbearkey -y -f /etc/dropbear/dropbear_rsa_host_key
Public key portion is:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCk/0IEQhlDHfe3jd1MafWLEsTMFADflBWiODik6CnHXmXUrp1XmQ0fo16ffRxupnIuieU44VZkfCP8MX+WIVMRc/+UOJAox7U+v7B3T9H0a4ZeB48NyPdUCZ9MVSbk+kWmHn+UoXtPdMZ/htQ13XHJLHU8h2I+4dTUs1TYWeW4b8LppRexUJPCjdc9YxmkwI+ctHs6I1oguqSy6IP+aAlK0+QkNrG8HeFe1Nmg2iL5SuYfJCIgxJylK+s6KVMpzVPv7VNX3bSt1NJvf2etowR7kzTZs+uCJyzdILO2p5yAo9V80/zzwyqV+exPHUjD/SE9tYjEBkzKKNo215xQvAzV me@server
Fingerprint: sha1!! 41:b0:5e:af:8c:4d:2b:ae:fd:75:7d:f1:d5:35:e1:49:14:2e:08:12

The hash algorithm will be different, depending on your version. Pipe the public key portion into ssh-keygen to use a specific hash algorithm:

me@server:~$ sudo dropbearkey -y -f /etc/dropbear/dropbear_rsa_host_key | ssh-keygen -l -f - -E sha256
2048 SHA256:NycCxoRiiSAGA7Rvlnuf1gU8pazIpXJKZ3ukdivyam8 me@server (RSA)
me@server:~$ sudo dropbearkey -y -f /etc/dropbear/dropbear_rsa_host_key | ssh-keygen -l -f - -E sha1
2048 SHA1:QbBer4xNK679dX3x1TahSRMuLBI me@server (RSA)
me@server:~$ sudo dropbearkey -y -f /etc/dropbear/dropbear_rsa_host_key | ssh-keygen -l -f - -E md5
2048 MD5:bb:36:37:3e:ae:36:69:d3:6d:63:b8:a3:97:c3:78:60 me@server (RSA)