You are not logged in.

#1 2015-04-18 11:48:30

From: Germany
Registered: 2012-10-02
Posts: 4

[solved] ssh/ssh-keygen/…: Show fingerprint in hex?


I'm currently struggling with SSH fingerprints. I used to validate fingerprints manually using the output provided by ssh or ssh-keygen. While this does work with most distros arch (or the OpenSSH 6.8 installed) seems to use a different fingerprint format.

Other distros (gentoo with OpenSSH 7.6, debian with 7.0, etc) output fingerprints (connecting to unknown hosts, using ssh-keygen, etc) using hex notation:

ECDSA key fingerprint is 00:11:22:33:44…

however using arch i get some Hash-representation:

ECDSA key fingerprint is SHA256:qj96Ke

Obviously this prevents me from comparing the fingerprints. Does anyone know where to change the output format used or how to compare these fingerprints?

Thanks in advance


Thanks to a buddy in IRC I was able to change the behavior - for those searching along:

The default hash algorithm used for fingerprint hashes was changed from md5 to sha256. In my case i tried to connect from arch (sha256) to debian (md5). ssh-keygen on debian doesn't support sha256 as far as I can tell - newer versions allow a "-E md5" or "-E sha256" to choose the desired hash type. So I went the easier route and "downgraded" arch to md5 for this server. To do this open your SSH-config (/etc/ssh/ssh_config or ~/.ssh/config) and add the following lines:

    FingerprintHash md5

When connecting to the host arch will now show the MD5 representation of the fingerprint which can be compared to the output  of ssh-keygen on debian. Other servers ore not affected and will still use the newer sha256.

Last edited by adlerweb (2015-04-18 12:09:24)


Board footer

Powered by FluxBB