
#1 2020-04-15 18:23:22

Arch Linux Tux
Member
Registered: 2017-04-01
Posts: 34

[SOLVED] sftp: convert sha1 fingerprint to hex

Hello,

I need to verify a sha1 fingerprint from my sftp connection.
I want to use the sftp program from the openssl package as client.

My hoster has published the certificate fingerprint in sha1 hex
format.

Since sftp shows the sha256 hash by default, I used

ssh-keyscan host > /tmp/fingerprint.pub

and then

ssh-keygen -lf /tmp/fingerprint.pub -E sha1

in order to get the sha1 fingerprint. However this is not in hex
format but some combination of alpha digits and special characters.

Fingerprint:
Hoster:
(SHA1):09:F1:C4:3B:65:6A:FA:84:B1:1D:95:97:B9:F0:61:A2:92:4D:CD:03
ssh-keygen:
2048 SHA1:cuanqlj1N/naXy579MKgLUgXmqA ***********************.lima-ftp.de (RSA)
256 SHA1:R/C5FHP4H7BbexYs9o77LbL0GI8 ***********************.lima-ftp.de (ECDSA)
256 SHA1:fOZz3bPb4xJLFtCL8wfaGItS+Cw ***********************.lima-ftp.de (ED25519)

How is the format ssh-keygen shows the fingerprint in called?
How can I compare the hex format and the output of ssh-keygen
in the end?

Thanks for your help!

Last edited by Arch Linux Tux (2022-04-18 12:32:39)


I do software development for fun and professionally!

I'm strongly interested in robotics and mechatronics! My favorite programming language is Rust


#2 2020-04-17 10:19:22

Arch Linux Tux
Member
Registered: 2017-04-01
Posts: 34

Re: [SOLVED] sftp: convert sha1 fingerprint to hex

So as far as I see the 3 hashes that ssh-keygen shows are in PEM (Privacy Enhanced Mail) format.

blog.oddbit.com wrote:

Privacy Enhanced Mail (PEM) is a specific type of Base64 encoding…which is to say it is a way of representing binary data using only printable ASCII characters. source

Here is a website that converts PEM to hex

By the way: I still can't match the keys.



#3 2020-04-17 13:59:25

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,449

Re: [SOLVED] sftp: convert sha1 fingerprint to hex

Have you seen this, which suggests the fingerprint is not based on the PEM, but rather DER encoding.

EDIT: the website you linked to claims to convert the PEM to DER before hashing.

Last edited by Trilby (2020-04-17 14:01:01)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" - Richard Stallman


#4 2020-09-01 17:57:04

poser
Member
Registered: 2020-09-01
Posts: 6

Re: [SOLVED] sftp: convert sha1 fingerprint to hex

Hi all. I'm having the same issue. This post is marked as [SOLVED], but I can't figure out the solution. In my case, the server admin used the term "thumbprint," which I guess is some Microsoft-related, 20-byte hexadecimal notation? How do I compare that with the output of ssh-keygen?


#5 2020-09-01 18:11:24

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,449

Re: [SOLVED] sftp: convert sha1 fingerprint to hex

Did you follow the link I posted?



#6 2020-09-01 18:18:03

poser
Member
Registered: 2020-09-01
Posts: 6

Re: [SOLVED] sftp: convert sha1 fingerprint to hex

Thanks for getting back to me, Inspector. I did try that link, and I understand the openssl command. But my understanding is that ssh-keygen is giving me a hash rather than a full certificate. (I tried the -c argument when calling ssh-keyscan but it doesn't return anything.)


#7 2020-09-01 18:36:19

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,449

Re: [SOLVED] sftp: convert sha1 fingerprint to hex

What commands are you actually using? Don't you have the certificate?

Last edited by Trilby (2020-09-01 18:37:28)



#8 2020-09-01 18:53:27

poser
Member
Registered: 2020-09-01
Posts: 6

Re: [SOLVED] sftp: convert sha1 fingerprint to hex

I do not have the certificate. I expected the following to get it...

ssh-keyscan -c -p <port> <host> > cert.pem

...but no luck. I'm sure there are plenty of other ways to download an x509, but I'm afraid I don't know them. Spare a clue for the clueless?

The commands I have successfully used are the ones the OP described...

ssh-keyscan -p <port> <host> > key.pub
ssh-keygen -f key.pub -l -E <hash-function>

...which are not helpful in this particular case.


#9 2020-09-01 20:33:33

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,449

Re: [SOLVED] sftp: convert sha1 fingerprint to hex



#10 2020-09-01 23:58:52

poser
Member
Registered: 2020-09-01
Posts: 6

Re: [SOLVED] sftp: convert sha1 fingerprint to hex

Thanks. I tried...

openssl s_client -showcerts -servername <host> -connect <host>:<port>

...but it produces the following (with or without the -servername argument):

$ openssl s_client -showcerts -servername <host> -connect <host>:<port>
CONNECTED(00000005)
<numeric>:error:<hex>:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 323 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

And, to review...

1. I was able to connect through SFTP until the cert was updated (though I have not yet tried just removing the old fingerprint), and
2. The following does work:

$ ssh-keyscan -p <port> <host>
# <host>:<port> SSH-2.0-Cleo VLProxy/3.7.0.7 SSH FTP server
[<host>]:<port> ssh-rsa AAAAB3N...G0Dr
# <host>:<port> SSH-2.0-Cleo VLProxy/3.7.0.7 SSH FTP server
# <host>:<port> SSH-2.0-Cleo VLProxy/3.7.0.7 SSH FTP server

I guess I'll poke around a little and see if there's actually a TLS version mismatch?


#11 2020-09-02 00:26:26

poser
Member
Registered: 2020-09-01
Posts: 6

Re: [SOLVED] sftp: convert sha1 fingerprint to hex

The above seems to work just fine on HTTPS web servers, but I have not yet made it work on an SFTP or SSH service.


#12 2020-09-02 18:53:59

poser
Member
Registered: 2020-09-01
Posts: 6

Re: [SOLVED] sftp: convert sha1 fingerprint to hex

I still haven't managed to pull down the cert from an sftp server (the advice here only works for me on HTTPS-enabled Web servers), but—having been sent a copy by email—I can confirm that the solution to which Trilby linked (and which is shown below) does indeed produce the 20-byte hexadecimal fingerprint described by the OP.

openssl x509 -in <x509-pem-crt> -outform DER -out x509-certificate-der.cer
sha1sum x509-certificate-der.cer

Thanks for the help!


#13 2021-05-05 16:01:20

Arch Linux Tux
Member
Registered: 2017-04-01
Posts: 34

Re: [SOLVED] sftp: convert sha1 fingerprint to hex

(I am the OP) My issue was solved this way:
The support of my webhoster told me that the fingerprint is an FTPS hash, not an SFTP hash.
I did not know until then that FTPS and SFTP are totally different protocols: FTPS is FTP using an
SSL layer and SFTP is a protocol based on SSH.


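The conversion the OP asked about, as an added example that is not from any poster in this thread. The format ssh-keygen prints is not PEM: after the "SHA1:" or "SHA256:" label it is the raw digest encoded in base64 with the trailing "=" padding removed, and the hoster's "09:F1:C4:..." string is the same kind of object (a raw digest) written one byte at a time in hex. Decode either one and you can re-encode it as the other. The script below converts between the two notations, reproduces the fingerprint part of "ssh-keygen -lf key.pub -E <alg>" for one line of ssh-keyscan output (using a constructed ssh-ed25519 key blob, not any real server's key), and shows that the two values quoted in post #1 still do not match after conversion, which is consistent with the thread's conclusion that they are digests of different objects (an X.509 certificate for FTPS versus an SSH host key). The host name in the sample line is made up.

```python
"""Convert OpenSSH base64 fingerprints to/from colon-separated hex and
recompute a host-key fingerprint from an ssh-keyscan line (added example)."""
import base64
import hashlib
import re
import struct

# The two SHA1 fingerprints quoted in post #1 of the thread.
HOSTER_HEX_SHA1 = "09:F1:C4:3B:65:6A:FA:84:B1:1D:95:97:B9:F0:61:A2:92:4D:CD:03"
SSH_KEYGEN_B64_SHA1 = "cuanqlj1N/naXy579MKgLUgXmqA"

# Optional algorithm label, e.g. "SHA1:", "SHA256:" or the hoster's "(SHA1):".
_ALG_PREFIX = re.compile(r"^\(?(?:MD5|SHA1|SHA256)\)?:", re.IGNORECASE)
# Colon-separated (or plain) hex pairs. A 20-byte SHA1 or 32-byte SHA256
# digest in base64 has odd length (27 / 43 chars), so it can never match this.
_HEX_FORM = re.compile(r"^[0-9a-fA-F]{2}(?::?[0-9a-fA-F]{2})*$")


def fingerprint_bytes(fp: str) -> bytes:
    """Decode a fingerprint in either notation to its raw digest bytes."""
    fp = _ALG_PREFIX.sub("", fp.strip())
    if _HEX_FORM.match(fp):
        return bytes.fromhex(fp.replace(":", ""))
    # OpenSSH strips '=' padding; base64 wants the length to be a multiple of 4.
    return base64.b64decode(fp + "=" * (-len(fp) % 4))


def to_hex(fp: str) -> str:
    """Render a fingerprint as upper-case, colon-separated hex (the hoster's style)."""
    return ":".join(f"{b:02X}" for b in fingerprint_bytes(fp))


def to_b64(fp: str) -> str:
    """Render a fingerprint as unpadded base64 (the style ssh-keygen prints)."""
    return base64.b64encode(fingerprint_bytes(fp)).decode("ascii").rstrip("=")


def fingerprints_match(a: str, b: str) -> bool:
    """Compare two fingerprints regardless of which notation each one uses."""
    return fingerprint_bytes(a) == fingerprint_bytes(b)


def host_key_fingerprint(keyscan_line: str, alg: str = "sha1") -> str:
    """Reproduce the fingerprint field of 'ssh-keygen -lf <file> -E <alg>' for
    one ssh-keyscan line: the digest of the decoded public-key blob, in
    unpadded base64, prefixed with the algorithm name."""
    fields = keyscan_line.split()
    # ssh-keyscan emits "<host> <keytype> <base64 blob>"; "# ..." lines are banners.
    if len(fields) < 3 or fields[0].startswith("#"):
        raise ValueError("not a host key line")
    digest = hashlib.new(alg, base64.b64decode(fields[2])).digest()
    return f"{alg.upper()}:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def host_key_digest_hex(keyscan_line: str, alg: str = "sha1") -> str:
    """Same digest as host_key_fingerprint(), but straight to colon-hex."""
    blob = base64.b64decode(keyscan_line.split()[2])
    return ":".join(f"{b:02X}" for b in hashlib.new(alg, blob).digest())


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed sample: a structurally valid ssh-ed25519 public-key blob whose
# 32-byte key value is just 0x00..0x1f. It is not a real server's key.
_SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_KEYSCAN_LINE = (
    "[sftp.example.invalid]:2222 ssh-ed25519 "
    + base64.b64encode(_SAMPLE_BLOB).decode("ascii")
)

if __name__ == "__main__":
    print("ssh-keygen value as hex :", to_hex(SSH_KEYGEN_B64_SHA1))
    print("hoster value as base64  :", to_b64(HOSTER_HEX_SHA1))
    print("same digest?            :", fingerprints_match(HOSTER_HEX_SHA1, SSH_KEYGEN_B64_SHA1))
    for alg in ("sha1", "sha256"):
        print(host_key_fingerprint(SAMPLE_KEYSCAN_LINE, alg))
```

Run it with python3 and compare the printed hex against a hoster's hex string directly. If the two still differ after conversion, as they do for the values in post #1, the hashes were taken over different objects; converting notation cannot bridge that, and the OP's hoster had in fact published the SHA1 of an FTPS X.509 certificate, not of the SSH host key.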
