You are not logged in.
- Topics: Active | Unanswered
#1 2020-04-15 18:23:22
- Arch Linux Tux
- Member
- Registered: 2017-04-01
- Posts: 36
[SOLVED] sftp: convert sha1 fingerprint to hex
Hello,
I need to verify a sha1 fingerprint from my sftp connection.
I want to use the sftp program from the openssl package as client.
My hoster has published the certificate fingerprint in sha1 hex
format.
Since sftp shows the sha256 hash by default, I used
ssh-keyscan host > /tmp/fingerprint.puband then
ssh-keygen -lf /tmp/fingerprint.pub -E sha1in oder to get the sha1 fingerprint. However this is not in hex
format but some combination of alpha digits and special characters.
Fingerprint:
Hoster:
(SHA1):09:F1:C4:3B:65:6A:FA:84:B1:1D:95:97:B9:F0:61:A2:92:4D:CD:03
ssh-keygen:
2048 SHA1:cuanqlj1N/naXy579MKgLUgXmqA ***********************.lima-ftp.de (RSA)
256 SHA1:R/C5FHP4H7BbexYs9o77LbL0GI8 ***********************.lima-ftp.de (ECDSA)
256 SHA1:fOZz3bPb4xJLFtCL8wfaGItS+Cw ***********************.lima-ftp.de (ED25519)
How is the format ssh-keygen shows the fingerprint in called?
How can I compare the hex format and the output of ssh-keygen
in the end?
Thanks for your help!
Last edited by Arch Linux Tux (2022-04-18 12:32:39)
I find every text with bold and italic emphasis easier to read
Offline
#2 2020-04-17 10:19:22
- Arch Linux Tux
- Member
- Registered: 2017-04-01
- Posts: 36
Re: [SOLVED] sftp: convert sha1 fingerprint to hex
So as far as I see the 3 hashes that ssh-keygen shows are in PEM (Privacy Enhanced Mail) format.
Privacy Enhanced Mail (PEM) is a specific type of Base64 encoding…which is to say it is a way of representing binary data using only printable ASCII characters. source
Here is a website that converts PEM to hex
By the way: I still can't match the keys.
I find every text with bold and italic emphasis easier to read
Offline
#3 2020-04-17 13:59:25
- Trilby
- Inspector Parrot
- Registered: 2011-11-29
- Posts: 30,330
- Website
Re: [SOLVED] sftp: convert sha1 fingerprint to hex
Have you seed this, which suggests the fingerprint is not based on the PEM, but rather DER encoding.
EDIT: the website you linked to claims to convert the PEM to DER before hashing.
Last edited by Trilby (2020-04-17 14:01:01)
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
#4 2020-09-01 17:57:04
- poser
- Member
- Registered: 2020-09-01
- Posts: 6
Re: [SOLVED] sftp: convert sha1 fingerprint to hex
Hi all. I'm having the same issue. This post is marked as [SOLVED], but I can't figure out the solution. 
In my case, the server admin used the term "thumbprint," which I guess is some Microsoft-related, 20-byte hexidecimal notation? How do I compare that with the outuput of ssh-keygen?
Offline
#5 2020-09-01 18:11:24
- Trilby
- Inspector Parrot
- Registered: 2011-11-29
- Posts: 30,330
- Website
Re: [SOLVED] sftp: convert sha1 fingerprint to hex
Did you follow the link I posted?
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
#6 2020-09-01 18:18:03
- poser
- Member
- Registered: 2020-09-01
- Posts: 6
Re: [SOLVED] sftp: convert sha1 fingerprint to hex
Thanks for getting back to me, Inspector. I did try that link, and I understand the openssl command. But my understanding is that ssh-keygen is giving me a hash rather than a full certificate. (I tried the -c argument when calling ssh-keyscan but it doesn't return anything.)
Offline
#7 2020-09-01 18:36:19
- Trilby
- Inspector Parrot
- Registered: 2011-11-29
- Posts: 30,330
- Website
Re: [SOLVED] sftp: convert sha1 fingerprint to hex
What commands are you actually using? Don't you have the certificate?
Last edited by Trilby (2020-09-01 18:37:28)
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
#8 2020-09-01 18:53:27
- poser
- Member
- Registered: 2020-09-01
- Posts: 6
Re: [SOLVED] sftp: convert sha1 fingerprint to hex
I do not have the certificate. I expected the following to get it...
ssh-keyscan -c -p <port> <host> > cert.pem...but no luck. I'm sure there are plenty of other ways to download an x509, but I'm afraid I don't know them. Spare a clue for the clueless?
The commands I have successfully used are the ones the OP described...
ssh-keyscan -p <port> <host> > key.pub
ssh-keygen -f key.pub -l -E <hash-function>...which are not helpful in this particular case.
Offline
#9 2020-09-01 20:33:33
- Trilby
- Inspector Parrot
- Registered: 2011-11-29
- Posts: 30,330
- Website
Re: [SOLVED] sftp: convert sha1 fingerprint to hex
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
#10 2020-09-01 23:58:52
- poser
- Member
- Registered: 2020-09-01
- Posts: 6
Re: [SOLVED] sftp: convert sha1 fingerprint to hex
Thanks. I tried...
openssl s_client -showcerts -servername <host> -connect <host>:<port>...but it produces the following (with or without the -servername argument):
$ openssl s_client -showcerts -servername <host> -connect <host>:<port>
CONNECTED(00000005)
<numeric>:error:<hex>:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 323 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)And, to review...
1. I was able to connect through SFTP until the cert was updated (though I have not yet tried just removing the old fingerprint), and
2. The following does work:
$ ssh-keyscan -p <port> <host>
# <host>:<port> SSH-2.0-Cleo VLProxy/3.7.0.7 SSH FTP server
[<host>]:<port> ssh-rsa AAAAB3N...G0Dr
# <host>:<port> SSH-2.0-Cleo VLProxy/3.7.0.7 SSH FTP server
# <host>:<port> SSH-2.0-Cleo VLProxy/3.7.0.7 SSH FTP serverI guess I'll poke around a little and see if there's actually a TLS version mismatch?
Offline
#11 2020-09-02 00:26:26
- poser
- Member
- Registered: 2020-09-01
- Posts: 6
Re: [SOLVED] sftp: convert sha1 fingerprint to hex
The above seems to work just fine on HTTPS web servers, but I have not yet made it work on an an SFTP or SSH service
Offline
#12 2020-09-02 18:53:59
- poser
- Member
- Registered: 2020-09-01
- Posts: 6
Re: [SOLVED] sftp: convert sha1 fingerprint to hex
I still haven't managed to pull down the cert from an sftp server (the advice here only works for me on HTTPS-enabled Web servers), but—having been sent a copy by email—I can confirm that the solution to which Trilby linked (and which is shown below) does indeed produce the 20-byte hexidecimal fingerprint described by the OP.
openssl x509 -in <x509-pem-crt> -outform DER -out x509-certificate-der.cer
sha1sum x509-certificate-der.cerThanks for the help!
Offline
#13 2021-05-05 16:01:20
- Arch Linux Tux
- Member
- Registered: 2017-04-01
- Posts: 36
Re: [SOLVED] sftp: convert sha1 fingerprint to hex
(I am the OP) My issue was solved this way:
The support of my webhoster told me that the fingerprint is a FTPS hash not a SFTP hash.
I did not know until then that FTPS and SFTP are totally different protocolls: FTPS is FTP using a
SSL layer and SFTP is a protocol based on SSH.
I find every text with bold and italic emphasis easier to read
Offline