
#1 2020-04-15 18:23:22

Arch Linux Tux
Registered: 2017-04-01
Posts: 36

[SOLVED] sftp: convert sha1 fingerprint to hex


I need to verify a sha1 fingerprint from my sftp connection.
I want to use the sftp program from the openssl package as client.

My hoster has published the certificate fingerprint in sha1 hex

Since sftp shows the sha256 hash by default, I used

ssh-keyscan host > /tmp/

and then

ssh-keygen -lf /tmp/ -E sha1

in order to get the sha1 fingerprint. However, this is not in hex
format but some combination of alphanumeric characters and special characters.

2048 SHA1:cuanqlj1N/naXy579MKgLUgXmqA *********************** (RSA)
256 SHA1:R/C5FHP4H7BbexYs9o77LbL0GI8 *********************** (ECDSA)
256 SHA1:fOZz3bPb4xJLFtCL8wfaGItS+Cw *********************** (ED25519)

How is the format ssh-keygen shows the fingerprint in called?
How can I compare the hex format and the output of ssh-keygen
in the end?

Thanks for your help!

Last edited by Arch Linux Tux (2022-04-18 12:32:39)

I find every text with bold and italic emphasis easier to read
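The `SHA1:` value ssh-keygen prints is the 20-byte SHA1 digest of the SSH host-key blob, encoded as base64 with the `=` padding stripped, so it can be converted to hex for comparison. The following is an added example, not from the original post: it parses a constructed ssh-keyscan line, reproduces the formats `ssh-keygen -l -E <alg>` prints, and converts a `SHA1:...` fingerprint to hex; the host name and key blob are made-up sample data.

```python
import base64
import hashlib
import re

def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b

# Constructed sample (NOT a real host key): a minimal ssh-ed25519 blob and an
# ssh-keyscan-style line "[host]:port keytype base64-blob".
FAKE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x01" * 32)
SAMPLE_LINE = "[sftp.example.test]:2222 ssh-ed25519 " + base64.b64encode(FAKE_BLOB).decode()

def parse_keyscan_line(line: str) -> tuple[str, bytes]:
    """Return (key type, raw key blob) from one ssh-keyscan output line."""
    _host, keytype, b64 = line.split()[:3]
    return keytype, base64.b64decode(b64)

def fingerprint(blob: bytes, alg: str = "sha256") -> str:
    """Fingerprint in the form ssh-keygen -l -E <alg> prints it:
    MD5 as colon-separated hex, all other digests as unpadded base64."""
    digest = hashlib.new(alg, blob).digest()
    if alg == "md5":
        return "MD5:" + ":".join(f"{b:02x}" for b in digest)
    return f"{alg.upper()}:" + base64.b64encode(digest).decode().rstrip("=")

def b64_fingerprint_to_hex(fp: str) -> str:
    """Convert 'SHA1:cuanqlj1N/...' (unpadded base64) to lowercase hex."""
    b64 = fp.split(":", 1)[1]
    b64 += "=" * (-len(b64) % 4)  # restore the padding ssh-keygen strips
    return base64.b64decode(b64).hex()

def normalize_hex(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; return lowercase hex only."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())

def hex_fingerprint_matches(published: str, digest_hex: str) -> bool:
    """Compare a published hex fingerprint with a computed digest, ignoring
    case and separators. Works for an SSH key digest or a DER certificate digest."""
    return normalize_hex(published) == normalize_hex(digest_hex)

if __name__ == "__main__":
    keytype, blob = parse_keyscan_line(SAMPLE_LINE)
    for alg in ("sha256", "sha1", "md5"):
        print(keytype, fingerprint(blob, alg))
    print("SHA1 as hex:", b64_fingerprint_to_hex(fingerprint(blob, "sha1")))
```

Note that this digest is over the SSH host key, not over an X.509 certificate, so it will not equal a certificate thumbprint published for an FTPS or HTTPS service.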


#2 2020-04-17 10:19:22

Arch Linux Tux
Registered: 2017-04-01
Posts: 36

Re: [SOLVED] sftp: convert sha1 fingerprint to hex

So as far as I see the 3 hashes that ssh-keygen shows are in PEM (Privacy Enhanced Mail) format.

"Privacy Enhanced Mail (PEM) is a specific type of Base64 encoding…which is to say it is a way of representing binary data using only printable ASCII characters." (source)

Here is a website that converts PEM to hex

By the way: I still can't match the keys.



#3 2020-04-17 13:59:25

Inspector Parrot
Registered: 2011-11-29
Posts: 30,330

Re: [SOLVED] sftp: convert sha1 fingerprint to hex

Have you seen this, which suggests the fingerprint is not based on the PEM, but rather DER encoding.

EDIT: the website you linked to claims to convert the PEM to DER before hashing.

Last edited by Trilby (2020-04-17 14:01:01)

"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman


#4 2020-09-01 17:57:04

Registered: 2020-09-01
Posts: 6

Re: [SOLVED] sftp: convert sha1 fingerprint to hex

Hi all. I'm having the same issue. This post is marked as [SOLVED], but I can't figure out the solution. In my case, the server admin used the term "thumbprint," which I guess is some Microsoft-related, 20-byte hexadecimal notation? How do I compare that with the output of ssh-keygen?


#5 2020-09-01 18:11:24

Inspector Parrot
Registered: 2011-11-29
Posts: 30,330

Re: [SOLVED] sftp: convert sha1 fingerprint to hex

Did you follow the link I posted?



#6 2020-09-01 18:18:03

Registered: 2020-09-01
Posts: 6

Re: [SOLVED] sftp: convert sha1 fingerprint to hex

Thanks for getting back to me, Inspector. I did try that link, and I understand the openssl command. But my understanding is that ssh-keygen is giving me a hash rather than a full certificate. (I tried the -c argument when calling ssh-keyscan but it doesn't return anything.)


#7 2020-09-01 18:36:19

Inspector Parrot
Registered: 2011-11-29
Posts: 30,330

Re: [SOLVED] sftp: convert sha1 fingerprint to hex

What commands are you actually using? Don't you have the certificate?

Last edited by Trilby (2020-09-01 18:37:28)



#8 2020-09-01 18:53:27

Registered: 2020-09-01
Posts: 6

Re: [SOLVED] sftp: convert sha1 fingerprint to hex

I do not have the certificate. I expected the following to get it...

ssh-keyscan -c -p <port> <host> > cert.pem

...but no luck. I'm sure there are plenty of other ways to download an x509, but I'm afraid I don't know them. Spare a clue for the clueless?

The commands I have successfully used are the ones the OP described...

ssh-keyscan -p <port> <host> >
ssh-keygen -f -l -E <hash-function>

...which are not helpful in this particular case.


#9 2020-09-01 20:33:33

Inspector Parrot
Registered: 2011-11-29
Posts: 30,330

Re: [SOLVED] sftp: convert sha1 fingerprint to hex



#10 2020-09-01 23:58:52

Registered: 2020-09-01
Posts: 6

Re: [SOLVED] sftp: convert sha1 fingerprint to hex

Thanks. I tried...

openssl s_client -showcerts -servername <host> -connect <host>:<port>

...but it produces the following (with or without the -servername argument):

$ openssl s_client -showcerts -servername <host> -connect <host>:<port>
<numeric>:error:<hex>:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 5 bytes and written 323 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

And, to review...

1. I was able to connect through SFTP until the cert was updated (though I have not yet tried just removing the old fingerprint), and
2. The following does work:

$ ssh-keyscan -p <port> <host>
# <host>:<port> SSH-2.0-Cleo VLProxy/ SSH FTP server
[<host>]:<port> ssh-rsa AAAAB3N...G0Dr
# <host>:<port> SSH-2.0-Cleo VLProxy/ SSH FTP server
# <host>:<port> SSH-2.0-Cleo VLProxy/ SSH FTP server

I guess I'll poke around a little and see if there's actually a TLS version mismatch?


#11 2020-09-02 00:26:26

Registered: 2020-09-01
Posts: 6

Re: [SOLVED] sftp: convert sha1 fingerprint to hex

The above seems to work just fine on HTTPS web servers, but I have not yet made it work on an SFTP or SSH service.


#12 2020-09-02 18:53:59

Registered: 2020-09-01
Posts: 6

Re: [SOLVED] sftp: convert sha1 fingerprint to hex

I still haven't managed to pull down the cert from an sftp server (the advice here only works for me on HTTPS-enabled Web servers), but—having been sent a copy by email—I can confirm that the solution to which Trilby linked (and which is shown below) does indeed produce the 20-byte hexadecimal fingerprint described by the OP.

openssl x509 -in <x509-pem-crt> -outform DER -out x509-certificate-der.cer
sha1sum x509-certificate-der.cer

Thanks for the help!


#13 2021-05-05 16:01:20

Arch Linux Tux
Registered: 2017-04-01
Posts: 36

Re: [SOLVED] sftp: convert sha1 fingerprint to hex

(I am the OP) My issue was solved this way:
The support of my webhoster told me that the fingerprint is an FTPS hash, not an SFTP hash.
I did not know until then that FTPS and SFTP are totally different protocols: FTPS is FTP using an
SSL layer and SFTP is a protocol based on SSH.


