As you can imagine, SSH keypairs – combinations of private and public keys – are vital elements of your digital identity as a sysadmin or a developer. And since they can be used for accessing source code repositories and for deploying changes to production environments, you usually have more than one SSH key. That's why it's important to know how to inspect SSH key fingerprints.
SSH Key Fingerprints
Key fingerprints are special checksums (hashes) calculated over the public SSH key. Run against the same key, the ssh-keygen command will always produce the same fingerprint.
Because of this property, you can use SSH key fingerprints for three things:
- Identify an SSH key – the fingerprint stays the same even if you rename the file
- Confirm the integrity of an SSH key – if you get the same fingerprint from your private SSH key, you can be sure it's still valid and intact
- Validate the identity of an SSH key – the same fingerprint means you're dealing with the same key (one that you or your solution trusted for a specific function)
How to Check SSH Fingerprint of a Key
The ssh-keygen command takes the identity (SSH key) filename and calculates the fingerprint.
You can start by changing directory into .ssh and checking whether you already have any SSH keys there. If not, you should generate a new SSH key.
greys@server:~$ cd .ssh
greys@server:~/.ssh$ ls -la
total 24
drwx------  3 greys greys 4096 Feb 17 21:11 .
drwxr-xr-x 15 greys greys 4096 Feb 17 21:13 ..
-rw-------  1 greys greys 1766 Feb 17 21:11 id_rsa
-rw-r--r--  1 greys greys  394 Feb 17 21:11 id_rsa.pub
Let's run ssh-keygen to confirm the fingerprint of the id_rsa keypair:
greys@server:~/.ssh$ ssh-keygen -l -f id_rsa
2048 SHA256:z96jtEGIqfLoaq1INIBFI/3K2M+f9xZUyupsm3itgvI no comment (RSA)
Check Fingerprint of the Private SSH Key
By default this command looks for the public key portion (the id_rsa.pub file), so it's not a very good test of the integrity or identity of the private key. There is a very real possibility that you have one private key and a separate public key that are not related to each other.
That's why, to check the private key, you must take it a step further and copy the private key (id_rsa) into some other directory, where you can run ssh-keygen again:
greys@server:~/.ssh$ cp id_rsa ..
greys@server:~/.ssh$ cd ..
This time, because there's no public key file found nearby, ssh-keygen will have to open the private key itself. And if it's passphrase protected (as it always should be), you'll be asked for the SSH key passphrase:
greys@server:~$ ssh-keygen -l -f id_rsa
Enter PEM pass phrase:
2048 SHA256:z96jtEGIqfLoaq1INIBFI/3K2M+f9xZUyupsm3itgvI no comment (RSA)
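The same private/public consistency check as a script, added here as an example (it is not part of the original tutorial): instead of copying the private key to another directory, it derives the public key from the private key with ssh-keygen -y and compares that fingerprint with the one of the .pub file. It assumes OpenSSH 7.2 or newer (where ssh-keygen -l -f - reads a key from stdin) and a keypair stored as name and name.pub.

```shell
#!/bin/sh
# Added example, not from the original tutorial: check that a private key and the
# public key file next to it really belong together by comparing fingerprints,
# without copying the private key anywhere. Assumes OpenSSH 7.2+ (ssh-keygen -l
# -f - reads stdin) and a pair stored as <name> and <name>.pub.

# Fingerprint of a public key file ("-" means stdin); $2 is sha256 or md5.
# ssh-keygen -l prints "<bits> <fingerprint> <comment> (<type>)", so keep field 2.
fingerprint_of_file() {
    ssh-keygen -l -E "$2" -f "$1" | awk '{print $2}'
}

# Print the public key derived from a private key (ssh-keygen -y).
# A passphrase-protected key prompts interactively unless the passphrase is $2.
derive_public_key() {
    if [ -n "$2" ]; then
        ssh-keygen -y -P "$2" -f "$1"
    else
        ssh-keygen -y -f "$1"
    fi
}

# ssh_key_check <private-key> [passphrase] [sha256|md5]
# Returns 0 when both fingerprints match, 1 on mismatch, 2 if a key is unreadable.
ssh_key_check() {
    priv=$1; pass=$2; hash=${3:-sha256}
    pub_fp=$(fingerprint_of_file "$priv.pub" "$hash")
    priv_fp=$(derive_public_key "$priv" "$pass" | fingerprint_of_file - "$hash")
    [ -n "$pub_fp" ] && [ -n "$priv_fp" ] || return 2
    printf 'public key file : %s\nfrom private key: %s\n' "$pub_fp" "$priv_fp"
    [ "$pub_fp" = "$priv_fp" ]
}

# Example invocation: ./ssh_key_check.sh ~/.ssh/id_rsa [passphrase] [md5]
if [ "$#" -gt 0 ]; then
    ssh_key_check "$@"
fi
```

The script prints both fingerprints and exits non-zero when they differ, so it can be dropped into a deployment or backup verification job.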
Old-school SSH fingerprints
If you've been using Linux/Unix for more than a couple of years, you have probably noticed that ssh-keygen now shows different-looking fingerprints: they used to be colon-delimited sequences such as 06:6e:bc:f4:4e:03:90:b7:ba:99:8d:a5:71:1e:dc:22, and are now shown like SHA256:z96jtEGIqfLoaq1INIBFI/3K2M+f9xZUyupsm3itgvI.
The reason is that fingerprints are now shown as SHA256 hashes by default, while in the past they were MD5.
In order to show the SSH fingerprint in MD5 format, just specify this in the command line:
greys@server:~$ ssh-keygen -l -E md5 -f id_rsa
Enter PEM pass phrase:
2048 MD5:06:6e:bc:f4:4e:03:90:b7:ba:99:8d:a5:71:1e:dc:22 no comment (RSA)