As you can imagine, SSH keypairs – combinations of private and public keys – are vital elements of your digital identity as a sysadmin or a developer. And since they can be used for accessing source code repositories and for deploying changes to production environments, you usually have more than one SSH key. That’s why it’s important to know how to inspect SSH key fingerprints.
Key fingerprints are special checksums generated from the public SSH key. Run against the same key, the ssh-keygen command will always generate the same fingerprint.
Because of this property, you can use SSH key fingerprints for three things:
The ssh-keygen command takes the identity (SSH key) filename and calculates the fingerprint.
You can start by changing directory into .ssh and checking if you have any SSH keys there already. If not, you should generate a new SSH key.
Let’s run ssh-keygen to confirm the fingerprint of the id_rsa keypair:
By default this command looks for the public key portion (the id_rsa.pub file), so it’s not a very good test of the integrity or identity of the private key. There is a very real possibility that you have a private key and a separate public key that are not related to each other.
That’s why, to check the private key, you must take it a step further and copy the private key (id_rsa) into some other directory where you can run ssh-keygen again:
This time, because there’s no public key file nearby, the ssh-keygen command will have to open the private key. And if it’s passphrase-protected (as it always should be), you’ll be asked for the SSH key passphrase:
If you’ve been using Linux/Unix for more than a couple of years, you have probably noticed that ssh-keygen now shows different-looking fingerprints: they used to be semicolon-delimited sequences like this:
… instead, they are now shown like this:
The reason is that fingerprints are now shown as SHA256 sequences by default, while in the past they were MD5.
In order to show the SSH fingerprint in MD5 format, just specify this on the command line: