SSH Key Fingerprints

As a network administrator I know that there are SSH fingerprints. And of course I know that I must verify the fingerprints for every new connection. ;) But I did not know that there are so many different kinds of fingerprints: MD5- or SHA-hashed, represented in base64 or hex, and of course one for each public key type such as RSA, DSA, ECDSA, and Ed25519. Uh, a bit too complicated at first glance. Hence I drew a picture.

Different Fingerprints

Fingerprints exist for all four SSH key types {rsa|dsa|ecdsa|ed25519}. The raw (base64-decoded) key is hashed with either {md5|sha-1|sha-256} and printed in format {hex|base64}, with or without colons. The public key files, on the other hand, contain the key itself in base64 representation. At a glance:

Playing around with Hashes

With some basic Linux tools you can generate the fingerprints in all flavors. Let's consider only the ECDSA host public key for the following examples. You'll find it in /etc/ssh/, and it looks like the following, which is the base64 representation:

Displaying the key in raw format does not make much sense. You can try it yourself with:

With ssh-keygen you can print the fingerprint (-l) of an input file (-f) and choose the fingerprint hash algorithm (-E). However, MD5 hashes are presented in colon-separated hex, while SHA-1 and SHA-256 hashes are presented in base64:

Now with some Linux tools you can hash the raw (base64-decoded) key with MD5, SHA-1, and SHA-256. Note that all outputs are hex, hence the first one (MD5, starting with 4b6d) is exactly the same as the one from ssh-keygen, while the two SHA ones look different only because of their representation:

To reproduce the base64 output for the SHA hashes as shown by ssh-keygen, you must convert the hex output back to binary and then encode that as base64. (Otherwise you would transform the hex string to base64 and not the hash output itself.) Hence the following two outputs are exactly the same as the ones from ssh-keygen. I did not use the base64 encoding for the MD5 hash because it is not used anywhere.
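The whole procedure above in one place, as an added Python example that is not code from the original post: it builds a constructed ecdsa-sha2-nistp256 public-key blob in the SSH wire format (the point bytes are made up and are not a valid curve point; only the hashing matters here), formats it like a .pub file line, and derives the MD5-hex, SHA-1-hex, SHA-256-hex and SHA-256-base64 fingerprints, including the hex-to-binary-to-base64 step and the pitfall of base64-encoding the hex text instead.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def build_sample_ecdsa_blob() -> bytes:
    """Constructed ecdsa-sha2-nistp256 public-key blob (made-up point, not a real key)."""
    point = b"\x04" + bytes(range(64))  # uncompressed point 0x04 || X || Y (constructed)
    return (ssh_string(b"ecdsa-sha2-nistp256")
            + ssh_string(b"nistp256")
            + ssh_string(point))

def public_key_line(blob: bytes) -> str:
    """Format the blob the way it appears in /etc/ssh/*.pub: type, base64 blob, comment."""
    return "ecdsa-sha2-nistp256 " + base64.b64encode(blob).decode() + " sample@host"

def blob_from_public_key_line(line: str) -> bytes:
    """ssh-keygen hashes the base64-decoded key, not the text of the .pub file."""
    return base64.b64decode(line.split()[1])

def hex_digest_to_base64(hexdigest: str) -> str:
    """The step from the post: hex -> binary -> base64 (ssh-keygen prints no '=' padding)."""
    return base64.b64encode(bytes.fromhex(hexdigest)).decode().rstrip("=")

def base64_of_hex_text(hexdigest: str) -> str:
    """The pitfall: base64 of the hex *text*, which does not match ssh-keygen."""
    return base64.b64encode(hexdigest.encode()).decode().rstrip("=")

def fingerprints(blob: bytes) -> dict:
    """The four fingerprint flavours listed in the post for one key."""
    md5 = hashlib.md5(blob).digest()
    sha1 = hashlib.sha1(blob).hexdigest()
    sha256 = hashlib.sha256(blob).hexdigest()
    return {
        "MD5-hex": ":".join(f"{b:02x}" for b in md5),   # ssh-keygen -l -E md5 style
        "SHA1-hex": sha1,                                # sha1sum style
        "SHA256-hex": sha256,                            # sha256sum style
        "SHA256-base64": hex_digest_to_base64(sha256),   # ssh-keygen -l -E sha256 style
    }

if __name__ == "__main__":
    line = public_key_line(build_sample_ecdsa_blob())
    for name, fp in fingerprints(blob_from_public_key_line(line)).items():
        print(f"{name:14} {fp}")
```

Replace the constructed blob with the second field of your own /etc/ssh/ssh_host_ecdsa_key.pub to compare against `ssh-keygen -l -E md5 -f` and `ssh-keygen -l -E sha256 -f` on the same file.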

One Key – Four (!) Fingerprints

To sum it up, my single ECDSA public key has the following four different-looking fingerprints that are all correct (MD5-hex, SHA-1-hex, SHA-256-hex, SHA-256-base64):

Using the other two public keys (RSA, Ed25519) as well would give me 12 fingerprints. ;) Note that I am not talking about DSA/ssh-dss anymore since it has security flaws and is disabled by default since OpenSSH 7.0. Also note that I omitted the MD5-base64 and SHA-1-base64 variants since they are not common at all.

Featured image “1+1=3 248/365” by Dennis Skley is licensed under CC BY-ND 2.0.
