Extra `=` padding in ed25519 fingerprint in AWS EC2 key - McMap

About

Extra `=` padding in ed25519 fingerprint in AWS EC2 key

Asked 22/4, 2022 at 13:29 Answered 22/4, 2022 at 15:15

Solved amazon-web-services ssh fingerprint ed25519

F

1

1

I'm encountering an interesting scenario where the generated fingerprint for my imported/created ed25519 SSH key is different from the one reported by ssh-keygen in the AWS EC2 Key console.

For example, consider a random key I generated for which the ssh-keygen fingerprint is:

64OuseEfObM7yYiEyK7u42qN1kHj6/JGnpro1XqO4pM

And AWS generated the fingerprint as such:

64OuseEfObM7yYiEyK7u42qN1kHj6/JGnpro1XqO4pM=

So, there is extra padding for some reason. Does anyone know why that is so? Alternatively, does anyone know how AWS generates these fingerprints and is it just fine to trim that last = away? I mean padding is mostly optional, but I would like to generate the same fingerprint so I can compare them.

Also, note that this is only for ed25519 keys. Normal RSA works fine. I know they do some wonky stuff converting it to OpenSSL then back or something like that. But that's not the case for ed25519 I think...

Cheers!

Flori answered 22/4, 2022 at 13:29 Comment(3)

See this post - it has to do with the Base64 encoding. It shouldn't matter. – Uric 22/4, 2022 at 14:25

The problem is, that it matters because any kind of local algorithm I'm running isn't resulting in the same encoding, aka they don't convert to padding by 3s. So when I compare, I either have to trim that by hand or add it to mine by doing something like string+"=" which is a bit ugly. :) The important part is that I can't reproduce this same result they are having. – Flori 22/4, 2022 at 14:29

But I guess, you're right. I can just trim the padding as I don't concatenate it to anything so it should be fine. But it bothers me that I can't reproduce why they are getting a different encoding. :D – Flori 22/4, 2022 at 14:35

F

1

I got it.

From other posts here as well, but the answer is that they are using a base64 sha256 openssl combo like this:

$ cat ~/.ssh/ec2-key.pub | base64 -w0 -d | openssl dgst -binary -sha256 | base64 -w0; echo

Where the pub key was generated from the downloaded ec2 pem key like this:

ssh-keygen -y -f ~/.ssh/ec2-key.pem > ~/.ssh/ec2-key.pub

Flori answered 22/4, 2022 at 15:15 Comment(0)

Recommended topics

#Godot #Unity #Godot 4.X #Mongodb

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

© 2022 - 2024 — McMap. All rights reserved.