I need to do the SSH key audit for GitHub, but I am not sure how do find my RSA key fingerprint. I originally followed a guide to generate an SSH key on Linux.
What is the command I need to enter to find my current RSA key fingerprint?
Calculate RSA key fingerprint
Run the following command to retrieve the SHA256 fingerprint of your SSH key (-l means "list" instead of create a new key, -f means "filename"):
$ ssh-keygen -lf /path/to/ssh/key
So for example, on my machine the command I ran was (using RSA public key):
$ ssh-keygen -lf ~/.ssh/id_rsa.pub
2048 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff /Users/username/.ssh/id_rsa.pub (RSA)
To get the GitHub (MD5) fingerprint format with newer versions of ssh-keygen, run:
$ ssh-keygen -E md5 -lf <fileName>
Bonus information:
ssh-keygen -lf also works on known_hosts and authorized_keys files.
To find most public keys on Linux/Unix/OS X systems, run
$ find /etc/ssh /home/*/.ssh /Users/*/.ssh -name '*.pub' -o -name 'authorized_keys' -o -name 'known_hosts'
(If you want to see inside other users' homedirs, you'll have to be root or sudo.)
The ssh-add -l is very similar, but lists the fingerprints of keys added to your agent. (OS X users take note that magic passwordless SSH via Keychain is not the same as using ssh-agent.)
How do I find what is the path? –
Cockcroft
Also, if you simply want the public key, run:
cat ~/.ssh/id_rsa.pub –
Matrimony Since your example hex fingerprint is 32 digits I believe it would be an MD5 fingerprint, correct? As opposed to a 40 digit fingerprint, which would indicate SHA1 –
Mislike
On non-Ubuntu systems the relevant file may be in /etc/ssh, e.g. /etc/ssh/ssh_host_rsa_key.pub –
Lizettelizotte
Copy the long version (what you give to Github or Digital Ocean etc) to xclip with
xclip -sel clip < ~/.ssh/id_rsa.pub. If you don't have xclip do sudo apt-get install xclip first –
Lipocaic FYI, on Mac OS X (Snow Leopard):
ssh-keygen -lf /private/etc/ssh_host_rsa_key.pub. –
Buckle Worth noting that the fingerprint should be the same for both keys in a public / private keypair; so the fingerprint of
.ssh/id_rsa should be the same as the one for .ssh/id_rsa.pub. So, you can use either one (and, if you're like me and love tab-completion, it makes the job take 2 fewer keystrokes. Efficiency!). –
Fission If you're comparing against fingerprints listed in the AWS console, this will save you time... serverfault.com/questions/603982/… –
Toname
@Zorawar, even ubuntu now is
/etc/ssh/ssh_host_rsa_key.pub –
Eley You can also just type
ssh-keygen -l. It will then ask you for the file and will suggest your public key if present. This way you don't need to type the path yourself. –
Shea The command you gave to "Find most public on a Linux/Unix/OSX system" was super helpful! My rsa key on a Raspberry Pi for instance is found in:
/etc/ssh/ssh_host_rsa_key.pub –
Jaclyn This answer is outdated. Use ssh-keygen -lf -E md5 to get what OP wants. –
Tantamount
The newer SSH commands will list fingerprints as a SHA256 Key.
For example:
ssh-keygen -lf ~/.ssh/id_dsa.pub
1024 SHA256:19n6fkdz0qqmowiBy6XEaA87EuG/jgWUr44ZSBhJl6Y (DSA)
If you need to compare it against an old fingerprint you also need to specify to use the MD5 fingerprint hashing function.
ssh-keygen -E md5 -lf ~/.ssh/id_dsa.pub
2048 MD5:4d:5b:97:19:8c:fe:06:f0:29:e7:f5:96:77:cb:3c:71 (DSA)
Also available: -E sha1
Update... YES...yes... I know... DSA keys for SSH should no longer be used, the older RSA key or newer ecliptic keys should be used instead.
To those 'admins' that keep editing the command I used in the above. STOP CHANGING IT! You make the command and resulting output mis-match!
It's worth mentioning here that you can tell
ssh to show you the server's old MD5 fingerprint using ssh -o FingerprintHash=md5 example.org, as mentioned in this answer. (I was just searching for that, and this answer led me to that one, so I figure others might have a similar experience.) –
Pianissimo This answer is most helpful for those wishing to compare their keys with what github.com shows (ie the MD5 formatted in hex) –
Mcmann
Also very helpful for what comparing against what putty will report. –
Revkah
Currently GitHub shows the former format. By the way, in my case the SHA256 generated on my local key doesn't match with that one sent by GitHub! Is that an MITM? Even if I know it is, what am I supposed to do about it? –
Doris
I was looking for this, because in Centos 7 and Centos 8 the defaults are different! –
Gstring
To see your key on Ubuntu, just enter the following command on your terminal:
ssh-add -l
You will get an output like this:
2568 0j:20:4b:88:a7:9t:wd:19:f0:d4:4y:9g:27:cf:97:23 yourName@ubuntu (RSA)
If however you get an error like; Could not open a connection to your authentication agent.
Then it means that ssh-agent is not running. You can start/run it with:
ssh-agent bash (thanks to @Richard in the comments) and then re-run ssh-add -l
If you're not on Ubuntu you might get this unfortunately "Could not open a connection to your authentication agent." –
Klondike
This only works if you have the authentication agent running. –
Sedulous
To get the authentication agent running you can use
ssh-agent bash and proceed with life. In life as always; ssh-agent isn't guaranteed as a consistent implementation on all systems. –
Spinose Another tip for linux; The option -F (dump fingerprint) of ssh-keygen-g3 will display the fingerprint of the key: $ ssh-keygen-g3 -F /path/to/keyfile.pub answers.ssh.com/questions/494/… –
Aneurysm
A key pair (the private and public keys) will have the same fingerprint; so in the case you can't remember which private key belong to which public key, find the match by comparing their fingerprints.
The most voted answer by Marvin Vinto provides the fingerprint of a public SSH key file. The fingerprint of the corresponding private SSH key can also be queried, but it requires a longer series of step, as shown below.
Load the SSH agent, if you haven't done so. The easiest way is to invoke
$ ssh-agent bashor
$ ssh-agent tcsh(or another shell you use).
Load the private key you want to test:
$ ssh-add /path/to/your-ssh-private-keyYou will be asked to enter the passphrase if the key is password-protected.
Now, as others have said, type
$ ssh-add -l 1024 fd:bc:8a:81:58:8f:2c:78:86:a2:cf:02:40:7d:9d:3c you@yourhost (DSA)fd:bc:...is the fingerprint you are after. If there are multiple keys, multiple lines will be printed, and the last line contains the fingerprint of the last loaded key.If you want to stop the agent (i.e., if you invoked step 1 above), then simply type `exit' on the shell, and you'll be back on the shell prior to the loading of ssh agent.
I do not add new information, but hopefully this answer is clear to users of all levels.
The first paragraph is untrue,
ssh-add -l and ssh-keygen -l return the same fingerprint for a given keypair. Also, it should be a lowercase -l, not uppercase. –
Feltner I don't contest that
ssh-add -l and ssh-keygen -l return the same fingerprint for a given keypair. But I don't understand what was wrong with my original statements on first paragraph. I added a sentence to clarify. –
Sike It's just simper to point ssh-keygen to a key, rather than start the agent, then load the key, then get the fingerprint. –
Feltner
If you have the private key only, you do not necessarily need to run
ssh-agent. Assuming PRIVKEY has been set to the private key file, and PUBKEY has been set to the (initially nonexistent) public key file, do: ssh-keygen -y -f "${PRIVKEY}" > "${PUBKEY}" to regenerate the SSH public key, then ssh-keygen -E md5 -l -v -f "${PUBKEY}" if you want the MD5 hash or just ssh-keygen -l -v -f "${PUBKEY}" if you want the SHA-256 hash (SHA-256 being the default now). –
Telly Reproducing content from AWS forums here, because I found it useful to my use case - I wanted to check which of my keys matched ones I had imported into AWS
openssl pkey -in ~/.ssh/ec2/primary.pem -pubout -outform DER | openssl md5 -c
Where:
primary.pemis the private key to check
Note that this gives a different fingerprint from the one computed by ssh-keygen.
I think it'd be important to mention that this doesn't compute the same fingerprint that ssh-keygen would. –
Apperception
Thanks, done. Tweak it if you like, of course. I'll probably flag these comments for deletion after a while. –
Apperception
The fastest way if your keys are in an SSH agent:
$ ssh-add -L | ssh-keygen -E md5 -lf /dev/stdin
Each key in the agent will be printed as:
4096 MD5:8f:c9:dc:40:ec:9e:dc:65:74:f7:20:c1:29:d1:e8:5a /Users/cmcginty/.ssh/id_rsa (RSA)
Needed a quicker way to match my keys against those on my GitHub account and this answer helped me do just that. –
Amalle
$ ssh-add -l
will also work on Mac OS X v10.8 (Mountain Lion) - v10.10 (Yosemite).
It also supports the option -E to specify the fingerprint format so in case MD5 is needed (it's often used, e.g. by GitHub), just add -E md5 to the command.
+1 for the simplest answer. From
man ssh-add the option -l is " Lists fingerprints of all identities currently represented by the agent" –
Unworthy On Windows, if you're running PuTTY/Pageant, the fingerprint is listed when you load your PuTTY (.ppk) key into Pageant. It is pretty useful in case you forget which one you're using.
Thank you, Sometimes us Linux people forget about windows, especially as the OP mentioned putty. –
Mormon
@DmitriR117 why did you paint black public key as it can be known to the whole world? –
Benham
I guess there's always been a little bit of...Paranoia :) What if the quants can use it against me one day?! –
Tattler
This is the shell function I use to get my SSH key finger print for creating DigitalOcean droplets:
fingerprint() {
pubkeypath="$1"
ssh-keygen -E md5 -lf "$pubkeypath" | awk '{ print $2 }' | cut -c 5-
}
Put it in your ~/.bashrc, source it, and then you can get the finger print as so:
$ fingerprint ~/.ssh/id_rsa.pub
d2:47:0a:87:30:a0:c0:df:6b:42:19:55:b4:f3:09:b9
Sometimes you can have a bunch of keys in your ~/.ssh directory, and don't know which matches the fingerprint shown by GitHub/Gitlab/etc.
Here's how to show the key filenames and MD5 fingerprints of all the keys in your ~/.ssh directory:
cd ~/.ssh
find . -type f -exec printf "\n{}\n" \; -exec ssh-keygen -E md5 -lf {} \;
(For what the parameters mean, refer to this answer about the find command.
Note that the private/public files that belong to one key have the same fingerprint, so you'll see duplicates.
If your SSH agent is running, it is
ssh-add -l
to list RSA fingerprints of all identities, or -L for listing public keys.
If your agent is not running, try:
ssh-agent sh -c 'ssh-add; ssh-add -l'
And for your public keys:
ssh-agent sh -c 'ssh-add; ssh-add -L'
If you get the message: 'The agent has no identities.', then you have to generate your RSA key by ssh-keygen first.
I installed openssh, then attempted to connect to the server using putty. It's presenting an ssh-ed25519 256 key fingerprint, but I'm getting the "no identities" message. Do you know where this key could be found and listed? Is there a downside to using this key, vs generating a new RSA key? –
Unconditioned
Found it under
/etc/ssh/ssh_host_ed25519_key.pub. Second part of the question remains: any downside to using this auto generated key? –
Unconditioned Google Compute Engine shows the SSH host key fingerprint in the serial output of a Linux instance. The API can get that data from GCE, and there is no need to log in to the instance.
I didn't find it anywhere else but from the serial output. I think the fingerprint should be in some more programmer-friendly place.
However, it seems that it depends on the type of an instance. I am using instances of Debian 7 (Wheezy) f1-micro.
If you need to obtain that from the private key do it:
ssh-keygen -y -f key > key.pub && ssh-keygen -lf key.pub
for bash: When your keys are not in a file (when getting pub-keys from a vault)
echo -n "ssh-rsa AAA....." | ssh-keygen -E sha256 -lf /dev/stdin
echo -n "ssh-ed25519 AAA....." | ssh-keygen -E md5 -lf /dev/stdin
To check a remote SSH server prior to the first connection, you can give a look at www.server-stats.net/ssh/ to see all SHH keys for the server, as well as from when the key is known.
That's not like an SSL certificate, but definitely a must-do before connecting to any SSH server for the first time.
User wasn't looking for a third-party website, but a command line from the OS itself. –
Snowfield
So, it's basically the convergence plugin, except for SSH instead of SSL, and with only one (somewhat iffy) notary. That sound about right? –
Fission
On Fedora I do locate ~/.ssh which tells me keys are at
/root/.ssh
/root/.ssh/authorized_keys
The OP seems to know where to find their keys (This is not it,
~/.ssh/id*.pub is) and want to get their fingerprints. –
Teodor © 2022 - 2024 — McMap. All rights reserved.
function fingerprint() { ssh-keygen -lf $1 -E md5 }Then (after you source the bashrc) you can get a fingerprint withfingerprint ~/.ssh/key_file– Tartu;in the body, so usefunction fingerprint() { ssh-keygen -lf $1 -E md5; }instead. – Charger