Calculate RSA key fingerprint

别那么骄傲 2020-11-28 16:55

I need to do the SSH key audit for GitHub, but I am not sure how to find my RSA key fingerprint. I originally followed a guide to generate an SSH key on Linux.

What

14 answers
  • 2020-11-28 17:23

    Sometimes you can have a bunch of keys in your ~/.ssh directory, and don't know which matches the fingerprint shown by GitHub/Gitlab/etc.

    Here's how to show the key filenames and MD5 fingerprints of all the keys in your ~/.ssh directory:

    cd ~/.ssh
    find . -type f -exec printf "\n{}\n" \; -exec ssh-keygen -E md5 -lf {} \;
    

    (For what the parameters mean, refer to this answer about the find command.)

    Note that the private/public files that belong to one key have the same fingerprint, so you'll see duplicates.

  • 2020-11-28 17:24

    Google Compute Engine shows the SSH host key fingerprint in the serial output of a Linux instance. The API can get that data from GCE, and there is no need to log in to the instance.

    I didn't find it anywhere else but from the serial output. I think the fingerprint should be in some more programmer-friendly place.

    However, it seems that it depends on the type of an instance. I am using instances of Debian 7 (Wheezy) f1-micro.

  • 2020-11-28 17:27

    This is the shell function I use to get my SSH key fingerprint for creating DigitalOcean droplets:

    fingerprint() {
        pubkeypath="$1"
        ssh-keygen -E md5 -lf "$pubkeypath" | awk '{ print $2 }' | cut -c 5-
    }
    

    Put it in your ~/.bashrc, source it, and then you can get the fingerprint like so:

    $ fingerprint ~/.ssh/id_rsa.pub
    d2:47:0a:87:30:a0:c0:df:6b:42:19:55:b4:f3:09:b9
    
  • 2020-11-28 17:33

    The newer SSH commands will list fingerprints as a SHA256 Key.

    For example:

    ssh-keygen -lf ~/.ssh/id_dsa.pub 
    1024 SHA256:19n6fkdz0qqmowiBy6XEaA87EuG/jgWUr44ZSBhJl6Y (DSA)
    

    If you need to compare it against an old fingerprint you also need to specify to use the MD5 fingerprint hashing function.

    ssh-keygen -E md5 -lf ~/.ssh/id_dsa.pub
    2048 MD5:4d:5b:97:19:8c:fe:06:f0:29:e7:f5:96:77:cb:3c:71 (DSA)
    

    Also available: -E sha1

    Update... YES...yes... I know... DSA keys for SSH should no longer be used, the older RSA key or newer elliptic keys should be used instead.

    To those 'admins' that keep editing the command I used in the above. STOP CHANGING IT! You make the command and resulting output mismatch!

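What the `-E md5` and default SHA256 outputs in the answers above are computed from, as an added example that is not code from any of the answers: both are hashes of the base64-decoded key blob in the `.pub` file, and the RSA bit count is the length of the modulus inside that blob. The function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

def read_fields(blob):
    """Split an SSH key blob into its length-prefixed fields (RFC 4251)."""
    fields, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack_from(">I", blob, pos)  # struct.error if cut short
        pos += 4
        if pos + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + n])
        pos += n
    return fields

def fingerprints(pubkey_line):
    """Return what `ssh-keygen -l` reports for one line of a .pub file."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    fields = read_fields(blob)
    if not fields or fields[0] != key_type.encode():
        raise ValueError("key type label does not match the blob")
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    out = {"md5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
           "sha256": "SHA256:" + sha}
    if key_type == "ssh-rsa":  # fields are: type, exponent e, modulus n
        out["bits"] = int.from_bytes(fields[2], "big").bit_length()
    return out

def matches(pubkey_line, shown):
    """Compare a key with a fingerprint as a service displays it (either form)."""
    fp = fingerprints(pubkey_line)
    if shown.startswith("SHA256:"):
        return shown == fp["sha256"]
    bare = shown[4:] if shown.upper().startswith("MD5:") else shown
    return bare.lower() == fp["md5"][4:]

# Constructed sample: a well-formed ssh-rsa blob with a made-up 2048-bit
# modulus (not a usable key), so the example runs without any key files.
def _field(data):
    return struct.pack(">I", len(data)) + data

SAMPLE = "ssh-rsa " + base64.b64encode(
    _field(b"ssh-rsa") + _field(b"\x01\x00\x01") + _field(b"\x00" + b"\xc3" * 256)
).decode() + " constructed@example"
```

Because the fingerprint covers only the public blob, the comment at the end of the line does not affect it.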
  • 2020-11-28 17:33

    To see your key on Ubuntu, just enter the following command on your terminal:

    ssh-add -l

    You will get an output like this: 2568 0j:20:4b:88:a7:9t:wd:19:f0:d4:4y:9g:27:cf:97:23 yourName@ubuntu (RSA)

    If, however, you get an error like: Could not open a connection to your authentication agent.
    Then it means that ssh-agent is not running. You can start/run it with: ssh-agent bash (thanks to @Richard in the comments) and then re-run ssh-add -l

  • 2020-11-28 17:33

    Reproducing content from AWS forums here, because I found it useful to my use case - I wanted to check which of my keys matched ones I had imported into AWS.

    openssl pkey -in ~/.ssh/ec2/primary.pem -pubout -outform DER | openssl md5 -c

    Where primary.pem is the private key to check.
