SSH-Keygen Fingerprint and SSH giving fingerprints with lots of letters and numbers

ssh

On the advice of another SE member (I'm cross-posting here).

I've been using SSH and public key crypto for a few months. I've run into a new problem with my install of the newest public beta of OS X, and can't find an answer online.

When I run SSH-Keygen -lf in the OS X terminal, the fingerprint I get is:

SHA256:FAESFJ*(WY*(T$NGN(*G(NURGOUfj34n98tj8v3f485 
[That's not the actual string, but you get the picture]

I'm used to something like

2048 0a:11:2b:33:44:55:66:77:88

Similarly, after deleting my old known_hosts file, when attempting to SSH into some of my machines, I was greeted with the standard warning that the host was unknown and to check the fingerprint. However, again, the fingerprint is being displayed as:

SHA256:[Mix of letters and numbers]

When I run ssh-keygen -lf on my ubuntu installation, I get the standard

2048 0a:1b:2c:[ETC ETC]

Am I doing something wrong? Is there another option or parameter I need to flick?

In the meantime, to make sure I'm safe, I did

ssh-keyscan [IP address] > /path/to/file
ssh-keygen -lf /path/to/same/file

The result was the same as what I was prompted with when I SSH'd in. So I'm safe, and not too worried about security. But I'd like to learn what's going on and if I'm doing something wrong.

Thanks in advance!

Edit: I should add that SSH-Keygen -lf used to work as expected before this upgrade. This suggests that I just need to flip a switch to change the output from gobbledygook to the more "traditional" fingerprint output.

Best Answer

Turns out that SSH recently switched from using MD5 fingerprints (what I refer to as a "traditional" fingerprint) to SHA256 fingerprints (what I referred to as gobbledygook).

I'm guessing that with El Capitan, OS X is now using a newer version of SSH that is using the new SHA256 default.

For those of you who find this, although SSH will give you an SHA256 fingerprint by default, you can ask SSH to give you an MD5 Fingerprint.

ssh -o FingerprintHash=md5 [server]

It appears that on my Mac the command

ssh-keygen -lf /path/to/key

now defaults to a SHA256 fingerprint. However, if you're using Ubuntu, it looks like ssh-keygen is still defaulting to MD5 (maybe I need to update my ssh package on Ubuntu).

Here is the post that I finally found once I started using the right terminology: https://superuser.com/questions/929566/sha256-ssh-fingerprint-given-by-the-client-but-only-md5-fingerprint-known-for-se
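To see why the two outputs are the same key, here is an added example (not from the question, the answer, or OpenSSH itself) that computes both fingerprint styles from one public-key line: both hash the base64-decoded key blob, the old style as colon-separated MD5 hex and the new style as unpadded base64 of SHA256. The sample Ed25519 key is constructed and is not a real key; newer ssh-keygen prints the MD5 form with a "MD5:" prefix when asked for it with -E md5.

```python
import base64
import hashlib
import struct


def build_blob(key_type, *fields):
    """Assemble an OpenSSH public-key blob: length-prefixed type, then fields."""
    parts = [key_type] + list(fields)
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)


# Constructed sample, not a real key: 32 bytes of 0x42 as an Ed25519 public key.
SAMPLE_KEY_BLOB = build_blob(b"ssh-ed25519", bytes([0x42] * 32))
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_KEY_BLOB).decode() + " user@example"


def _read_string(buf, pos):
    """Read one length-prefixed SSH 'string' starting at pos."""
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def key_bits(blob):
    """Bit count as ssh-keygen -l prints it: 256 for Ed25519, modulus size for RSA."""
    key_type, pos = _read_string(blob, 0)
    if key_type == b"ssh-ed25519":
        return 256
    if key_type == b"ssh-rsa":
        _, pos = _read_string(blob, pos)   # public exponent e, not needed here
        n, _ = _read_string(blob, pos)     # modulus n as an mpint
        return int.from_bytes(n, "big").bit_length()
    raise ValueError("unsupported key type %r" % key_type)


def fingerprint_blob(blob):
    """Return (md5_colon_hex, sha256_unpadded_base64) for a raw key blob."""
    md5_fp = ":".join("%02x" % b for b in hashlib.md5(blob).digest())
    sha256_fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5_fp, sha256_fp


def fingerprints(key_line):
    """(bits, md5, sha256) for an authorized_keys line or a known_hosts line."""
    fields = key_line.split()
    # known_hosts lines carry a hostname first; find the key-type field either way.
    idx = next(i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-")))
    blob = base64.b64decode(fields[idx + 1])
    md5_fp, sha256_fp = fingerprint_blob(blob)
    return key_bits(blob), md5_fp, sha256_fp
```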