Linux – get SSH key fingerprint in (old) hex format on new version of openssh

freebsdlinuxopensshssh

It seems that openssh has changed the way it displays key fingerprints.

I am trying to ssh from a client machine to a server:

  • client: ubuntu 14.04 running OpenSSH 6.6.1
  • server: FreeBSD running OpenSSH 7.2p2.

The client reports the md5 hash of the server's key as a sequence of 16 pairs of hex digits, like this:

a7:b1:3e:3d:84:24:a2:5a:91:5f:6f:e9:cf:dd:2b:6a

The server defaults to using the sha256 hash, but thanks to this answer I can force it to give the sha1 hash by running:

[root@host /etc/ssh]# ssh-keygen -l -E sha1 -f ssh_host_ecdsa_key.pub

I want the result to look like this:

a7:b1:3e:3d:84:24:a2:5a:91:5f:6f:e9:cf:dd:2b:6a

but instead I get this:

256 SHA1:KIh0ejR4O+RqrSq7JdGAASddRfI root@host.local (ECDSA)

It looks to me like a base64 encoded version of the fingerprint is now being displayed instead of hex digits.

How can I get the checksum of the server's key in the same format as that reported by the (older) client (colon separated hex digits, sha1 hash) so as to check that they are the same?

EDIT:
The old version of SSH gives the md5 checksum, not the sha1 checksum as I mistakenly thought. Using that checksum (as the now accepted answer should state) in the -E option gives the desired output.

Best Answer

The client reports the sha1 hash of the server's key as a sequence of 16 pairs of hex digits, like this:

    a7:b1:3e:3d:84:24:a2:5a:91:5f:6f:e9:cf:dd:2b:6a

This is MD5 hash.

As you can see running

ssh-keygen -l -E md5 -f ssh_host_ecdsa_key.pub

will get you the same fingerprint you need without such harakiri you are explaining in your answer.