Ssh – Given keys in ~/.ssh/authorized_keys format, can you determine key strength easily

opensshssh

~/.ssh/authorized_keys[2] contains the list of public keys.

Unfortunately, each public key does not specify the key strength ( number of bits ).

Is there a utility that can process this file line by line and output the key strength?

I checked man pages for ssh-keygen, but it looks like it would only work with private keys.

Also, is there a tool that would output sha1 hash the same way as it is displayed in pageant Putty tool?

The format I am looking for:

Key Algorithm  Strength  Hash                                             Comment
ssh-rsa        2048      00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff  user1@host1
ssh-rsa        2048      11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:11  user2@host2

Best Answer

ssh-keygen can do the core of the work (generating a fingerprint from a public key), but it will not automatically process a list of multiple keys as is usually found in an authorized_keys file.

Here is a script that splits up the keys, feeds them to ssh-keygen and produces the table you want:

#!/bin/sh

# usage: authkeys-report <authorized_keys-file>    

set -ue

tmp="$(mktemp -t fingerprint-authkeys.XXXXXXXX)"
trap 'rm -f "$tmp"' 0

while read opts key; do
    case "$opts" in
        [0-9]*|ssh-dss|ssh-rsa)
            # not options, first "word" is part of key
            key="$opts $key"
        ;;
    esac
    echo "$key" >$tmp
    set -- $(ssh-keygen -lf "$tmp")
    bits="$1" fingerprint="$2"

    set -- $key # Note: will mangle whitespace in the comment
    case "$1" in
        [0-9]*) # SSH v1 key
            type=rsa1
            shift 3
        ;;
        ssh-rsa|ssh-dss) # SSH v2 key
            type="$1"
            shift 2
        ;;
        *)
            type=unknown
            set --
        ;;
    esac

    printf '%-14s %-9s %s %s\n' "$type" "$bits" "$fingerprint" "$*"
done <$1
Related Question