You are browsing a read-only backup copy of Wikitech. The live site can be found at

Help:SSH Fingerprints: Difference between revisions

From Wikitech-static
Jump to navigation Jump to search
m (info about gen_fingerprints that is meanwhile installed everywhere)
(add "New fingerprint pages should be fully-protected.")
Line 1: Line 1:
New fingerprint pages should be fully-protected. Here is a list of all sub-pages:

Revision as of 17:33, 19 July 2017

New fingerprint pages should be fully-protected. Here is a list of all sub-pages:

To find this information, locally you can just run this:


on any host (from ./modules/base/files/environment/gen_fingerprints), or...:

for file in /etc/ssh/*; do ssh-keygen -lf $file; done

If your client shows the new base64 encoded format by default, use ssh -o FingerprintHash=md5 to compare to the format used here.

Remotely (and to format it for these pages), something like this should work:

import sys
if len(sys.argv) == 0:
	print('Must specify hostname')
hostname = sys.argv[1]
port = 22
if len(sys.argv) > 2:
	port = sys.argv[2]

import collections, subprocess, tempfile
with tempfile.NamedTemporaryFile() as tf:
	keyscanCommand = 'ssh-keyscan', '-t', 'rsa,ecdsa,ed25519', '-p', str(port), hostname, stdout = tf.file, stderr = open('/dev/null'))

	fingerprints = collections.defaultdict(list)
	for fingerprintHash in ['md5', 'sha256']:
		keygenCommand = ['ssh-keygen', '-l', '-E', fingerprintHash, '-f',]
		keygenProcess = subprocess.Popen(keygenCommand, stdout = subprocess.PIPE)
		stdout, stderr = keygenProcess.communicate()
		for line in stdout.decode('ascii').splitlines():
			bitlen, fingerprint, hostname, type = line.split(' ')

	for type, keys in fingerprints.items():
		print(';' + type + ':')
		for key in keys:
			print('* <code>' + key + '</code>')

Assuming you have OpenSSH 6.8+ (Ubuntu 15.10 provides 6.9). If you don't, you'll need to get rid of the 'sha256' list entry and remove the "'-E', fingerprintHash, ".