This is useful for comparing the key fingerprints GitHub shows for your account against the keys in your ~/.ssh directory, or for checking the fingerprint of a key a colleague sent you.
To print a key's fingerprint in the current default format (SHA256, base64-encoded, which OpenSSH 6.8 and later use):
ssh-keygen -l -f ~/.ssh/foobar.id_rsa
To print the same key in the legacy MD5 format (colon-separated hex pairs, the only format older OpenSSH releases produced):
ssh-keygen -l -E md5 -f ~/.ssh/bazbarn.id_rsa
Remember to change the filename as required. Either the private key or its .pub file can be given; only the public half is hashed, so both give the same fingerprint.
If you've ever tried to connect to a new server over SSH, you will have seen a message similar to the following:
# ssh iridium
The authenticity of host '[foo]' can't be established.
RSA key fingerprint is a2:b9:c5:d3:e5:fc:a6:b3:c7:da:e1:f0:ac:b9:c9:d5.
Are you sure you want to continue connecting (yes/no)?
Then you may have wondered, "Well, what *is* the fingerprint of my server supposed to be?". The prompt is only meaningful if you already know the answer from somewhere other than the connection you are about to trust. So, at SSH server install time, or later over a channel you already trust (console, an existing verified session, a configuration-management inventory), run the command below on the server to record its host key fingerprint:
# ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
2048 a2:b9:c5:d3:e5:fc:a6:b3:c7:da:e1:f0:ac:b9:c9:d5 root@foo (RSA)
You should then be able to compare the two fingerprints to determine whether the server you're connecting to is in fact the one you're trying to connect to and not an impostor sitting between you and the real host (a man-in-the-middle). Make sure both fingerprints are in the same format: a current client prints SHA256 in the prompt, so either add -E md5 to the server-side command above or run the client with -o FingerprintHash=md5 to compare against an MD5 value.
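The two ssh-keygen invocations above and the comparison step are the same operation: hash the raw public-key blob (the base64 part of the key line) and print the digest in one of two encodings. The following is an added example, not code from the original post, that does this in pure Python so you can see exactly what a fingerprint is and compare one copied from GitHub's UI or an old "RSA key fingerprint is ..." prompt against a key file. The sample key line at the bottom is constructed here (a syntactically valid ssh-rsa blob with a made-up modulus, not a real key pair) purely to exercise the parser.

```python
"""Compute and compare OpenSSH public-key fingerprints without ssh-keygen."""
import base64
import hashlib
import struct


def _read_string(blob: bytes, offset: int):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def parse_public_key_line(line: str):
    """Parse an authorized_keys / id_rsa.pub style line: '<type> <base64> [comment]'.

    Returns (key_type, raw_blob, comment) and checks that the key type written
    in front agrees with the type embedded at the start of the blob.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    inner_type, _ = _read_string(blob, 0)
    if inner_type.decode() != key_type:
        raise ValueError(f"type mismatch: {key_type} vs {inner_type!r}")
    return key_type, blob, comment


def rsa_key_bits(blob: bytes) -> int:
    """Bit length of the RSA modulus n: the leading number ssh-keygen -l prints."""
    _, off = _read_string(blob, 0)      # "ssh-rsa"
    _, off = _read_string(blob, off)    # e
    n, _ = _read_string(blob, off)      # n as mpint (may carry a leading 0x00)
    return int.from_bytes(n, "big").bit_length()


def fingerprint_sha256(blob: bytes) -> str:
    """Current ssh-keygen -l output: base64(SHA-256(blob)) with '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy ssh-keygen -l -E md5 output: colon-separated hex pairs of MD5(blob)."""
    digest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprints_match(a: str, b: str) -> bool:
    """Compare two fingerprints as a human would copy them.

    The algorithm prefix and base64 padding are ignored; MD5 hex is compared
    case-insensitively, base64 case-sensitively (case is significant there).
    A SHA256 value never matches an MD5 value, so format mismatches fail loudly.
    """
    def norm(fp: str) -> str:
        fp = fp.strip()
        for prefix in ("SHA256:", "MD5:"):
            if fp.startswith(prefix):
                fp = fp[len(prefix):]
        if ":" in fp:               # MD5 hex pairs
            return fp.lower()
        return fp.rstrip("=")       # base64 SHA256
    return norm(a) == norm(b)


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


# Constructed sample (assumption for this example): well-formed ssh-rsa blob with
# e = 65537 and a made-up 2048-bit modulus. It is NOT a real key pair.
_E = b"\x01\x00\x01"
_N = b"\x00" + b"\xc0" + b"\x42" * 255          # leading 0x00 because the high bit is set
SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _ssh_string(_E) + _ssh_string(_N)
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " root@foo"

if __name__ == "__main__":
    key_type, blob, comment = parse_public_key_line(SAMPLE_LINE)
    # Same layout as `ssh-keygen -l -f key.pub`: bits, fingerprint, comment, (type)
    print(rsa_key_bits(blob), fingerprint_sha256(blob), comment, "(RSA)")
    print(rsa_key_bits(blob), fingerprint_md5(blob), comment, "(RSA)")
```

Point `parse_public_key_line` at a real `~/.ssh/*.pub` line and the output should match ssh-keygen's byte for byte; if a fingerprint you were handed does not match in either format, treat the key as unverified rather than assuming a copy-paste error.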
Occasionally (especially in the cloud world, where instances are cattle and a rebuilt machine comes back behind the same name or address with a freshly generated host key), the SSH host key fingerprint for a host changes. When this happens, ssh prints a "REMOTE HOST IDENTIFICATION HAS CHANGED" warning and refuses to connect until the stale entry is removed.
If the change is expected, the usual remedy is to delete the offending entry from your "known_hosts" file (typically ~/.ssh/known_hosts). Do not do this reflexively: the same warning is what a real man-in-the-middle produces, so confirm the new fingerprint out of band first. When you need to do this across a bunch of machines and you don't know which line the host will be on, on each machine, the following command might be useful:
sed -i -e '/^\[webserver-03\.example\.com\]:2222 /d' ~/.ssh/known_hosts
It deletes any line whose host field is "[webserver-03.example.com]:2222" in the default "known_hosts" file. The square brackets and dots must be escaped, because to sed an unescaped "[webserver-03.example.com]" is a character class that matches any single one of those characters rather than the literal host name. Note also that if HashKnownHosts is enabled the host names in the file are hashed and no text match will find them; in that case, and in general, prefer the tool built for the job, which handles both plain and hashed entries:
ssh-keygen -R '[webserver-03.example.com]:2222'
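A safer way to script the removal than a hand-built sed regex is to compare the host field as a string instead of as a pattern, so brackets, dots and port suffixes need no escaping, and to handle lines that list several names for one key ("host,10.0.0.3 ssh-ed25519 ..."). The following is an added example, not from the original post; the function name and the three-line sample known_hosts it is run against are constructed here for illustration. It only works on unhashed entries; hashed lines (starting with "|1|") still need ssh-keygen -R.

```sh
#!/bin/sh
# Remove every known_hosts entry for one host token by exact match on the
# host field. Works for "host", "[host]:port" and comma-separated name lists.
# Usage: remove_known_host '[webserver-03.example.com]:2222' [known_hosts_file]

remove_known_host() {
    host="$1"
    file="${2:-$HOME/.ssh/known_hosts}"
    tmp="$file.tmp.$$"
    # known_hosts lines are: "name[,name...] keytype base64 [comment]".
    # Compare each comma-separated name with the requested token as a plain
    # string (no regex), dropping the line when any name matches.
    awk -v h="$host" '
        {
            n = split($1, names, ",")
            keep = 1
            for (i = 1; i <= n; i++) if (names[i] == h) keep = 0
            if (keep) print
        }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Count remaining entries; used below to confirm what was removed.
count_known_hosts() {
    grep -c '' "${1:-$HOME/.ssh/known_hosts}"
}

# Constructed sample file (not a real known_hosts): the first two lines are
# different key types recorded for the same webserver, the third is unrelated.
make_sample_known_hosts() {
    printf '%s\n' \
        '[webserver-03.example.com]:2222 ssh-rsa AAAAB3NzaC1yc2E= sample' \
        'webserver-03.example.com,10.0.0.3 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 sample' \
        'other.example.com ssh-rsa AAAAB3NzaC1yc2E= sample' > "$1"
}
```

Run `make_sample_known_hosts /tmp/kh && remove_known_host '[webserver-03.example.com]:2222' /tmp/kh` and only the port-2222 line disappears; the entry for the same server on port 22 stays, which is exactly the behaviour you want when only one service's key was rotated.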