SSH – How to View ECDSA Host Key of a Server

sshssh-keys

When getting a message like the following, how can I view the key of the server?

$ ssh example.com
Warning: the ECDSA host key for 'example' differs from the key for the IP address '10.0.0.2'
Offending key for IP in /Users/louis/.ssh/known_hosts:1

When doing ssh -v example.com I can see debug1: Server host key: ecdsa-sha2-nistp256 SHA256:..., but this is not the same as the ssh-rsa key eventually stored in known_hosts after correcting the problem.

Best Answer

One pretty easy way is to use ssh-keyscan. This command will request keys from the remote server. For example if I wanted the rsa, ecdsa, and ed25519 host keys from demo.example.org I might use this command.

$ ssh-keyscan -t rsa,ecdsa,ed25519 demo.example.org

# demo.example.org:22 SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4
demo.example.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP6LHP2MDkPBtfBF546K9ZlPtJYVF3MMMn0ZMWEY6fkiAR+CPTfPo2l31qHMEJ0g1TT4MM0WBp8/okeBLlkgkhQ=
# demo.example.org:22 SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4
demo.example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAuVatNRkjLPQOqXF9sVJOgfzKcfVJUlaFv6vfw1sBcxujRnLy0GInn0HxraXxm60dZWlkIyjhzp7CFWK9PNJ/q2NrhPa1NcWLQ4zbandj4whXYXNdysY0LSQzefrXUiEHCIk1lmBuNx59tzAS0I5S6IYH6S72g+g16HNcaJ8SEJnmFpVu5nKzhNVZls47tM+MCVjMZ92xgWkziFgnDqarfxRgL8ZKgnwQ5jPaltNf73qamAuGsMnvR8VfNpeT3QFH2MzYO/um1HYMhiUMKJfL6S4hG0rIFbF4riXnav7XPWpBVRNtLdT2w2z996wxhrvBxNLQAKK2d6jUOHWC+7x7
# demo.example.org:22 SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4
demo.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEGDaHtAIq+r98FqHL6ERuZ8ZcGyNyu3iW0XOskqQbh

If you wanted the hashed versions and wanted to append them to your known_hosts you could use a command like this.

ssh-keyscan -t rsa,ecdsa,ed25519 -H demo.example.org 2>/dev/null >> .ssh/known_hosts

Related Solutions

How to Remove Strict RSA Key Checking in SSH and Understand the Issues

Please don't delete the entire known_hosts file as recommended by some people, this totally voids the point of the warning. It's a security feature to warn you that a man in the middle attack may have happened.

I suggest you identify why it thinks something has changed, most likely an SSH upgrade altered the encryption keys due to a possible security hole. You can then purge that specific line from your known_hosts file:

sed -i 377d ~/.ssh/known_hosts

This deletes line 377 as shown after the colon in the warning:

/home/emerson/.ssh/known_hosts:377

Alternatively you can remove the relevant key by doing the following

ssh-keygen -R 127.0.0.1 (obviously replace with the server's IP)

Please DO NOT purge the entire file and ensure this is actually the machine you want to be connecting to prior to purging the specific key.

Git for Windows – How to Tell Git Where to Find Private RSA Key

For Git Bash

If you are running msysgit (I am assuming you are) and are looking to run Git Bash (I recommend it over TortoiseGit, but I lean to the CLI more than GUI now), you need to figure out what your home directory is for Git Bash by starting it then type pwd (On Windows 7, it will be something like C:\Users\phsr I think). While you're in Git Bash, you should mkdir .ssh.

After you have the home directory, and a .ssh folder under that, you want to open PuTTYgen and open the key (.ppk file) you have previously created. Once your key is open, you want to select Conversions -> Export OpenSSH key and save it to HOME\.ssh\id_rsa. After you have the key at that location, Git Bash will recognize the key and use it.

Note: Comments indicate that this doesn't work in all cases. You may need to copy the OpenSSH key to Program Files\Git\.ssh\id_rsa (or Program Files (x86)\Git\.ssh\id_rsa).

For TortoiseGit

When using TortoiseGit, you need to set the SSH key via pacey's directions. You need to do that for every repository you are using TortoiseGit with.