Ssh-keygen key verification changed in OpenBSD 5.7, how to verify host_key

fingerprintopenbsdssh-keygen

OpenBSDs "ssh-keygen -l" output format has changed in 5.7. How to verify the host key when connecting from older ssh versions?

Until OpenBSD 5.6 the host_keys fingerprint output format was like this:

# ssh-keygen -lf ssh_host_ecdsa_key.pub
256 9d:76:ba:86:80:ef:63:eb:41:2f:13:f3:f4:b5:0b:35  root@bsd.domain.de (ECDSA)

In OpenBSD 5.7 the output format has changed:

# ssh-keygen -lf ssh_host_ecdsa_key.pub
256 SHA256:6vYsd91sIrtVqPXazpPfRxj9QDa+1+Ns2C2lKSUph3c root@bsd.domain.de (ECDSA)

When connecting from a OpenBSD5.7 ssh client to a OpenBSD5.7 sshd, a verification is possible:

# ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:6vYsd91sIrtVqPXazpPfRxj9QDa+1+Ns2C2lKSUph3c.
Are you sure you want to continue connecting (yes/no)?

How do I verify the keys fingerprints when connecting from a OpenBSD 5.6 to a OpenBSD 5.7 machine? Is there a way to convert the output format?

Best Answer

In OpenBSD 5.7 ssh-keygen uses SHA256 for the default fingerprint hash.

You're looking for the MD5 hash of the fingerprint:

# ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_ecdsa_key.pub

Related Solutions

SSH – How to Change Private Key Passphrase

To change the passphrase on your default key:

$ ssh-keygen -p

If you need to specify a key, pass the -f option:

$ ssh-keygen -p -f ~/.ssh/id_dsa

then provide your old and new passphrase (twice) at the prompts. (Use ~/.ssh/id_rsa if you have an RSA key.)

More details from man ssh-keygen:

[...]
SYNOPSIS
    ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment]
               [-f output_keyfile]
    ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
[...]
     -f filename
             Specifies the filename of the key file.
[...]
     -N new_passphrase
             Provides the new passphrase.

     -P passphrase
             Provides the (old) passphrase.

     -p      Requests changing the passphrase of a private key file instead of
             creating a new private key.  The program will prompt for the file
             containing the private key, for the old passphrase, and twice for
             the new passphrase.
[...]

AWS – How to Verify Private Key Matches Keypair

There are two methods, depending on how you created your SSH key as described in Verifying Your Key Pair's Fingerprint in AWS docs.

Here is my SSH key fingerprint in the console:

And here is how to get the same fingerprint from the command line:

~ $ openssl rsa -in ~/.ssh/aws-sandpit.pem -pubout -outform DER | openssl md5 -c
writing RSA key
(stdin)= ae:ae:56:84:f9:72:c4:d1:0a:b8:e9:3b:ab:d4:a7:00

If that doesn't match try this:

~ $ openssl pkcs8 -in path_to_private_key -inform PEM -outform DER -topk8 -nocrypt | openssl sha1 -c

Hope that helps :)

Best Answer

Related Solutions

SSH – How to Change Private Key Passphrase

AWS – How to Verify Private Key Matches Keypair

Related Topic