OpenBSDs "ssh-keygen -l" output format has changed in 5.7. How to verify the host key when connecting from older ssh versions?
Until OpenBSD 5.6 the host_keys fingerprint output format was like this:
# ssh-keygen -lf ssh_host_ecdsa_key.pub
256 9d:76:ba:86:80:ef:63:eb:41:2f:13:f3:f4:b5:0b:35 root@bsd.domain.de (ECDSA)
In OpenBSD 5.7 the output format has changed:
# ssh-keygen -lf ssh_host_ecdsa_key.pub
256 SHA256:6vYsd91sIrtVqPXazpPfRxj9QDa+1+Ns2C2lKSUph3c root@bsd.domain.de (ECDSA)
When connecting from a OpenBSD5.7 ssh client to a OpenBSD5.7 sshd, a verification is possible:
# ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:6vYsd91sIrtVqPXazpPfRxj9QDa+1+Ns2C2lKSUph3c.
Are you sure you want to continue connecting (yes/no)?
How do I verify the keys fingerprints when connecting from a OpenBSD 5.6 to a OpenBSD 5.7 machine? Is there a way to convert the output format?
Best Answer
In OpenBSD 5.7 ssh-keygen uses SHA256 for the default fingerprint hash.
You're looking for the MD5 hash of the fingerprint: