Calculate RSA key fingerprint

703,653

Solution 1

Run the following command to retrieve the SHA256 fingerprint of your SSH key (-l means "list" instead of creating a new key, -f means "filename"):

$ ssh-keygen -lf /path/to/ssh/key

So for example, on my machine the command I ran was (using RSA public key):

$ ssh-keygen -lf ~/.ssh/id_rsa.pub
2048 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff /Users/username/.ssh/id_rsa.pub (RSA)

To get the GitHub (MD5) fingerprint format with newer versions of ssh-keygen, run:

$ ssh-keygen -E md5 -lf <fileName>

Bonus information:

ssh-keygen -lf also works on known_hosts and authorized_keys files.

To find most public keys on Linux/Unix/OS X systems, run

$ find /etc/ssh /home/*/.ssh /Users/*/.ssh -name '*.pub' -o -name 'authorized_keys' -o -name 'known_hosts'

(If you want to see inside other users' homedirs, you'll have to be root or sudo.)

The ssh-add -l command is very similar, but lists the fingerprints of keys added to your agent. (OS X users take note that magic passwordless SSH via Keychain is not the same as using ssh-agent.)

Solution 2

The newer SSH commands will list fingerprints as a SHA256 Key.

For example:

ssh-keygen -lf ~/.ssh/id_dsa.pub 
1024 SHA256:19n6fkdz0qqmowiBy6XEaA87EuG/jgWUr44ZSBhJl6Y (DSA)

If you need to compare it against an old fingerprint you also need to specify to use the MD5 fingerprint hashing function.

ssh-keygen -E md5 -lf ~/.ssh/id_dsa.pub
2048 MD5:4d:5b:97:19:8c:fe:06:f0:29:e7:f5:96:77:cb:3c:71 (DSA)

Also available: -E sha1

Update... YES...yes... I know... DSA keys for SSH should no longer be used, the older RSA key or newer elliptic keys should be used instead.

To those 'admins' that keep editing the command I used in the above. STOP CHANGING IT! You make the command and resulting output mis-match!
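
What the MD5 and SHA256 fingerprints in the answers above are computed from, as an added Python example that is not part of the original answers: both are a hash of the base64-decoded key blob, only printed differently. The sample key bytes are constructed and the function names are illustrative.

```python
import base64
import hashlib

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def parse_key_line(line):
    """Return (key_type, blob) from a .pub, authorized_keys or known_hosts line."""
    fields = line.split()
    # The base64 blob is the field right after the key type; hostnames or
    # options in front of the type are skipped (quoted options that contain
    # spaces are out of scope for this example).
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            blob = base64.b64decode(fields[i + 1], validate=True)
            break
    else:
        raise ValueError("no supported key type found")
    # The blob opens with its own length-prefixed type string. It must agree
    # with the declared type, or the line is corrupt or has been altered.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != field.encode():
        raise ValueError("declared key type does not match key blob")
    return field, blob

def fingerprints(line):
    """Both fingerprint formats that ssh-keygen -l can print for one key."""
    key_type, blob = parse_key_line(line)
    md5 = hashlib.md5(blob).hexdigest()
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return {
        "type": key_type,
        "md5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha256.rstrip("="),  # OpenSSH omits the padding
    }

def ssh_string(data):
    return len(data).to_bytes(4, "big") + data

# Constructed sample: a format-valid ssh-ed25519 blob with dummy key bytes.
SAMPLE_B64 = base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))).decode()
PUB_LINE = f"ssh-ed25519 {SAMPLE_B64} constructed@example"
KNOWN_HOSTS_LINE = f"host.example ssh-ed25519 {SAMPLE_B64}"

if __name__ == "__main__":
    for sample in (PUB_LINE, KNOWN_HOSTS_LINE):
        print(fingerprints(sample))
```

The same key yields the same fingerprint whether it is read from a .pub file or a known_hosts entry, because only the decoded blob is hashed.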

Solution 3

To see your key on Ubuntu, just enter the following command on your terminal:

ssh-add -l

You will get an output like this: 2568 0j:20:4b:88:a7:9t:wd:19:f0:d4:4y:9g:27:cf:97:23 yourName@ubuntu (RSA)

If, however, you get an error like "Could not open a connection to your authentication agent.", it means that ssh-agent is not running. You can start/run it with: ssh-agent bash (thanks to @Richard in the comments) and then re-run ssh-add -l

Solution 4

A key pair (the private and public keys) will have the same fingerprint; so in case you can't remember which private key belongs to which public key, find the match by comparing their fingerprints.

The most voted answer by Marvin Vinto provides the fingerprint of a public SSH key file. The fingerprint of the corresponding private SSH key can also be queried, but it requires a longer series of steps, as shown below.

  1. Load the SSH agent, if you haven't done so. The easiest way is to invoke

    $ ssh-agent bash
    

    or

    $ ssh-agent tcsh
    

    (or another shell you use).

  2. Load the private key you want to test:

    $ ssh-add /path/to/your-ssh-private-key
    

    You will be asked to enter the passphrase if the key is password-protected.

  3. Now, as others have said, type

    $ ssh-add -l
    1024 fd:bc:8a:81:58:8f:2c:78:86:a2:cf:02:40:7d:9d:3c you@yourhost (DSA)
    

    fd:bc:... is the fingerprint you are after. If there are multiple keys, multiple lines will be printed, and the last line contains the fingerprint of the last loaded key.

  4. If you want to stop the agent (i.e., if you invoked step 1 above), then simply type `exit' on the shell, and you'll be back on the shell prior to the loading of ssh agent.

I do not add new information, but hopefully this answer is clear to users of all levels.

Solution 5

Reproducing content from AWS forums here, because I found it useful to my use case - I wanted to check which of my keys matched ones I had imported into AWS

openssl pkey -in ~/.ssh/ec2/primary.pem -pubout -outform DER | openssl md5 -c

Where:

  • primary.pem is the private key to check

Note that this gives a different fingerprint from the one computed by ssh-keygen.
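
Why the openssl pipeline in Solution 5 prints a different fingerprint from ssh-keygen, as an added Python example (not from the original answer or from AWS): the same RSA numbers are hashed in two different encodings, DER SubjectPublicKeyInfo versus the SSH wire format. The key numbers are constructed and the helper names are illustrative.

```python
import hashlib

def read_fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return fields

def der(tag, content):
    """One DER tag-length-value element with definite length encoding."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def rsa_spki_der(ssh_blob):
    """Re-encode an ssh-rsa blob as the DER that `openssl pkey -pubout` emits."""
    key_type, e, n = read_fields(ssh_blob)
    if key_type != b"ssh-rsa":
        raise ValueError("only ssh-rsa is handled here")
    # SSH mpint and DER INTEGER use the same big-endian two's-complement bytes.
    rsa_key = der(0x30, der(0x02, n) + der(0x02, e))
    # AlgorithmIdentifier: OID rsaEncryption (1.2.840.113549.1.1.1) + NULL.
    alg = der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
    return der(0x30, alg + der(0x03, b"\x00" + rsa_key))

def md5_colon(data):
    h = hashlib.md5(data).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, 32, 2))

def ssh_field(x):
    if isinstance(x, int):  # mpint: minimal bytes, leading 0 if top bit set
        x = x.to_bytes(x.bit_length() // 8 + 1, "big")
    return len(x).to_bytes(4, "big") + x

# Constructed numbers with the shape of a 2048-bit key; not a usable modulus.
N, E = (1 << 2047) | 1, 65537
SSH_BLOB = ssh_field(b"ssh-rsa") + ssh_field(E) + ssh_field(N)
SPKI = rsa_spki_der(SSH_BLOB)

if __name__ == "__main__":
    print("ssh-keygen -E md5 style:", md5_colon(SSH_BLOB))
    print("openssl DER md5 style:  ", md5_colon(SPKI))
```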

Author by

Zakoff

Updated on August 14, 2022

Comments

  • Zakoff
    Zakoff almost 2 years

    I need to do the SSH key audit for GitHub, but I am not sure how to find my RSA key fingerprint. I originally followed a guide to generate an SSH key on Linux.

    What is the command I need to enter to find my current RSA key fingerprint?

  • pal4life
    pal4life over 12 years
    How do I find what is the path?
  • Andrew Barber
    Andrew Barber over 11 years
    User wasn't looking for a third-party website, but a command line from the OS itself.
  • Sheharyar
    Sheharyar almost 11 years
    Also, if you simply want the public key, run: cat ~/.ssh/id_rsa.pub
  • rogerdpack
    rogerdpack almost 11 years
    If you're not on Ubuntu you might get this unfortunately "Could not open a connection to your authentication agent."
  • Mikael Call
    Mikael Call over 10 years
    Since your example hex fingerprint is 32 digits I believe it would be an MD5 fingerprint, correct? As opposed to a 40 digit fingerprint, which would indicate SHA1
  • Zorawar
    Zorawar over 10 years
    On non-Ubuntu systems the relevant file may be in /etc/ssh, e.g. /etc/ssh/ssh_host_rsa_key.pub
  • Rufflewind
    Rufflewind over 9 years
    This only works if you have the authentication agent running.
  • Jay Killeen
    Jay Killeen over 9 years
    Copy the long version (what you give to Github or Digital Ocean etc) to xclip with xclip -sel clip < ~/.ssh/id_rsa.pub. If you don't have xclip do sudo apt-get install xclip first
  • Albertas Agejevas
    Albertas Agejevas about 9 years
    The first paragraph is untrue, ssh-add -l and ssh-keygen -l return the same fingerprint for a given keypair. Also, it should be a lowercase -l, not uppercase.
  • Wirawan Purwanto
    Wirawan Purwanto about 9 years
    I don't contest that ssh-add -l and ssh-keygen -l return the same fingerprint for a given keypair. But I don't understand what was wrong with my original statements on first paragraph. I added a sentence to clarify.
  • Albertas Agejevas
    Albertas Agejevas about 9 years
    It's just simpler to point ssh-keygen to a key, rather than start the agent, then load the key, then get the fingerprint.
  • Basil Bourque
    Basil Bourque about 9 years
    FYI, on Mac OS X (Snow Leopard): ssh-keygen -lf /private/etc/ssh_host_rsa_key.pub.
  • Parthian Shot
    Parthian Shot almost 9 years
    Worth noting that the fingerprint should be the same for both keys in a public / private keypair; so the fingerprint of .ssh/id_rsa should be the same as the one for .ssh/id_rsa.pub. So, you can use either one (and, if you're like me and love tab-completion, it makes the job take 2 fewer keystrokes. Efficiency!).
  • Parthian Shot
    Parthian Shot almost 9 years
    So, it's basically the convergence plugin, except for SSH instead of SSL, and with only one (somewhat iffy) notary. That sound about right?
  • Reece
    Reece over 8 years
    If you're comparing against fingerprints listed in the AWS console, this will save you time... serverfault.com/questions/603982/…
  • Jonathan Y.
    Jonathan Y. over 8 years
    It's worth mentioning here that you can tell ssh to show you the server's old MD5 fingerprint using ssh -o FingerprintHash=md5 example.org, as mentioned in this answer. (I was just searching for that, and this answer led me to that one, so I figure others might have a similar experience.)
  • Richard Kenneth Niescior
    Richard Kenneth Niescior over 8 years
    To get the authentication agent running you can use ssh-agent bash and proceed with life. In life as always; ssh-agent isn't guaranteed as a consistent implementation on all systems.
  • David Tonhofer
    David Tonhofer about 8 years
    If you have the private key only, you do not necessarily need to run ssh-agent. Assuming PRIVKEY has been set to the private key file, and PUBKEY has been set to the (initially nonexistent) public key file, do: ssh-keygen -y -f "${PRIVKEY}" > "${PUBKEY}" to regenerate the SSH public key, then ssh-keygen -E md5 -l -v -f "${PUBKEY}" if you want the MD5 hash or just ssh-keygen -l -v -f "${PUBKEY}" if you want the SHA-256 hash (SHA-256 being the default now).
  • Pacerier
    Pacerier almost 8 years
    @Zorawar, even ubuntu now is /etc/ssh/ssh_host_rsa_key.pub
  • AnneTheAgile
    AnneTheAgile almost 8 years
    Another tip for linux; The option -F (dump fingerprint) of ssh-keygen-g3 will display the fingerprint of the key: $ ssh-keygen-g3 -F /path/to/keyfile.pub answers.ssh.com/questions/494/…
  • hamx0r
    hamx0r over 7 years
    This answer is most helpful for those wishing to compare their keys with what github.com shows (ie the MD5 formatted in hex)
  • pjcard
    pjcard over 7 years
    Also very helpful for comparing against what putty will report.
  • Jmons
    Jmons about 7 years
    Thank you. Sometimes us Linux people forget about windows, especially as the OP mentioned putty.
  • Philipp
    Philipp almost 7 years
    You can also just type ssh-keygen -l. It will then ask you for the file and will suggest your public key if present. This way you don't need to type the path yourself.
  • Gabriel Staples
    Gabriel Staples almost 7 years
    The command you gave to "Find most public on a Linux/Unix/OSX system" was super helpful! My rsa key on a Raspberry Pi for instance is found in: /etc/ssh/ssh_host_rsa_key.pub
  • evanjs
    evanjs over 6 years
    Needed a quicker way to match my keys against those on my GitHub account and this answer helped me do just that.
  • XavierStuvw
    XavierStuvw almost 6 years
    +1 for the simplest answer. From man ssh-add the option -l is " Lists fingerprints of all identities currently represented by the agent"
  • lordcheeto
    lordcheeto over 5 years
    I installed openssh, then attempted to connect to the server using putty. It's presenting an ssh-ed25519 256 key fingerprint, but I'm getting the "no identities" message. Do you know where this key could be found and listed? Is there a downside to using this key, vs generating a new RSA key?
  • lordcheeto
    lordcheeto over 5 years
    Found it under /etc/ssh/ssh_host_ed25519_key.pub. Second part of the question remains: any downside to using this auto generated key?
  • Gert van den Berg
    Gert van den Berg about 5 years
    The OP seems to know where to find their keys (This is not it, ~/.ssh/id*.pub is) and want to get their fingerprints.
  • Michu93
    Michu93 over 4 years
    @DmitriR117 why did you paint black public key as it can be known to the whole world?
  • aderchox
    aderchox almost 4 years
    Currently GitHub shows the former format. By the way, in my case the SHA256 generated on my local key doesn't match with that one sent by GitHub! Is that an MITM? Even if I know it is, what am I supposed to do about it?
  • David Z
    David Z over 3 years
    I think it'd be important to mention that this doesn't compute the same fingerprint that ssh-keygen would.
  • David Z
    David Z over 3 years
    Thanks, done. Tweak it if you like, of course. I'll probably flag these comments for deletion after a while.
  • Dmitri R117
    Dmitri R117 about 3 years
    I guess there's always been a little bit of...Paranoia :) What if the quants can use it against me one day?!
  • Ali
    Ali about 2 years
    I was looking for this, because in Centos 7 and Centos 8 the defaults are different!