Calculate RSA key fingerprint
Solution 1
Run the following command to retrieve the SHA256 fingerprint of your SSH key (-l
means "list" instead of create a new key, -f
means "filename"):
$ ssh-keygen -lf /path/to/ssh/key
So for example, on my machine the command I ran was (using RSA public key):
$ ssh-keygen -lf ~/.ssh/id_rsa.pub
2048 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff /Users/username/.ssh/id_rsa.pub (RSA)
To get the GitHub (MD5) fingerprint format with newer versions of ssh-keygen, run:
$ ssh-keygen -E md5 -lf <fileName>
Bonus information:
ssh-keygen -lf
also works on known_hosts
and authorized_keys
files.
To find most public keys on Linux/Unix/OS X systems, run
$ find /etc/ssh /home/*/.ssh /Users/*/.ssh -name '*.pub' -o -name 'authorized_keys' -o -name 'known_hosts'
(If you want to see inside other users' homedirs, you'll have to be root or sudo.)
The ssh-add -l
is very similar, but lists the fingerprints of keys added to your agent. (OS X users take note that magic passwordless SSH via Keychain is not the same as using ssh-agent.)
Solution 2
The newer SSH commands will list fingerprints as a SHA256 Key.
For example:
ssh-keygen -lf ~/.ssh/id_dsa.pub
1024 SHA256:19n6fkdz0qqmowiBy6XEaA87EuG/jgWUr44ZSBhJl6Y (DSA)
If you need to compare it against an old fingerprint you also need to specify to use the MD5 fingerprint hashing function.
ssh-keygen -E md5 -lf ~/.ssh/id_dsa.pub
2048 MD5:4d:5b:97:19:8c:fe:06:f0:29:e7:f5:96:77:cb:3c:71 (DSA)
Also available: -E sha1
Update... YES...yes... I know... DSA keys for SSH should no longer be used, the older RSA key or newer ecliptic keys should be used instead.
To those 'admins' that keep editing the command I used in the above. STOP CHANGING IT! You make the command and resulting output mis-match!
Solution 3
To see your key on Ubuntu, just enter the following command on your terminal:
ssh-add -l
You will get an output like this:
2568 0j:20:4b:88:a7:9t:wd:19:f0:d4:4y:9g:27:cf:97:23
yourName@ubuntu (RSA)
If however you get an error like; Could not open a connection to your authentication agent.
Then it means that ssh-agent is not running. You can start/run it with:
ssh-agent bash
(thanks to @Richard in the comments) and then re-run ssh-add -l
Solution 4
A key pair (the private and public keys) will have the same fingerprint; so in the case you can't remember which private key belong to which public key, find the match by comparing their fingerprints.
The most voted answer by Marvin Vinto provides the fingerprint of a public SSH key file. The fingerprint of the corresponding private SSH key can also be queried, but it requires a longer series of step, as shown below.
-
Load the SSH agent, if you haven't done so. The easiest way is to invoke
$ ssh-agent bash
or
$ ssh-agent tcsh
(or another shell you use).
-
Load the private key you want to test:
$ ssh-add /path/to/your-ssh-private-key
You will be asked to enter the passphrase if the key is password-protected.
-
Now, as others have said, type
$ ssh-add -l 1024 fd:bc:8a:81:58:8f:2c:78:86:a2:cf:02:40:7d:9d:3c you@yourhost (DSA)
fd:bc:...
is the fingerprint you are after. If there are multiple keys, multiple lines will be printed, and the last line contains the fingerprint of the last loaded key. If you want to stop the agent (i.e., if you invoked step 1 above), then simply type `exit' on the shell, and you'll be back on the shell prior to the loading of ssh agent.
I do not add new information, but hopefully this answer is clear to users of all levels.
Solution 5
Reproducing content from AWS forums here, because I found it useful to my use case - I wanted to check which of my keys matched ones I had imported into AWS
openssl pkey -in ~/.ssh/ec2/primary.pem -pubout -outform DER | openssl md5 -c
Where:
-
primary.pem
is the private key to check
Note that this gives a different fingerprint from the one computed by ssh-keygen
.
Zakoff
Updated on August 14, 2022Comments
-
Zakoff almost 2 years
I need to do the SSH key audit for GitHub, but I am not sure how do find my RSA key fingerprint. I originally followed a guide to generate an SSH key on Linux.
What is the command I need to enter to find my current RSA key fingerprint?
-
pal4life over 12 yearsHow do I find what is the path?
-
Andrew Barber over 11 yearsUser wasn't looking for a third-party website, but a command line from the OS itself.
-
Sheharyar almost 11 yearsAlso, if you simply want the public key, run:
cat ~/.ssh/id_rsa.pub
-
rogerdpack almost 11 yearsIf you're not on Ubuntu you might get this unfortunately "Could not open a connection to your authentication agent."
-
Mikael Call over 10 yearsSince your example hex fingerprint is 32 digits I believe it would be an MD5 fingerprint, correct? As opposed to a 40 digit fingerprint, which would indicate SHA1
-
Zorawar over 10 yearsOn non-Ubuntu systems the relevant file may be in /etc/ssh, e.g. /etc/ssh/ssh_host_rsa_key.pub
-
Rufflewind over 9 yearsThis only works if you have the authentication agent running.
-
Jay Killeen over 9 yearsCopy the long version (what you give to Github or Digital Ocean etc) to xclip with
xclip -sel clip < ~/.ssh/id_rsa.pub
. If you don't have xclip dosudo apt-get install xclip
first -
Albertas Agejevas about 9 yearsThe first paragraph is untrue,
ssh-add -l
andssh-keygen -l
return the same fingerprint for a given keypair. Also, it should be a lowercase-l
, not uppercase. -
Wirawan Purwanto about 9 yearsI don't contest that
ssh-add -l
andssh-keygen -l
return the same fingerprint for a given keypair. But I don't understand what was wrong with my original statements on first paragraph. I added a sentence to clarify. -
Albertas Agejevas about 9 yearsIt's just simper to point ssh-keygen to a key, rather than start the agent, then load the key, then get the fingerprint.
-
Basil Bourque about 9 yearsFYI, on Mac OS X (Snow Leopard):
ssh-keygen -lf /private/etc/ssh_host_rsa_key.pub
. -
Parthian Shot almost 9 yearsWorth noting that the fingerprint should be the same for both keys in a public / private keypair; so the fingerprint of
.ssh/id_rsa
should be the same as the one for.ssh/id_rsa.pub
. So, you can use either one (and, if you're like me and love tab-completion, it makes the job take 2 fewer keystrokes. Efficiency!). -
Parthian Shot almost 9 yearsSo, it's basically the convergence plugin, except for SSH instead of SSL, and with only one (somewhat iffy) notary. That sound about right?
-
Reece over 8 yearsIf you're comparing against fingerprints listed in the AWS console, this will save you time... serverfault.com/questions/603982/…
-
Jonathan Y. over 8 yearsIt's worth mentioning here that you can tell
ssh
to show you the server's old MD5 fingerprint usingssh -o FingerprintHash=md5 example.org
, as mentioned in this answer. (I was just searching for that, and this answer led me to that one, so I figure others might have a similar experience.) -
Richard Kenneth Niescior over 8 yearsTo get the authentication agent running you can use
ssh-agent bash
and proceed with life. In life as always;ssh-agent
isn't guaranteed as a consistent implementation on all systems. -
David Tonhofer about 8 yearsIf you have the private key only, you do not necessarily need to run
ssh-agent
. AssumingPRIVKEY
has been set to the private key file, andPUBKEY
has been set to the (initially nonexistent) public key file, do:ssh-keygen -y -f "${PRIVKEY}" > "${PUBKEY}"
to regenerate the SSH public key, thenssh-keygen -E md5 -l -v -f "${PUBKEY}"
if you want the MD5 hash or justssh-keygen -l -v -f "${PUBKEY}"
if you want the SHA-256 hash (SHA-256 being the default now). -
Pacerier almost 8 years@Zorawar, even ubuntu now is
/etc/ssh/ssh_host_rsa_key.pub
-
AnneTheAgile almost 8 yearsAnother tip for linux; The option -F (dump fingerprint) of ssh-keygen-g3 will display the fingerprint of the key: $ ssh-keygen-g3 -F /path/to/keyfile.pub answers.ssh.com/questions/494/…
-
hamx0r over 7 yearsThis answer is most helpful for those wishing to compare their keys with what github.com shows (ie the MD5 formatted in hex)
-
pjcard over 7 yearsAlso very helpful for what comparing against what putty will report.
-
Jmons about 7 yearsThank you, Sometimes us Linux people forget about windows, especially as the OP mentioned putty.
-
Philipp almost 7 yearsYou can also just type
ssh-keygen -l
. It will then ask you for the file and will suggest your public key if present. This way you don't need to type the path yourself. -
Gabriel Staples almost 7 yearsThe command you gave to "Find most public on a Linux/Unix/OSX system" was super helpful! My rsa key on a Raspberry Pi for instance is found in:
/etc/ssh/ssh_host_rsa_key.pub
-
evanjs over 6 yearsNeeded a quicker way to match my keys against those on my GitHub account and this answer helped me do just that.
-
XavierStuvw almost 6 years+1 for the simplest answer. From
man ssh-add
the option-l
is " Lists fingerprints of all identities currently represented by the agent" -
lordcheeto over 5 yearsI installed openssh, then attempted to connect to the server using putty. It's presenting an ssh-ed25519 256 key fingerprint, but I'm getting the "no identities" message. Do you know where this key could be found and listed? Is there a downside to using this key, vs generating a new RSA key?
-
lordcheeto over 5 yearsFound it under
/etc/ssh/ssh_host_ed25519_key.pub
. Second part of the question remains: any downside to using this auto generated key? -
Gert van den Berg about 5 yearsThe OP seems to know where to find their keys (This is not it,
~/.ssh/id*.pub
is) and want to get their fingerprints. -
Michu93 over 4 years@DmitriR117 why did you paint black public key as it can be known to the whole world?
-
aderchox almost 4 yearsCurrently GitHub shows the former format. By the way, in my case the SHA256 generated on my local key doesn't match with that one sent by GitHub! Is that an MITM? Even if I know it is, what am I supposed to do about it?
-
David Z over 3 yearsI think it'd be important to mention that this doesn't compute the same fingerprint that ssh-keygen would.
-
David Z over 3 yearsThanks, done. Tweak it if you like, of course. I'll probably flag these comments for deletion after a while.
-
Dmitri R117 about 3 yearsI guess there's always been a little bit of...Paranoia :) What if the quants can use it against me one day?!
-
Ali about 2 yearsI was looking for this, because in Centos 7 and Centos 8 the defaults are different!