Find SSH Host Key Fingerprint in Linux

In Linux, getting the SSH host key fingerprint is crucial for verifying the identity of an SSH server before establishing a connection. Here are the methods to retrieve the host fingerprint:

Method 1: Using ssh-keygen

Local Server

To find the fingerprint of a local SSH server’s host key, use:

ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
    • The -l option displays the fingerprint.
    • The -f option specifies the key file.
    • /etc/ssh/ssh_host_rsa_key.pub is the default path for the public key file of the SSH server.

3072 SHA256:q0WFctlFbpSL2DHEPqDjCmanxpqYQBjC9jY8Cq1J5ZA no comment (RSA)

What each part means:

  • 3072 → The key length in bits — this is a 3072-bit RSA key, which is strong and secure.
  • SHA256:q0WFctlFbpSL… → The SHA-256 fingerprint — a unique “digital fingerprint” of the key. You use this to confirm you’re connecting to the right server.
  • no comment → There’s no comment field in this key file. (Keys can include comments like a hostname or username, but this one doesn’t.)
  • (RSA) → The key type — in this case, an RSA host key.

Remote Server

For a remote SSH server’s fingerprint, combine ssh-keygen with ssh-keyscan:

ssh-keyscan hostname_or_IP | ssh-keygen -lf -
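  • ssh-keyscan retrieves the public key of the remote server.
  • The output is piped into ssh-keygen -lf - to compute and show the fingerprint.
  • ssh-keyscan does not authenticate the server, so treat these fingerprints as values to compare against one obtained over a trusted channel (such as the local method above).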

🔑 Command Breakdown

$ ssh-keyscan example.com | ssh-keygen -lf -
# example.com:22 SSH-2.0-OpenSSH_8.0
# example.com:22 SSH-2.0-OpenSSH_8.0
# example.com:22 SSH-2.0-OpenSSH_8.0
3072 SHA256:yO4uzmvTEDjzosjpROXME6Fjs0WBXYSTbK9pTGWJYl4 example.com (RSA)
256 SHA256:IXIXEuhs2cWfFpCmA4LUhMimFsC84jkZPFC95lSj3yo example.com (ECDSA)
256 SHA256:MKIYbEBoOnw2B/WKnckzeMqyPIY299ZwBknfkPsR3ms example.com (ED25519)
  1. ssh-keyscan example.com
    • Connects to example.com on port 22.
    • Fetches the server’s public SSH host keys (RSA, ECDSA, ED25519).
    • It does not log you in — it just grabs the keys.
  2. | (pipe)
    • Sends the output of ssh-keyscan directly into the next command.
  3. ssh-keygen -lf -
    • Reads the keys from standard input (-).
    • -l means “list fingerprints.”
    • -f specifies the file to read keys from (in this case, stdin).
    • Prints a fingerprint for each key in a human-readable format.

📄 Output Explained

# example.com:22 SSH-2.0-OpenSSH_8.0

  • This is just an informational line:
    • Host: example.com
    • Port: 22 (default SSH port)
    • SSH Server Version: OpenSSH_8.0

3072 SHA256:yO4uzmvTEDjzosjpROXME6Fjs0WBXYSTbK9pTGWJYl4 example.com (RSA)

  • 3072 → Key length (bits)
  • SHA256:… → Fingerprint (unique identifier for this key)
  • example.com → Host name
  • (RSA) → Key type (RSA host key)

256 SHA256:IXIXEuhs2cWfFpCmA4LUhMimFsC84jkZPFC95lSj3yo example.com (ECDSA)

  • Similar format as above, but this is the ECDSA key (256-bit).

256 SHA256:MKIYbEBoOnw2B/WKnckzeMqyPIY299ZwBknfkPsR3ms example.com (ED25519)

  • This is the ED25519 key (256-bit, modern and widely used).

Method 2: Directly When Connecting

During the first-time connection to an SSH server, the server’s public key fingerprint is displayed in the confirmation prompt. This allows for verification before proceeding with the connection.

1️⃣ You Connect to the Server

$ ssh user@example.com
The authenticity of host 'example.com (93.184.216.34)' can't be established.
RSA key fingerprint is SHA256:q0WFctlFbpSL2DHEPqDjCmanxpqYQBjC9jY8Cq1J5ZA.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

🔍 What’s happening here:

  • Your SSH client doesn’t have example.com in ~/.ssh/known_hosts.
  • It shows you the server’s RSA key fingerprint.
  • You must confirm that this fingerprint is legitimate before trusting the connection.

2️⃣ You Verify the Fingerprint on the Server

On the server, you run:

$ sudo ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
3072 SHA256:q0WFctlFbpSL2DHEPqDjCmanxpqYQBjC9jY8Cq1J5ZA no comment (RSA)

It matches!

  • The SHA256 fingerprint is exactly the same as what SSH showed during connection.
  • This means you are really talking to the correct server, not an attacker.

3️⃣ You Accept and Save the Key

Back on your local machine:

Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'example.com,93.184.216.34' (RSA) to the list of known hosts.

  • Now example.com is stored in ~/.ssh/known_hosts.
  • Future connections won’t prompt you again — unless the server key changes.

Important Considerations

  • Always ensure the fingerprint matches the expected fingerprint of the SSH server to prevent security risks like man-in-the-middle attacks.
  • SSH servers may use different key types (RSA, ECDSA, ED25519, etc.). Check the fingerprint for the specific type of key used for the connection.
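
As an added example (not part of the original article), this Python sketch shows how the SHA256 fingerprint is derived from the base64 key field of ssh-keyscan output and checks each key type against a pinned fingerprint. The sample keys are constructed, and the function names and the PINNED mapping are assumptions for illustration.

```python
import base64
import hashlib
import struct

def fingerprint(key_b64):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def blob_key_type(key_b64):
    """Key type recorded inside the blob (its first length-prefixed string)."""
    blob = base64.b64decode(key_b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")

def check_scan(scan_output, pinned):
    """Map each scanned key type to "match", "MISMATCH" or "unpinned"."""
    results = {}
    for line in scan_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):  # skip banner lines
            continue
        key_type, key_b64 = fields[1], fields[2]
        expected = pinned.get(key_type)
        if blob_key_type(key_b64) != key_type:
            results[key_type] = "MISMATCH"  # label disagrees with the blob
        elif expected is None:
            results[key_type] = "unpinned"  # no trusted value to compare with
        else:
            same = fingerprint(key_b64) == expected
            results[key_type] = "match" if same else "MISMATCH"
    return results

def constructed_ed25519(raw32):
    """Build a syntactically valid ssh-ed25519 blob from 32 constructed bytes."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + raw32
    return base64.b64encode(blob).decode()

# Constructed sample data, not real host keys.
GOOD = constructed_ed25519(bytes(range(32)))
OTHER = constructed_ed25519(bytes(range(1, 33)))
SCAN = f"# example.com:22 SSH-2.0-OpenSSH_8.0\nexample.com ssh-ed25519 {GOOD}\n"
# Assumption: in practice this value is read on the server with ssh-keygen -lf.
PINNED = {"ssh-ed25519": fingerprint(GOOD)}

if __name__ == "__main__":
    print(check_scan(SCAN, PINNED))
```

A key type reported as "unpinned" has no trusted value to compare against, so it should not be accepted on the strength of the scan alone.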

By using these methods, you can securely obtain and verify the SSH host key fingerprint, ensuring that your SSH connections are made to the correct servers.

David Cao