
Find SSH Host Key Fingerprint in Linux

In Linux, getting the SSH host key fingerprint is crucial for verifying the identity of an SSH server before establishing a connection. Here are the methods to retrieve the host fingerprint:

Method 1: Using ssh-keygen

  • Local Server: To find the fingerprint of a local SSH server’s host key, use:
    ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
    • The -l option displays the fingerprint.
    • The -f option specifies the key file.
    • /etc/ssh/ssh_host_rsa_key.pub is the default path of the SSH server's RSA host public key file.
  • Remote Server: For a remote SSH server’s fingerprint, combine ssh-keygen with ssh-keyscan:
    ssh-keyscan hostname_or_IP | ssh-keygen -lf -
    • ssh-keyscan retrieves the public key of the remote server.
    • The output is piped into ssh-keygen -lf - to compute and show the fingerprint; the trailing - tells ssh-keygen to read the key from standard input.

Method 2: Directly When Connecting

During the first-time connection to an SSH server, the server’s public key fingerprint is displayed in the confirmation prompt. This allows for verification before proceeding with the connection.

Important Considerations:

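  • Always ensure the fingerprint matches the expected fingerprint of the SSH server to prevent security risks like man-in-the-middle attacks. The expected value should come from a source you trust, such as the output of Method 1 run on the server itself; a fingerprint fetched over the network with ssh-keyscan is only as trustworthy as that network path.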
  • SSH servers may use different key types (RSA, ECDSA, ED25519, etc.). Check the fingerprint for the specific type of key used for the connection.
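
The two checks above (fingerprint match and key type match) can be automated. The following is an added example, not part of the original article: it computes the SHA256 fingerprint the way ssh-keygen -l displays it (unpadded base64 of the SHA-256 of the decoded key blob) and compares it against a trusted value. The function names, the host server.example and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct


def parse_key_line(line):
    """Return (key_type, blob) from a .pub, known_hosts or ssh-keyscan line."""
    fields = line.split()
    # The key is the first "type base64" pair whose decoded blob starts with
    # a length-prefixed copy of the type name; host and comment fields fail this.
    for key_type, b64 in zip(fields, fields[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if len(blob) >= 4:
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] == key_type.encode():
                return key_type, blob
    raise ValueError("no SSH public key found in line")


def fingerprint(blob):
    """SHA256 fingerprint in the format ssh-keygen -l prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify(line, expected_fp, expected_type):
    """True only if both the key type and the fingerprint match."""
    key_type, blob = parse_key_line(line)
    return key_type == expected_type and fingerprint(blob) == expected_fp


def constructed_scan_line(host="server.example", first_byte=0):
    """Constructed sample in ssh-keyscan's output format (not a real key)."""
    key = bytes([first_byte]) + bytes(range(1, 32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


if __name__ == "__main__":
    good = constructed_scan_line()
    trusted_fp = fingerprint(parse_key_line(good)[1])  # stands in for Method 1 output
    print(trusted_fp)
    print(verify(good, trusted_fp, "ssh-ed25519"))  # same key as the trusted one
    print(verify(constructed_scan_line(first_byte=9), trusted_fp, "ssh-ed25519"))  # different key
```

In practice the line passed to verify would be one line of ssh-keyscan output, and the expected fingerprint would be the value recorded on the server with Method 1.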

By using these methods, you can securely obtain and verify the SSH host key fingerprint, ensuring that your SSH connections are made to the correct servers.

 
