--- a/ssh.rst Fri Jun 17 21:48:15 2022 +0300
+++ b/ssh.rst Sun Jul 03 12:49:17 2022 +0300
@@ -36,6 +36,7 @@
Show fingerprint::
ssh-keygen -l -f ~/.ssh/id_dsa
+ ssh-keygen -E md5 -l -f ~/.ssh/id_dsa
Change passphrase of priv key::
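Review bot: The added ``ssh-keygen -E md5 -l -f ~/.ssh/id_dsa`` line under "Show fingerprint::" carries no explanation of how it differs from the command directly above it. A reader sees two near-identical commands and has to know already that ``-E md5`` selects the MD5 fingerprint format. Suggest a one-line sentence or trailing comment stating that the first command prints the default format and the second forces MD5, consistent with the wording this patch uses in "Dealing with server pubkeys".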
@@ -52,8 +53,30 @@
$ ssh-copy-id $user@$host # alternative to previous command
-To remove ``known_hosts`` key (usually need if you change server pubkey or
-change server)::
+
+Dealing with server pubkeys
+===========================
+
+Each SSH server keeps a single priv key, sharing a common pub key with all clients. It is an
+identity of the server and upon a new connection you are asked to trust this pub key. After
+accepting the pub key it is written to ``~/.ssh/known_hosts``.
+
+To list advertized pub keys by a server (``-H`` is host hashing/hiding host name)::
+
+ ssh-keyscan $HOST
+ ssh-keyscan -H $HOST
+
+To list fingerprints of the server pub keys::
+
+ ssh-keygen -lf <(ssh-keyscan $HOST 2>/dev/null)
+
+To ensure MD5 output format (which is usually displayed with vast majority of existing SSH
+clients)::
+
+ ssh-keygen -E md5 -lf <(ssh-keyscan $HOST 2>/dev/null)
+
+To remove ``known_hosts`` key (it is usually needed if you change a server pubkey or change a
+server)::
$ ssh-keygen -R hostname
$ ssh-keygen -R hostname -f ~/.ssh/known_hosts
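Review bot: The "To list fingerprints of the server pub keys" step derives fingerprints from ``ssh-keyscan $HOST`` output, but the text does not say that those keys arrive over the same unauthenticated network path as the connection being verified, so a fingerprint produced this way confirms nothing on its own. Suggest adding a sentence that the result must be compared with a fingerprint obtained through a trusted channel (for example, read from the host key file on the server itself with ``ssh-keygen -lf``) before the key is accepted into ``~/.ssh/known_hosts``. Two smaller points in the same hunk: "Each SSH server keeps a single priv key" conflicts with the plural "server pub keys" used two paragraphs later and should say the server has a host key pair per key type; and the ``<(...)`` process substitution needs bash or a compatible shell, which is worth stating next to the command. Spelling: "advertized" should be "advertised", and "with vast majority" should be "by the vast majority".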
@@ -64,8 +87,8 @@
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@host
-Shell login.
-============
+Shell login
+===========
::
$ ssh $user@$host