changeset 2538:1f827ee55f7c default tip

list fingerprints of the server pub keys
author Oleksandr Gavenko <>
date Sun, 03 Jul 2022 12:49:17 +0300
parents a222347b6993
files ssh.rst
diffstat 1 files changed, 27 insertions(+), 4 deletions(-)
--- a/ssh.rst	Fri Jun 17 21:48:15 2022 +0300
+++ b/ssh.rst	Sun Jul 03 12:49:17 2022 +0300
@@ -36,6 +36,7 @@
 Show fingerprint::
   ssh-keygen -l -f ~/.ssh/id_dsa
+  ssh-keygen -E md5 -l -f ~/.ssh/id_dsa
 Change passphrase of priv key::
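Review bot: the added `ssh-keygen -E md5 -l -f ~/.ssh/id_dsa` line sits under "Show fingerprint::" with nothing to say how it differs from the command above it. A trailing comment in the style this file already uses (compare `# alternative to previous command` further down) would tell the reader that `-E md5` only selects the hash used to display the fingerprint, and when that form is wanted instead of the default output.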
@@ -52,8 +53,30 @@
   $ ssh-copy-id  $user@$host         # alternative to previous command
-To remove ``known_hosts`` key (usually need if you change server pubkey or
-change server)::
+Dealing with server pubkeys
+Each SSH server keeps a single priv key, sharing a common pub key with all clients. It is an
+identity of the server and upon a new connection you are asked to trust this pub key. After
+accepting the pub key it is written to ``~/.ssh/known_hosts``.
+To list advertized pub keys by a server (``-H`` is host hashing/hiding host name)::
+  ssh-keyscan $HOST
+  ssh-keyscan -H $HOST
+To list fingerprints of the server pub keys::
+  ssh-keygen -lf <(ssh-keyscan $HOST 2>/dev/null)
+To ensure MD5 output format (which is usually displayed with vast majority of existing SSH
+  ssh-keygen -E md5 -lf <(ssh-keyscan $HOST 2>/dev/null)
+To remove ``known_hosts`` key (it is usually needed if you change a server pubkey or change a
   $ ssh-keygen -R hostname
   $ ssh-keygen -R hostname -f ~/.ssh/known_hosts
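Review bot: the two `ssh-keygen -lf <(ssh-keyscan $HOST 2>/dev/null)` recipes print whatever keys the network path returns, so the fingerprints they show cannot by themselves justify accepting the trust prompt described in the first paragraph. The section should say that this output has to be compared with a fingerprint obtained from the server over a trusted channel, for example by running `ssh-keygen -l -f` on the server's own host key file. Two smaller points in the same hunk: "Each SSH server keeps a single priv key" disagrees with the plural "pub keys" in the following paragraphs (a server normally has one host key per key type, which is why `ssh-keyscan` lists several), and `<(...)` is bash/zsh process substitution, which is worth stating since the surrounding examples are otherwise shell-neutral. "advertized" should read "advertised".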
@@ -64,8 +87,8 @@
   ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@host
-Shell login.
+Shell login
   $ ssh $user@$host