91

My laptop has a well-populated ~/.ssh/known_hosts file. I'd like to leverage that when connecting to remote hosts from my desktop, since tracking down the fingerprints can be a real chore. However, I can't seem to find a way to ask ssh-keygen or ssh-keyscan to tell me the locally-known fingerprint for known hosts. Any ideas?

Sirex
  • 11,060
Tim has moved to Codidact
  • 1,013

1 Answers1

120

Try this command:

% ssh-keygen -l -f ~/.ssh/known_hosts

2048 c2:e7:c0:9f:cd:c8:54:88:ac:b3:6b:a6:51:73:2b:e3 mach1,192.168.1.3 (RSA)
2048 a2:5e:8c:4e:2e:be:be:eb:23:12:5e:fe:6c:4b:23:dd mach2,192.168.1.1 (RSA)
1024 ae:5f:bc:e3:33:c3:dd:45:1e:18:1a:46:d1:d6:d2:39 mach3,192.168.1.6 (RSA)
...
...

just want a single host:

% ssh-keygen -l -f ~/.ssh/known_hosts -F mach1
2048 c2:e7:c0:9f:cd:c8:54:88:ac:b3:6b:a6:51:73:2b:e3 mach1 (RSA)

Resources

http://www.gossamer-threads.com/lists/openssh/users/49503

slm
  • 10,249
  • 9
    Thanks! I didn't know you could use -l with a known_hosts file.

    Here's a version that even better addresses my question: ssh-keygen -l -f ~/.ssh/known_hosts -F example.com

     – Tim has moved to Codidact Jan 21 '13 at 02:10
  • Glad it helped. 2 heads are better than one 8-). – slm Jan 21 '13 at 02:14
  • 5
    Incidentally, the reason -F is important for me is that whatever version of SSH I have installed has hashed all the hostnames in the known_hosts file. I can't just grep for the line I want. (This is a useful security measure if someone ever gets my private key -- they're less likely to figure out what machines it can get them into.) – Tim has moved to Codidact Jan 24 '13 at 23:05
  • 15
    It is worth noting that recent versions of openssh default to a SHA256 hash. To get the older md5 hash, use the -E md5 option. – a172 Sep 08 '15 at 15:08
  • 4
    And if a non-standard port is used: [example.com]:1234 – Tim has moved to Codidact May 07 '16 at 21:04
  • 1
    Another +1. This is something I've been looking for "how do you check fingerprint of a remote ssh server on the client machine"..... or "how does ssh client know the remote server's fingerprint has changed" – CppLearner Nov 28 '17 at 19:14
  • 4
    To get host key fingerprints for an SSH server (replace example IP with your server's IP or hostname): ssh-keyscan 123.123.12.34 | ssh-keygen -l -f - – TrinitronX Feb 14 '18 at 01:24