
SSH - verify used local and server key fingerprints (Windows - Linux connection verification)

Created by: Imaan-Morin

In this short article, we show how to verify that the SSH keys used locally match the keys stored on the Linux server, using ssh-keygen under Bash.

Note: the examples below use the SHA-256 algorithm by default; to change it, add the -E md5 or -E sha1 parameter.

Simple steps:

  1. Run the following command locally on your PC (with Windows):
    ssh-keygen.exe -l -f ~/.ssh/known_hosts
    
    # or:
    
    ssh-keygen.exe -l -f /c/Users/my_user_directory/.ssh/known_hosts

    Example output:

    256 SHA256:rk8GxMsKnFLTXd1VW57up4wQqqn5qbfDaIeO27ks3jv 192.168.1.70 (ED25519)
    2048 SHA256:sihm43JhFtQ+p1XTUpsQfzt2v2ViJcEwGZpDf8Pslb5 192.168.1.70 (RSA)
    256 SHA256:nwbsQERIVVgN3p2Rp+KF+SxLnECe+3bcDCsQvLwf/Ih 192.168.1.70 (ECDSA)
  2. Run the following commands on your server (with Linux):
    ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub
    ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
    ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub

    Example outputs:

    256 SHA256:rk8GxMsKnFLTXd1VW57up4wQqqn5qbfDaIeO27ks3jv 192.168.1.70 (ED25519)
    2048 SHA256:sihm43JhFtQ+p1XTUpsQfzt2v2ViJcEwGZpDf8Pslb5 192.168.1.70 (RSA)
    256 SHA256:nwbsQERIVVgN3p2Rp+KF+SxLnECe+3bcDCsQvLwf/Ih 192.168.1.70 (ECDSA)
  3. Compare the SHA256 fingerprints.
    If the fingerprints differ, that indicates a security issue, and you should check whether a man-in-the-middle attack is in use.
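
The comparison in step 3 can be scripted. The Python sketch below is an added example, not part of the original article: it derives the SHA256 fingerprint the way `ssh-keygen -l` prints it (SHA-256 over the decoded key blob, base64 without padding) and checks known_hosts entries against the server's public key lines. The function names and the constructed sample key are assumptions, and it assumes unhashed host names in known_hosts.

```python
import base64, hashlib, struct

def fingerprint(blob_b64):
    """Fingerprint as printed by `ssh-keygen -l`: SHA-256 of the raw key blob,
    base64-encoded with the trailing '=' padding removed."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def known_hosts_keys(text, host):
    """Map key type -> fingerprint for plain (unhashed) entries naming `host`."""
    keys = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments and marker lines (@cert-authority, @revoked).
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        if host in fields[0].split(","):
            keys[fields[1]] = fingerprint(fields[2])
    return keys

def compare(known_hosts_text, host, server_pub_lines):
    """Check each server *.pub line ('type blob [comment]') against known_hosts."""
    local = known_hosts_keys(known_hosts_text, host)
    result = {}
    for pub in server_pub_lines:
        keytype, blob = pub.split()[:2]
        if keytype not in local:
            result[keytype] = "not in known_hosts"
        elif local[keytype] == fingerprint(blob):
            result[keytype] = "match"
        else:
            result[keytype] = "MISMATCH"
    return result

def sample_blob(seed):
    """Constructed ssh-ed25519 key blob for the demo (not a real host key)."""
    name, key = b"ssh-ed25519", hashlib.sha256(seed).digest()
    raw = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return base64.b64encode(raw).decode()

if __name__ == "__main__":
    server = sample_blob(b"server")
    known = "192.168.1.70 ssh-ed25519 " + server + "\n"
    print(compare(known, "192.168.1.70", ["ssh-ed25519 " + server + " root@server"]))
    other = sample_blob(b"other")  # a different key answering for the same host
    print(compare(known, "192.168.1.70", ["ssh-ed25519 " + other + " root@server"]))
```

A "MISMATCH" result corresponds to the differing-fingerprint case described in step 3; "not in known_hosts" means the client has never recorded that key type for the host.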

 

See also

  1. Bash - print fingerprints for SSHD keys (md5, sha-1, sha-256 fingerprints)
