how is the sha fingerprint generated?

Johannes Löthberg johannes at kyriasis.com
Wed Jul 1 00:12:03 AEST 2015


On 30/06, Johannes Löthberg wrote:
>On 30/06, shawn wilson wrote:
>>% cat ext_rsa.pub| sed -r 's/.*(AAAA[^ ]+).*/\1/' | sha256sum
>>
>> ~/.ssh swlap1
>>d4bf8b06f2d9d9af7a11583a5367205ed310a84f0dee68d062e2ddca1e85c3ff  -
>>% ssh-keygen -lf ext_rsa.pub
>>
>>  ~/.ssh swlap1
>>8192 SHA256:FgrfxmdjTM/j4wwRa7nVdPSUaJdqHYMJtJ6aciPl9ug swilson at swlap1 (RSA)
>>
>>Why do those differ and how would I generate the equivalent (mainly
>>just curious)? I've also tried base64 and a few other substitutions at
>>the end and I can't get them to match (probably would save time to
>>just look at the code, but...).
>
>It's not simply a checksum of the key file. You need to extract the 
>exponent and prime from the public key, then append those to a 
>specific string of bits, then get a SHA256 digest of that, and then 
>base64 encode that.
>
>https://github.com/kyrias/bin/blob/master/ssh-gen-fprint has an 
>example implementation of `ssh-keygen -lf` in Ruby.
>

Oh, and support for ECC keys isn't implemented because OpenSSL doesn't 
support it yet. :/

-- 
Sincerely,
  Johannes Löthberg
  PGP Key ID: 0x50FB9B273A9D0BB5
  https://theos.kyriasis.com/~kyrias/
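
An added example (not part of the original post, and not the linked ssh-gen-fprint script): it builds the RSA key blob from exponent and modulus in the SSH wire format, then computes the SHA256 fingerprint from the base64-decoded blob of a .pub line, checking that the declared key type matches the one inside the blob. The helper names and the sample key are constructed for illustration; the sample is not a usable key.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint' for a positive integer; a leading zero byte is
    added whenever the top bit of the first byte would otherwise be set."""
    return ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))

def rsa_blob(e: int, n: int) -> bytes:
    """Wire encoding of an RSA public key: type string, exponent, modulus."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def read_fields(blob: bytes) -> list:
    """Split a key blob into its length-prefixed fields, rejecting truncation."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if pos + length > len(blob):
            raise ValueError("field overruns the blob")
        fields.append(blob[pos:pos + length])
        pos += length
    return fields

def fingerprint(pub_line: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints, from one .pub line."""
    key_type, b64 = pub_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)  # hash the decoded bytes, not the text
    fields = read_fields(blob)
    if not fields or fields[0] != key_type.encode():
        raise ValueError("declared key type does not match the blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

# Constructed sample, not a real key: an arbitrary 64-bit odd number as "modulus".
SAMPLE_E, SAMPLE_N = 65537, 0xC0FFEE1234567891
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(rsa_blob(SAMPLE_E, SAMPLE_N)).decode() + " constructed@example"

if __name__ == "__main__":
    print(fingerprint(SAMPLE_LINE))
```

The sha256sum pipeline quoted above hashes the base64 text of the AAAA... field and prints hex, while this hashes the decoded bytes and prints unpadded base64, which is why the two outputs cannot match.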

More information about the openssh-unix-dev mailing list