how is the sha fingerprint generated?
Emmanuel Vadot
elbarto at bocal.org
Wed Jul 1 00:41:43 AEST 2015
You really don't need openssl for that.
And the fingerprints are simple.
Here is a Python script that does the same as ssh-keygen
-fl /path/to/key:
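#!/usr/bin/env python3
# Usage: script.py <base64 key blob> <md5|sha256>
import binascii
import hashlib
import sys

if __name__ == "__main__":
    # Decode the base64 field of the public key line into the raw key blob
    key = binascii.a2b_base64(sys.argv[1])
    if sys.argv[2] == "md5":
        m = hashlib.new("md5")
        m.update(key)
        # Hex digest of the raw blob
        print(m.hexdigest())
    elif sys.argv[2] == "sha256":
        m = hashlib.new("sha256")
        m.update(key)
        # Base64 of the digest, with the trailing newline removed
        print(binascii.b2a_base64(m.digest()).decode("utf8")[0:-1])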
Do use it in production, do some tests, but the general idea is there.
Cheers,
On Tue, 30 Jun 2015 16:12:03 +0200
Johannes Löthberg <johannes at kyriasis.com> wrote:
> On 30/06, Johannes Löthberg wrote:
> >On 30/06, shawn wilson wrote:
> >>% cat ext_rsa.pub| sed -r 's/.*(AAAA[^ ]+).*/\1/' | sha256sum
> >>
> >> ~/.ssh swlap1
> >>d4bf8b06f2d9d9af7a11583a5367205ed310a84f0dee68d062e2ddca1e85c3ff -
> >>% ssh-keygen -lf ext_rsa.pub
> >>
> >> ~/.ssh swlap1
> >>8192 SHA256:FgrfxmdjTM/j4wwRa7nVdPSUaJdqHYMJtJ6aciPl9ug swilson at swlap1 (RSA)
> >>
> >>Why do those differ and how would I generate the equivalent (mainly
> >>just curious)? I've also tried base64 and a few other substitutions at
> >>the end and I can't get them to match (probably would save time to
> >>just look at the code, but...).
> >
> >It's not simply a checksum of the key file. You need to extract the
> >exponent and prime from the public key, then append those to a
> >specific string of bits, then get a SHA256 digest of that, and then
> >base64 encode that.
> >
> >https://github.com/kyrias/bin/blob/master/ssh-gen-fprint has an
> >example implementation of `ssh-keygen -lf` in Ruby.
> >
>
> Oh, and support for ECC keys isn't implemented because OpenSSL doesn't
> support it yet. :/
>
> --
> Sincerely,
> Johannes Löthberg
> PGP Key ID: 0x50FB9B273A9D0BB5
> https://theos.kyriasis.com/~kyrias/
--
Emmanuel Vadot <elbarto at bocal.org>
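
An added example, not part of the original message or of OpenSSH: it takes a whole public key line rather than the bare base64 field, checks that the blob's embedded type string matches the declared key type, and formats the digests as `ssh-keygen -l` prints them, next to the hash of the base64 text that the `sha256sum` pipeline in the question produced. The function names and the sample key (32 placeholder bytes, not a real key) are constructed for illustration.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line: str):
    """Return (key_type, blob) from '[options] type base64 [comment]'."""
    fields = line.split()
    for key_type, b64 in zip(fields, fields[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        # The blob repeats the key type as its first string; require a match.
        if blob.startswith(ssh_string(key_type.encode())):
            return key_type, blob
    raise ValueError("no base64 blob matching its declared key type")


def fingerprint(blob: bytes, algo: str = "sha256") -> str:
    """Hash the decoded blob and format the digest as ssh-keygen -l does."""
    if algo not in ("md5", "sha256"):
        raise ValueError("unsupported hash: " + algo)
    digest = hashlib.new(algo, blob).digest()
    if algo == "md5":
        return "MD5:" + ":".join(f"{b:02x}" for b in digest)
    # SHA-256 is shown as base64 with the trailing '=' padding removed.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_of_base64_text(b64: str) -> str:
    """What `... | sha256sum` in the question hashed: the text, not the bytes."""
    return hashlib.sha256((b64 + "\n").encode()).hexdigest()


# Constructed sample: an ssh-ed25519 blob built from 32 placeholder bytes.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_LINE = f"no-pty ssh-ed25519 {SAMPLE_B64} user@example"

if __name__ == "__main__":
    key_type, blob = parse_pubkey_line(SAMPLE_LINE)
    print(key_type, fingerprint(blob), fingerprint(blob, "md5"))
    print("sha256sum of the base64 text:", hash_of_base64_text(SAMPLE_B64))
```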