how is the sha fingerprint generated?

Damien Miller djm at mindrot.org
Wed Jul 1 14:03:42 AEST 2015


On Tue, 30 Jun 2015, shawn wilson wrote:

> % cat ext_rsa.pub| sed -r 's/.*(AAAA[^ ]+).*/\1/' | sha256sum
> 
>   ~/.ssh swlap1
> d4bf8b06f2d9d9af7a11583a5367205ed310a84f0dee68d062e2ddca1e85c3ff  -
>  % ssh-keygen -lf ext_rsa.pub
> 
>    ~/.ssh swlap1
> 8192 SHA256:FgrfxmdjTM/j4wwRa7nVdPSUaJdqHYMJtJ6aciPl9ug swilson at swlap1 (RSA)
> 
> Why do those differ and how would I generate the equivalent (mainly
> just curious)? I've also tried base64 and a few other substitutions at
> the end and I can't get them to match (probably would save time to
> just look at the code, but...).

It's a hash over the decoded contents of the second field of the
public key line. In Python:

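import base64
import hashlib

# Read the public key line: "<type> <base64 blob> [comment]"
with open("/tmp/r.pub") as f:
    keytext = f.read()
keydata = keytext.split()[1]            # second field: base64-encoded key blob
decoded = base64.b64decode(keydata)     # raw key blob
rawhash = hashlib.sha256(decoded).digest()
# ssh-keygen prints this value without the trailing "=" padding
texthash = base64.b64encode(rawhash).decode("ascii")
print(texthash)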
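
Added example, not part of the original post or of OpenSSH: it goes beyond the reply above by producing the exact "SHA256:" string that ssh-keygen -l prints (base64 with the padding stripped), the older colon-separated MD5 form, and a check that the key type embedded in the blob matches the first field. The function names, the sample key and the "user@example" comment are constructed for illustration.

```python
import base64
import hashlib
import struct


def parse_pubkey_line(line):
    """Return (key_type, blob) from an OpenSSH public key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    # The blob begins with an SSH string: uint32 length + key type name.
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type in blob does not match first field")
    return key_type, blob


def fingerprint_sha256(line):
    """SHA256:<unpadded base64>, the form ssh-keygen -l prints."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(line):
    """MD5:<colon-separated hex>, the older form (ssh-keygen -E md5)."""
    _, blob = parse_pubkey_line(line)
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def make_sample_line():
    """Constructed sample: an ssh-ed25519 blob with a made-up 32-byte key."""
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " user@example"


if __name__ == "__main__":
    line = make_sample_line()
    print(fingerprint_sha256(line))
    print(fingerprint_md5(line))
    # Hashing the base64 text instead of the decoded blob gives an unrelated value.
    print(hashlib.sha256(line.split()[1].encode()).hexdigest())
```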



