Feature request: simple command to display active SSH host key fingerprints

Robert Reder r.reder at gmx.at
Mon Jul 6 16:17:52 AEST 2026


Hello,

I would like to suggest a small usability improvement for OpenSSH.

When users want to verify a server's host key fingerprint, they 
currently need to know which host key type is being used (ED25519, 
ECDSA, RSA, etc.) and manually inspect the corresponding files, often 
using commands such as:

ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub

or shell loops over multiple host key files.

In practice, this can be confusing, especially because SSH clients may 
present a fingerprint for a different host key type than the one the 
administrator checks first.

Would it be possible to provide a built-in command such as:

sshd --show-fingerprints

or similar, which would display all active host key fingerprints used by 
the running sshd configuration?

Example output:

ED25519 SHA256:...
ECDSA SHA256:...
RSA SHA256:...

This would make host key verification easier, reduce user confusion, and 
encourage more administrators to actually verify host fingerprints 
instead of accepting them blindly.

Thank you for considering the idea.

Best regards
Robert Reder



More information about the openssh-unix-dev mailing list