Feature request: simple command to display active SSH host key fingerprints
Robert Reder
r.reder at gmx.at
Mon Jul 6 16:17:52 AEST 2026
Hello,
I would like to suggest a small usability improvement for OpenSSH.
When users want to verify a server's host key fingerprint, they
currently need to know which host key type is being used (ED25519,
ECDSA, RSA, etc.) and manually inspect the corresponding files, often
using commands such as:
ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub
or shell loops over multiple host key files.
In practice, this can be confusing, especially because SSH clients may
present a fingerprint for a different host key type than the one the
administrator checks first.
Would it be possible to provide a built-in command such as:
sshd --show-fingerprints
or similar, which would display all active host key fingerprints used by
the running sshd configuration?
Example output:
ED25519 SHA256:...
ECDSA SHA256:...
RSA SHA256:...
This would make host key verification easier, reduce user confusion, and
encourage more administrators to actually verify host fingerprints
instead of accepting them blindly.
Thank you for considering the idea.
Best regards
Robert Reder
More information about the openssh-unix-dev
mailing list