Feature request: simple command to display active SSH host key fingerprints

Robert Reder r.reder at gmx.at
Mon Jul 6 18:51:48 AEST 2026


sshd -T | awk '/^hostkey / {print $2}' | while read a; do ssh-keygen -l 
-f "$a"; done

Yes, somethinkg like a command with awk could help, but it should be 
simplified. Not everybody who uses SSH for save connetions is able to 
use awk scripting. As I mentioned it should be as simple as possible. 
Because otherwise ssh is not as easy and save as it should be. (From my 
point of view.)

BR Robert

Am 06.07.26 um 08:51 schrieb Brian Candler:
 > On 06/07/2026 07:17, Robert Reder via openssh-unix-dev wrote:
 >> Would it be possible to provide a built-in command such as:
 >>
 >> sshd --show-fingerprints
 >>
 >> or similar, which would display all active host key fingerprints 
used by the running sshd configuration?
 >>
 >> Example output:
 >>
 >> ED25519 SHA256:...
 >> ECDSA SHA256:...
 >> RSA SHA256:...
 >
 > Something like this?
 >
 > sshd -T | awk '/^hostkey / {print $2}' | while read a; do ssh-keygen 
-l -f "$a"; done

Am 06.07.26 um 08:17 schrieb Robert Reder:
> Hello,
> 
> I would like to suggest a small usability improvement for OpenSSH.
> 
> When users want to verify a server's host key fingerprint, they 
> currently need to know which host key type is being used (ED25519, 
> ECDSA, RSA, etc.) and manually inspect the corresponding files, often 
> using commands such as:
> 
> ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub
> 
> or shell loops over multiple host key files.
> 
> In practice, this can be confusing, especially because SSH clients may 
> present a fingerprint for a different host key type than the one the 
> administrator checks first.
> 
> Would it be possible to provide a built-in command such as:
> 
> sshd --show-fingerprints
> 
> or similar, which would display all active host key fingerprints used by 
> the running sshd configuration?
> 
> Example output:
> 
> ED25519 SHA256:...
> ECDSA SHA256:...
> RSA SHA256:...
> 
> This would make host key verification easier, reduce user confusion, and 
> encourage more administrators to actually verify host fingerprints 
> instead of accepting them blindly.
> 
> Thank you for considering the idea.
> 
> Best regards
> Robert Reder
> 



More information about the openssh-unix-dev mailing list