Feature request: simple command to display active SSH host key fingerprints

Damien Miller djm at mindrot.org
Mon Jul 6 22:20:39 AEST 2026



On Mon, 6 Jul 2026, Robert Reder via openssh-unix-dev wrote:

> Hello,
> 
> I would like to suggest a small usability improvement for OpenSSH.
> 
> When users want to verify a server's host key fingerprint, they currently need
> to know which host key type is being used (ED25519, ECDSA, RSA, etc.) and
> manually inspect the corresponding files, often using commands such as:
> 
> ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub
> 
> or shell loops over multiple host key files.

cat /etc/ssh/ssh_host_*_key.pub | ssh-keygen -lf -

or

ssh-keyscan server.example.org | ssh-keygen -lf -

> In practice, this can be confusing, especially because SSH clients may present
> a fingerprint for a different host key type than the one the administrator
> checks first.

Selection of host key algorithms is controlled by the client, based on
the HostkeyAlgorithms and which keys have already been learned for the
server. There's no canonical ordering from the server that matters.



More information about the openssh-unix-dev mailing list