Hello everyone,

we had the pubkey file of an SSH keypair damaged during the transfer to the
target system today, and a part of the resulting confusion resulted from the
fact that when you ask ssh-keygen to fingerprint the *priv*key, the output may
actually represent the *pub*key file's content instead. Reproduced on another
machine:

    $ ssh-keygen -t rsa -b 2048 -C foo -f orig
    $ cp orig priv
    $ ssh-keygen -l -f priv
    2048 SHA256:H6C194FiLbvQWXhhGbHcEeJrCPrIk2uI0cEs5fEHiy8 foo (RSA)

(No pubkey file -> data from the privkey.)

    $ sed -e 's/$/-bar/' orig.pub > priv.pub
    $ ssh-keygen -l -f priv
    2048 SHA256:H6C194FiLbvQWXhhGbHcEeJrCPrIk2uI0cEs5fEHiy8 foo-bar (RSA)

(*Changed* comment from the pubkey file.)

    $ sed -e 's/$/-bar/' -e 's/^s//' orig.pub > priv.pub
    $ ssh-keygen -l -f priv
    2048 SHA256:H6C194FiLbvQWXhhGbHcEeJrCPrIk2uI0cEs5fEHiy8 foo (RSA)

(*Broken* pubkey -> data from the privkey.)

    $ sed -e 's/$/-bar/' -e 's/0/1/' orig.pub > priv.pub
    $ ssh-keygen -l -f priv
    2048 SHA256:SYhgtUsy0c0zEj4avKjiiqd+FyTXQeA+Tzq9wIafnhU foo-bar (RSA)

(Pubkey with *some* flipped bits -> still gets accepted -> fingerprint and
comment from the pubkey file.)

    $ sed -e 's/$/-bar/' -e 's/[1-9]/0/g' orig.pub > priv.pub
    $ ssh-keygen -l -f priv
    2048 SHA256:H6C194FiLbvQWXhhGbHcEeJrCPrIk2uI0cEs5fEHiy8 foo (RSA)

(Pubkey with *major* modifications -> apparently found not to match the
privkey -> data from the privkey.)

    $ ssh -V
    OpenSSH_8.7p1, OpenSSL 1.1.1n  FIPS 15 Mar 2022

... is this behavior intentional?

Thanks in advance,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
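The practical check a reader of the post above would want is a way to tell whether a `.pub` file actually belongs to the private key next to it, independent of what `ssh-keygen -l -f priv` chooses to print. The script below is an added example, not part of Jochen Bern's post or of OpenSSH: it re-derives the public key from the private key with `ssh-keygen -y`, compares only the base64 key blob (the comment is not key material), and rebuilds the post's scenario in a scratch directory so the behaviour can be seen side by side. It assumes OpenSSH's `ssh-keygen` on `PATH` plus POSIX `sh`, `awk`, `cut`, `tr` and `mktemp`; the function names (`check_keypair`, `fingerprint_of_private`, `make_demo_keys`) and the scratch-file names are this example's own. It uses an ed25519 key rather than the RSA key in the post because the ed25519 public blob has a fixed layout, which makes the "some flipped bits, still parseable" case reproducible rather than dependent on which digit `sed` happens to hit.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenSSH): decide whether a
# .pub file really belongs to a private key by re-deriving the public key with
# "ssh-keygen -y" and comparing key blobs. "ssh-keygen -l -f priv" does not do
# this: it prefers any parseable priv.pub that sits beside priv.
# Assumes OpenSSH's ssh-keygen on PATH, POSIX sh, awk, cut, tr and mktemp.
set -u

# check_keypair PRIVKEY [PUBKEY]   (PUBKEY defaults to PRIVKEY.pub)
#   0: PUBKEY's key blob (field 2) matches the one derived from PRIVKEY
#   1: PUBKEY parses but does not match PRIVKEY (corrupted or foreign key)
#   2: PRIVKEY unreadable, or PUBKEY missing/empty
check_keypair() {
    priv=$1
    pub=${2:-$1.pub}
    derived=$(ssh-keygen -y -f "$priv" 2>/dev/null) || return 2
    [ -r "$pub" ] || return 2
    d_blob=$(printf '%s\n' "$derived" | awk '{print $2}')
    p_blob=$(awk 'NR==1{print $2}' "$pub")
    [ -n "$p_blob" ] || return 2
    # The comment (field 3) is not key material, so it is deliberately ignored.
    [ "$d_blob" = "$p_blob" ]
}

# fingerprint_of_private PRIVKEY: SHA256 fingerprint computed from the private
# key alone. The derived key is written to a lone temp file with no .pub in
# reach, so a damaged PRIVKEY.pub cannot influence the result.
fingerprint_of_private() {
    tmp=$(mktemp) || return 2
    ssh-keygen -y -f "$1" > "$tmp" 2>/dev/null || { rm -f "$tmp"; return 2; }
    ssh-keygen -l -f "$tmp" | awk '{print $2}'
    rm -f "$tmp"
}

# make_demo_keys: rebuild the post's scenario in a scratch dir and print it.
#   intact       : untouched private key + .pub
#   comment_only : .pub with a changed comment (still the right key)
#   flipped      : .pub whose key bytes were altered but which still parses
#   nopub        : private key with no .pub beside it
make_demo_keys() {
    dir=$(mktemp -d) || return 1
    ssh-keygen -q -t ed25519 -N '' -C foo -f "$dir/intact" || return 1
    for n in comment_only flipped nopub; do cp "$dir/intact" "$dir/$n"; done
    sed -e 's/$/-bar/' "$dir/intact.pub" > "$dir/comment_only.pub"
    # The ed25519 blob is 51 bytes = 68 base64 chars; chars 30 onward lie
    # inside the 32 key bytes, so rotating them keeps the type string and
    # length prefixes intact: a different but perfectly parseable key.
    blob=$(awk '{print $2}' "$dir/intact.pub")
    fixed=$(printf '%s' "$blob" | cut -c1-29)
    mutated=$(printf '%s' "$blob" | cut -c30- | tr 'A-Za-z0-9' 'B-ZAb-za1-90')
    printf 'ssh-ed25519 %s%s foo-bar\n' "$fixed" "$mutated" > "$dir/flipped.pub"
    printf '%s\n' "$dir"
}

# Usage: sh check_keypair.sh demo
# Prints, per case, what "ssh-keygen -l -f priv" reports, what the private
# key itself says, and the check_keypair verdict (0 match, 1 mismatch, 2 n/a).
if [ "${1:-}" = demo ]; then
    d=$(make_demo_keys)
    for n in intact comment_only flipped nopub; do
        rc=0; check_keypair "$d/$n" || rc=$?
        printf '%-12s ssh-keygen -l: %s  private key: %s  check: %s\n' "$n" \
            "$(ssh-keygen -l -f "$d/$n" | awk '{print $2}')" \
            "$(fingerprint_of_private "$d/$n")" "$rc"
    done
    rm -rf "$d"
fi
```

In the `flipped` case `check_keypair` returns 1 while `fingerprint_of_private` still yields the real fingerprint, which is the comparison a transfer script should make before trusting a copied `.pub`: a non-zero return from `check_keypair` on a freshly transferred key pair is the moment to re-copy the file, whatever `ssh-keygen -l` happens to print.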