You really don't need openssl for that.
 And the fingerprints are simple.
 Here is a python script that does the same as ssh-keygen -fl /path/to/key :
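#!/usr/bin/env python3

import binascii
import hashlib
import sys

if __name__ == "__main__":
    # argv[1]: base64 field of the public key, argv[2]: "md5" or "sha256"
    key = binascii.a2b_base64(sys.argv[1])
    if sys.argv[2] == "md5":
        # MD5 fingerprint as plain hex (no colon separators)
        m = hashlib.new("md5")
        m.update(key)
        print(m.hexdigest())
    elif sys.argv[2] == "sha256":
        # SHA256 fingerprint as base64; [0:-1] strips the trailing newline
        m = hashlib.new("sha256")
        m.update(key)
        print(binascii.b2a_base64(m.digest()).decode("utf8")[0:-1])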
 Do use it in production, do some test, but the general idea is there.
 Cheers,
On Tue, 30 Jun 2015 16:12:03 +0200
Johannes Löthberg <johannes at kyriasis.com> wrote:
> On 30/06, Johannes Löthberg wrote:
> >On 30/06, shawn wilson wrote:
> >>% cat ext_rsa.pub| sed -r 's/.*(AAAA[^ ]+).*/\1/' | sha256sum
> >>
> >> ~/.ssh swlap1
> >>d4bf8b06f2d9d9af7a11583a5367205ed310a84f0dee68d062e2ddca1e85c3ff  -
> >>% ssh-keygen -lf ext_rsa.pub
> >>
> >>  ~/.ssh swlap1
> >>8192 SHA256:FgrfxmdjTM/j4wwRa7nVdPSUaJdqHYMJtJ6aciPl9ug swilson at swlap1 (RSA)
> >>
> >>Why do those differ and how would I generate the equivalent (mainly
> >>just curious)? I've also tried base64 and a few other substitutions at
> >>the end and I can't get them to match (probably would save time to
> >>just look at the code, but...).
> >
> >It's not simply a checksum of the key file. You need to extract the
> >exponent and prime from the public key, then append those to a 
> >specific string of bits, then get a SHA256 digest of that, and then 
> >base64 encode that.
> >
> >https://github.com/kyrias/bin/blob/master/ssh-gen-fprint has an 
> >example implementation of `ssh-keygen -lf` in Ruby.
> >
> 
> Oh, and support for ECC keys isn't implemented because OpenSSL
> doesn't support it yet. :/
> 
> -- 
> Sincerely,
>   Johannes Löthberg
>   PGP Key ID: 0x50FB9B273A9D0BB5
>   https://theos.kyriasis.com/~kyrias/
-- 
Emmanuel Vadot <elbarto at bocal.org>
On 30/06, Emmanuel Vadot wrote:
>
>  You really don't need openssl for that.
>
>  And the fingerprints are simple.
>  Here is a python script that does the same as ssh-keygen
> -fl /path/to/key :
>
> #!/usr/bin/env python3
>
> import binascii
> import hashlib
> import sys
>
> if __name__ == "__main__":
>     key = binascii.a2b_base64(sys.argv[1])
>     if sys.argv[2] == "md5":
>         m = hashlib.new("md5")
>         m.update(key)
>         print(m.hexdigest())
>     elif sys.argv[2] == "sha256":
>         m = hashlib.new("sha256")
>         m.update(key)
>         print(binascii.b2a_base64(m.digest()).decode("utf8")[0:-1])
>
>  Do use it in production, do some test, but the general idea is there.
>

That doesn't actually work for either RSA or Ed25519 keys?

Example: https://theos.kyriasis.com/~kyrias/s/mX8U0VzI5w.png

-- 
Sincerely,
  Johannes Löthberg
  PGP Key ID: 0x50FB9B273A9D0BB5
  https://theos.kyriasis.com/~kyrias/
 It does work with rsa, ecdsa and ed25519.
 For ed25519 you may need to remove the extra = (base64 padding byte) at the end of the sum.
 And I've been lying when I said it does the same as ssh-keygen -fl, the first argument must be the public key not the path.

On Tue, 30 Jun 2015 18:43:36 +0200
Johannes Löthberg <johannes at kyriasis.com> wrote:
> On 30/06, Emmanuel Vadot wrote:
> >
> >  You really don't need openssl for that.
> >
> >  And the fingerprints are simple.
> >  Here is a python script that does the same as ssh-keygen
> > -fl /path/to/key :
> >
> > #!/usr/bin/env python3
> >
> > import binascii
> > import hashlib
> > import sys
> >
> > if __name__ == "__main__":
> >     key = binascii.a2b_base64(sys.argv[1])
> >     if sys.argv[2] == "md5":
> >         m = hashlib.new("md5")
> >         m.update(key)
> >         print(m.hexdigest())
> >     elif sys.argv[2] == "sha256":
> >         m = hashlib.new("sha256")
> >         m.update(key)
> >         print(binascii.b2a_base64(m.digest()).decode("utf8")[0:-1])
> >
> >  Do use it in production, do some test, but the general idea is there.
> >
>
> That doesn't actually work for either RSA or Ed25519 keys?
>
> Example: https://theos.kyriasis.com/~kyrias/s/mX8U0VzI5w.png
>
> -- 
> Sincerely,
>   Johannes Löthberg
>   PGP Key ID: 0x50FB9B273A9D0BB5
>   https://theos.kyriasis.com/~kyrias/

-- 
Emmanuel Vadot <elbarto at bocal.org>