# How to Generate, Truncate, and Verify Your SSH Key's Unique Identifier

## Introduction

SSH keys are the backbone of secure authentication for servers, Git platforms, and DevOps workflows[1]. But how do you verify that a key is genuine? Enter fingerprints – cryptographic hashes that act as unique identifiers for your keys.

In this post, you'll learn:

- How to generate fingerprints for RSA and Ed25519 keys
- Why truncating fingerprints is useful (but risky)[2]
- How to mimic "memory address" hex codes from fingerprints
## What's a Fingerprint? 👆

A fingerprint is a hash (like SHA256) of your public key. It's a shorter, readable string that uniquely identifies your key[3]. For example:

```
SHA256:zB6WvZt... user@host (ED25519)
```

Even a tiny change in the key produces a completely different fingerprint due to the avalanche effect in cryptographic hashing[4].
## Generating Fingerprints 🛠️

### For Ed25519 Keys

Ed25519 is a modern, secure key algorithm (RFC 8032[5]). To get its fingerprint:

```bash
ssh-keygen -l -f ~/.ssh/id_ed25519.pub
# Output example:
# 256 SHA256:zB6WvZt... user@host (ED25519)
```

### For RSA Keys

RSA is older but still widely used (RFC 8017). Command:

```bash
ssh-keygen -l -f ~/.ssh/id_rsa.pub
# Output example:
# 3072 SHA256:qR2sYtX... user@host (RSA)
```
## Truncating Fingerprints

Need a shorter identifier? Here's how to truncate SHA256 to mimic a "memory address":

### Ed25519 Example

```bash
# awk keeps only the base64 part after "SHA256:" and re-adds the "=" padding that
# ssh-keygen strips; without it, GNU base64 -d complains about invalid input.
ssh-keygen -l -f ~/.ssh/id_ed25519.pub | awk '{split($2,a,":"); printf "%s=\n", a[2]}' | base64 -d | head -c 8 | xxd -p | sed 's/^/0x/'
# Output: 0x1a2b3c4d5e6f7a8b
```

### RSA Example

```bash
ssh-keygen -l -f ~/.ssh/id_rsa.pub | awk '{split($2,a,":"); printf "%s=\n", a[2]}' | base64 -d | head -c 8 | xxd -p | sed 's/^/0x/'
# Output: 0x9f8e7d6c5b4a3c2d
```

How this works:

- `base64 -d` decodes the SHA256 string
- `head -c 8` truncates to the first 8 bytes (64 bits)
- `xxd -p` converts bytes to hex
- `sed` adds the 0x prefix
## Legacy MD5 Fingerprints (Use with Caution!) ⚠️

MD5 is shorter but insecure due to collision vulnerabilities. Generate it with:

```bash
# Ed25519:
ssh-keygen -l -E md5 -f ~/.ssh/id_ed25519.pub
# RSA:
ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub
```

Example output (abbreviated; a full MD5 fingerprint has 16 colon-separated bytes):

```
256 MD5:12:34:56:78:90:ab:cd:ef user@host (ED25519)
```
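As an added example (not code from the original post or from OpenSSH), the Python below reproduces what `ssh-keygen -l` computes for the SHA256 and MD5 fingerprints shown above and for the truncation pipeline, working directly from a public-key line. The `user@host` Ed25519 key bytes are a constructed sample, not a real key, and the RSA branch (key size read from the modulus) goes slightly beyond what the post shows.

```python
import base64
import hashlib
import struct

def ssh_strings(blob):
    """Split an OpenSSH public-key blob into its length-prefixed fields (RFC 4251 strings)."""
    off = 0
    while off < len(blob):
        n = struct.unpack(">I", blob[off:off + 4])[0]
        yield blob[off + 4:off + 4 + n]
        off += 4 + n

def make_ed25519_line(key_bytes, comment):
    """Build an authorized_keys-style line around constructed (not real) key bytes."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", len(key_bytes)) + key_bytes
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

def sha256_fingerprint(blob):
    """What ssh-keygen -l prints: base64 of SHA-256 over the blob, '=' padding dropped."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def md5_fingerprint(blob):
    """Legacy ssh-keygen -l -E md5 format: colon-separated hex bytes."""
    h = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def truncated_hex_id(fingerprint, nbytes=8):
    """Mimic the shell pipeline: re-pad, base64-decode, keep nbytes, show as 0x hex."""
    b64 = fingerprint.split(":", 1)[1]
    digest = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # base64 -d needs the padding back
    return "0x" + digest[:nbytes].hex()

def describe(line):
    """Reproduce the '<bits> <fingerprint> <comment> (<TYPE>)' line of ssh-keygen -l."""
    key_type, b64, *rest = line.split(None, 2)
    blob = base64.b64decode(b64)
    fields = list(ssh_strings(blob))
    if fields[0] != key_type.encode():
        raise ValueError("key type prefix does not match blob")
    if key_type == "ssh-rsa":
        bits = int.from_bytes(fields[2], "big").bit_length()  # key size = bit length of modulus n
    else:
        bits = len(fields[1]) * 8                             # ed25519: 32-byte point -> 256
    comment = rest[0] if rest else ""
    return f"{bits} {sha256_fingerprint(blob)} {comment} ({key_type[4:].upper()})"

# Constructed sample, NOT a real key: the bytes 0x00..0x1f stand in for the public point.
SAMPLE_LINE = make_ed25519_line(bytes(range(32)), "user@host")
```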
## When to Use Fingerprints 🎯

- Verifying Servers: Compare a server's fingerprint to your known-good copy:

  ```bash
  ssh-keyscan example.com | ssh-keygen -l -f -
  ```

- Git Platforms: GitHub/GitLab show fingerprints when adding a key
- Debugging: Short hex codes (0x1a2b...) help tag keys in logs
## Key Takeaways 💡

| Scenario | Command | Security Level |
|---|---|---|
| Default SHA256 | `ssh-keygen -l -f ~/.ssh/id_ed25519.pub` | ✅ High (Recommended) |
| Truncated "Memory Address" | Custom pipeline (see above) | ⚠️ Low (For display) |
| Legacy MD5 | `ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub` | ❌ Avoid (Insecure) |
## Conclusion 🎉

Fingerprints turn cryptographic keys into human-friendly identifiers. While truncating them is handy for readability, always use the full SHA256 for security-critical tasks.
Ed25519 keys are the future (thanks to their smaller size and security), but RSA remains relevant for legacy systems. Whichever you use, fingerprints ensure you're connecting to the right machine – not an impostor!
## FAQ ❓

Q: Are truncated fingerprints unique?
A: In practice, yes – but shorter hashes increase collision risk.
Q: Why does Ed25519 use SHA256?
A: OpenSSH defaults to SHA256 for fingerprints, regardless of key type.
Q: Is MD5 ever safe?
A: No. Use it only for debugging, never for verification.
For more information on SSH key authentication, see the OpenSSH documentation.

- Wang, X., & Yu, H. (2005). "How to Break MD5 and Other Hash Functions". Eurocrypt 2005.
- NIST Special Publication 800-57 Part 1 Revision 5. Recommendation for Key Management.
- RFC 4270. Attacks on Cryptographic Hashes in Internet Protocols.
- RFC 8032. Edwards-Curve Digital Signature Algorithm (EdDSA).