Last active
August 14, 2022 04:06
Generate SHA256 fingerprint from a public key
```python
#!/usr/bin/python
# coding=utf-8
# sha256frompubkey.py: Displays SHA256 fingerprint of public key in Python 2/3.
# Modified by Steven Maude from
# https://github.com/joyent/python-manta/blob/4de7445277c0971c7ff43ef246018d055ef21d20/manta/auth.py
# MIT licence.
# Usage: obtain a public key using ssh-keyscan <host> > key.pub
# then sha256frompubkey.py `cut -f3 -d " " key.pub`
import base64
import binascii
import hashlib
import re
import sys


def sha256_fingerprint_from_pub_key(data):
    data = data.strip()

    # accept either base64 encoded data or full pub key file,
    # same as `fingerprint_from_ssh_pub_key`
    if (re.search(r'^ssh-(?:rsa|dss) ', data)):
        data = data.split(None, 2)[1]

    # Python 2/3 hack. May be a better solution but this works.
    try:
        data = bytes(data, 'ascii')
    except TypeError:
        data = bytes(data)

    digest = hashlib.sha256(binascii.a2b_base64(data)).digest()
    encoded = base64.b64encode(digest).rstrip(b'=')  # ssh-keygen strips this
    return "SHA256:" + encoded.decode('utf-8')


def main():
    print(sha256_fingerprint_from_pub_key(sys.argv[1]))


if __name__ == '__main__':
    main()
```
I just tested the script. It still works for me.
The primary use was for getting fingerprints from servers. The `cut` gets the base64 part of the file. You may need to `cut` a different field to get the correct part for this script, if using on a key which doesn't have a server name, for example.
I put this here, I think, at a time when the OS I was using did not show SHA256 fingerprints directly. This was probably because OpenSSH hadn't yet been updated.
The `ssh-keygen` command works fine too 🙂
Could well be that my key I tried with is an ed25519.pub rather than a more typical rsa.
The shell command unphased provided works perfectly.
ssh-keygen -E sha256 -l -f ~/.ssh/<key>.pub
I found that all you need to do for getting the sha256 fingerprint shown in github (to check it against your local key) is:
This script did not work for me, it reports some binascii error.
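An added example, not part of the gist or of any comment above: Python 3 code that finds the base64 key blob in whichever field it sits (bare base64, a `.pub` line, or an `ssh-keyscan` line with a leading host name) by checking that the key type embedded in the decoded blob matches the field before it, so the wrong field is rejected instead of being hashed and key types other than `ssh-rsa`/`ssh-dss` are accepted. The function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct


def blob_key_type(blob):
    """Return the key type stored as the blob's first length-prefixed string."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    if length == 0 or 4 + length > len(blob):
        raise ValueError("bad length prefix")
    return blob[4:4 + length].decode("ascii")


def locate_blob(line):
    """Find the key blob in bare base64, a .pub line or an ssh-keyscan line."""
    fields = line.split()
    # Pair every field with the one before it; a lone field has no declared type.
    pairs = [(None, fields[0])] if len(fields) == 1 else zip(fields, fields[1:])
    for declared, b64 in pairs:
        try:
            blob = base64.b64decode(b64, validate=True)
            embedded = blob_key_type(blob)
        except ValueError:  # also covers binascii.Error and UnicodeDecodeError
            continue
        if declared in (None, embedded):
            return embedded, blob
    raise ValueError("no field decodes to a key blob matching its declared type")


def fingerprint(line):
    """Return (key type, fingerprint in ssh-keygen's SHA256 format)."""
    key_type, blob = locate_blob(line)
    digest = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=")
    return key_type, "SHA256:" + digest.decode("ascii")


# Constructed sample, not a real key: ssh-ed25519 blob with a dummy 32-byte key.
SAMPLE_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519"
               + struct.pack(">I", 32) + bytes(range(32)))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")

if __name__ == "__main__":
    for line in (SAMPLE_B64,
                 "ssh-ed25519 " + SAMPLE_B64 + " user@example.test",
                 "host.example.test ssh-ed25519 " + SAMPLE_B64):
        print(fingerprint(line))
```

A line whose declared type does not match the blob, or a field that is not a key blob at all (a comment or host name), raises `ValueError` rather than producing a fingerprint of the wrong data.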