mttjohnson · February 1, 2023 05:49
diff --git a/validate_ssh_key.sh b/validate_ssh_key.sh
 # When you SSH into a server for the first time it prompts you if you trust the remote server's host key
 # To validate that they key you received is the same as the server you just logged into you can check 
 # the fingerprint of the host key on the remote server itself.

 # Output fingerprint of system's host key
 ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub

 # You can fingerprint both the private and public key from a file
 # They should both produce the same fingerprint value.
 ssh-keygen -l -f ~/.ssh/id_ed25519.pub
 ssh-keygen -l -f ~/.ssh/id_ed25519

 # Digital Ocean lists ssh key fingerprints in MD5 format
 ssh-keygen -l -f ~/.ssh/id_ed25519.pub -E md5

 # You can specify the fingerprint format type to be explicitly SHA256 if needed
 # The SHA256 output from ssh-keygen is Base64 encoded.
 ssh-keygen -l -f ~/.ssh/id_ed25519.pub -E sha256

 # You can also do this from a piped string if you don't have the contents in a file:
 echo "XXXXXXXXXXX_PUBLIC_KEY_CONTENTS_HERE_XXXXXXXXXXX" | ssh-keygen -l -f /dev/stdin

 # To check and see if a private key is encrypted you can generate the public key from the private
 # If it prompts for a password the private key is encrypted, otherwise it is not.
 ssh-keygen -y -f ~/.ssh/id_ed25519

 # You can also do this from a variable if you don't have the contents in a file:
 PRIVATE_KEY="XXXXXXXXXXX_PUBLIC_KEY_CONTENTS_HERE_XXXXXXXXXXX"
 ssh-keygen -y -f /dev/stdin <<< "${PRIVATE_KEY}"

 # During ssh login you can use the -v option to display additional debug 
 # information and see the fingerprint of keys being used to authenticate
 ssh user@host -v

 # On CentOS/RedHat servers there is an audit log that will list keys being used in authentiction of SSH connections
 # The key fingerprint format in this log file tends to bein Hex Octets rather than Base64 encoded, so some conversion
 # would be required to match a key fingerprint with the ones listed in the log file.
 cat /var/log/audit/audit.log
	# When you SSH into a server for the first time it prompts you if you trust the remote server's host key
	# To validate that they key you received is the same as the server you just logged into you can check
	# the fingerprint of the host key on the remote server itself.

	# Output fingerprint of system's host key
	ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub

	# You can fingerprint both the private and public key from a file
	# They should both produce the same fingerprint value.
	ssh-keygen -l -f ~/.ssh/id_ed25519.pub
	ssh-keygen -l -f ~/.ssh/id_ed25519

	# Digital Ocean lists ssh key fingerprints in MD5 format
	ssh-keygen -l -f ~/.ssh/id_ed25519.pub -E md5

	# You can specify the fingerprint format type to be explicitly SHA256 if needed
	# The SHA256 output from ssh-keygen is Base64 encoded.
	ssh-keygen -l -f ~/.ssh/id_ed25519.pub -E sha256

	# You can also do this from a piped string if you don't have the contents in a file:
	echo "XXXXXXXXXXX_PUBLIC_KEY_CONTENTS_HERE_XXXXXXXXXXX" \| ssh-keygen -l -f /dev/stdin

	# To check and see if a private key is encrypted you can generate the public key from the private
	# If it prompts for a password the private key is encrypted, otherwise it is not.
	ssh-keygen -y -f ~/.ssh/id_ed25519

	# You can also do this from a variable if you don't have the contents in a file:
	PRIVATE_KEY="XXXXXXXXXXX_PUBLIC_KEY_CONTENTS_HERE_XXXXXXXXXXX"
	ssh-keygen -y -f /dev/stdin <<< "${PRIVATE_KEY}"

	# During ssh login you can use the -v option to display additional debug
	# information and see the fingerprint of keys being used to authenticate
	ssh user@host -v

	# On CentOS/RedHat servers there is an audit log that will list keys being used in authentiction of SSH connections
	# The key fingerprint format in this log file tends to bein Hex Octets rather than Base64 encoded, so some conversion
	# would be required to match a key fingerprint with the ones listed in the log file.
	cat /var/log/audit/audit.log