How to generate SSH Key Fingerprint in Linux?

A popular protocol for safe remote access to servers and other systems is called Secure Shell (SSH). The SSH key fingerprint is one of the essential elements of SSH authentication. We will discuss the definition of an SSH key fingerprint, its creation process, its significance for SSH authentication, and security and verification issues in this article.

Generate SSH Key Fingerprint in Linux

  • Method 1 : SSH Key Fingerprint Generation and Extraction
    • Step 1 : Generate SSH key pair (RSA algorithm, 2048-bit key length)
    • Step 2 : Extract fingerprint using MD5 hash algorithm
    • Step 3 : Extract fingerprint using SHA-256 hash algorithm:
  • Method 2: OpenSSL RSA Key Generation

Method 1 : SSH Key Fingerprint Generation and Extraction

SSH key pairs consist of a private key and a public key. The private key is kept securely on your local machine, while the public key is shared with remote servers or services you want to connect to securely. Generating a strong SSH key pair is crucial for ensuring the security of your remote connections. By generating an SSH key pair and extracting its fingerprint(s), you can securely authenticate and establish encrypted communication channels with remote systems. The fingerprint serves as a unique identifier for the public key, allowing you to verify its integrity and ensure that you are connecting to the intended server or service.

This method is particularly useful in scenarios where you need to securely connect to remote servers, transfer files, or manage remote systems over an insecure network. The SSH key pair and its fingerprint(s) provide a robust mechanism for authentication and encryption, ensuring that your connections are secure and protected against potential eavesdropping or man-in-the-middle attacks.

Step 1 : Generate SSH key pair (RSA algorithm, 2048-bit key length)

ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa


The command-line tool for creating SSH keys is called ssh-keygen.

  • ssh-keygen: Use this command to create SSH key pairs. A key pair consists of a public key and a private key. For authentication purposes, the private key is stored locally on your system, and the public key is stored on remote computers. The tool handles the generation, conversion, and management of SSH key pairs, which are crucial for secure authentication and communication in SSH protocol-based systems.
  • -t rsa: Indicates the kind of key to be generated; RSA is the example.
  • -b 2048: Indicates how many bits are in the key. We are creating a 2048-bit key with this command, which is generally regarded as secure.
  • -f ~/.ssh/id_rsa: Indicates the key pair's filename. The private key is saved as ~/.ssh/id_rsa and the public key as ~/.ssh/id_rsa.pub.

Step 2 : Extract fingerprint using MD5 hash algorithm

ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub


A fingerprint is a distinct identity derived from a public key's contents. It is employed to confirm the key's integrity and authenticity.

Message Digest Algorithm 5, or MD5, is a popular cryptographic hash algorithm. It generates a 32-character hexadecimal number that is a 128-bit hash value.

  • -l: Prints the fingerprint of the specified public key file.
  • -E md5: Specifies the hash algorithm to use for fingerprint calculation, in this case MD5. MD5 is one of the available hash algorithms for SSH key fingerprints.
  • -f ~/.ssh/id_rsa.pub: Specifies the filename of the public key file for which to generate the fingerprint.

Step 3 : Extract fingerprint using SHA-256 hash algorithm

ssh-keygen -l -E sha256 -f ~/.ssh/id_rsa.pub


  • -l: Instructs ssh-keygen to display the fingerprint of the designated public key file. The fingerprint is a distinct identity generated from the public key's contents, used to verify its legitimacy and reliability.
  • -E sha256: Specifies the hash algorithm to use for fingerprint calculation, in this case SHA-256. SHA-256 is another available hash algorithm for SSH key fingerprints. The Secure Hash Algorithm 256-bit, or SHA-256, is a well-known cryptographic hash function that is resistant to cryptographic attacks. SHA-256 is a safer and more dependable choice for fingerprints than less secure hash algorithms such as MD5.
  • -f ~/.ssh/id_rsa.pub: Specifies the filename of the public key file for which the fingerprint will be computed. In this instance the public key file linked to the SSH key pair is ~/.ssh/id_rsa.pub. The public key produced by ssh-keygen is often stored at this path, where ~ stands for the user's home directory.
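What Steps 2 and 3 compute, shown as an added Python example (not part of the original article and not ssh-keygen's own code): the fingerprint is a hash of the decoded public key blob, printed as colon-separated hex for MD5 and as unpadded Base64 for SHA-256. The helper names, the verify() policy of refusing MD5 unless explicitly allowed, and the constructed sample keys are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed field as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data

def parse_pubkey_line(line: str):
    """Split '<type> <base64> [comment]' and check the blob's embedded type."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("declared key type does not match key blob")
    return key_type, blob

def fingerprint(blob: bytes, algo: str = "sha256") -> str:
    """Fingerprint text in the form ssh-keygen -l -E <algo> prints."""
    if algo == "sha256":
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    if algo == "md5":
        digest = hashlib.md5(blob).digest()
        return "MD5:" + ":".join(f"{b:02x}" for b in digest)
    raise ValueError(f"unsupported hash: {algo}")

def verify(line: str, expected: str, allow_md5: bool = False) -> bool:
    """Compare a key with a fingerprint obtained over a trusted channel."""
    algo = "md5" if expected.startswith("MD5:") else "sha256"
    if algo == "md5" and not allow_md5:
        return False  # assumption: MD5 only for matching legacy records
    _, blob = parse_pubkey_line(line)
    return hmac.compare_digest(fingerprint(blob, algo).encode(),
                               expected.encode())

def constructed_key_line(modulus: int) -> str:
    """Constructed sample: an RSA-shaped blob, NOT a usable key."""
    def mpint(v: int) -> bytes:
        return ssh_string(v.to_bytes(v.bit_length() // 8 + 1, "big"))
    blob = ssh_string(b"ssh-rsa") + mpint(65537) + mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " demo@example"

SAMPLE = constructed_key_line((1 << 2047) | 1)  # constructed, 2048-bit
OTHER = constructed_key_line((1 << 2047) | 3)   # constructed, differs by 1 bit
```

Passing the contents of a real ~/.ssh/id_rsa.pub to parse_pubkey_line() and fingerprint() should give the same strings as the two ssh-keygen -l commands above.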

Method 2: OpenSSL RSA Key Generation

openssl genpkey: A command-line program called openssl genpkey is offered by OpenSSL, a flexible cryptographic library that is frequently used for encrypted data and secure communication. It makes it possible to generate private keys, which are essential parts of RSA and other asymmetric cryptography systems.

Step 1 : OpenSSL is a popular cryptographic library that can be used to create the key pair whose fingerprint you want. The following procedure generates a key pair with OpenSSL and then computes the associated fingerprint.

openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
  • -algorithm RSA: The -algorithm option specifies the cryptographic algorithm to be used for key generation, here RSA. Renowned for its security and effectiveness, RSA (Rivest-Shamir-Adleman) is a public-key cryptosystem that is extensively utilized. To maintain data integrity and safe transmission, asymmetric encryption techniques like RSA rely on the mathematical characteristics of big prime numbers.
  • -out private_key.pem: The -out option specifies the generated private key's filename. In this instance, private_key.pem is the path where the generated private key will be placed. The .pem extension indicates the Privacy Enhanced Mail (PEM) format, which is commonly used to store cryptographic artifacts like keys and certificates.
  • -pkeyopt rsa_keygen_bits:2048: The -pkeyopt option specifies additional parameters during key generation. rsa_keygen_bits:2048 sets the number of bits in the RSA key to be produced; 2048 bits is a standard recommendation for secure RSA keys. Because a longer key is more difficult to factor, it often offers better protection against brute-force attacks.

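Step 2 : Extract the public key from the key pair and generate its fingerprint:

openssl rsa -pubout -in private_key.pem -out public_key.pub

openssl rsa -pubout writes the public key in PEM (PKCS#8) format, which ssh-keygen -l does not accept as a public key file. Convert it to OpenSSH format first, then print the fingerprint (public_key_ssh.pub is only an example name for the converted file):

ssh-keygen -i -m PKCS8 -f public_key.pub > public_key_ssh.pub
ssh-keygen -lf public_key_ssh.pub

Replace private_key.pem, public_key.pub and public_key_ssh.pub with the filenames you intend to use for your keys. This technique uses OpenSSL to produce the key pair and the ssh-keygen command to extract the fingerprint of the public key.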

SSH Key Fingerprint – FAQs

Why is it necessary to generate SSH key pairs?

Systems can securely authenticate with each other using SSH key pairs. By employing cryptographic keys for authentication, they offer a more secure option to password-based authentication, lowering the possibility of password-related security problems like brute-force attacks.

How do I know which key length to choose when generating SSH keys?

For SSH keys, a key length of 2048 bits or more is advised. Stronger security is offered by larger key lengths, but key generation and authentication may need more processing power. Based on your systems’ capabilities and security requirements, determine the length of the key.

What is the purpose of extracting the fingerprint of an SSH public key?

An SSH public key’s fingerprint acts as a special key identifier. When establishing a connection to SSH servers, it is utilized to confirm the legitimacy of the key. Users can verify they are connecting to the legitimate server and not a malevolent imposter by comparing the fingerprint provided by the server with a known or expected value.

How do I use the extracted SSH key fingerprint for server authentication?

The legitimacy of the server’s public key can be confirmed by comparing the retrieved SSH key fingerprint to a reliable source. The fingerprint can be manually validated by the user with the server administrator, or it can be compared to a known fingerprint that is kept in a reliable database or set of instructions.

Can I regenerate or change the SSH key pair if needed?

It is possible to regenerate or modify SSH key pairs as needed. To guarantee continuous access to SSH services, it’s crucial to handle and distribute the fresh keys securely. To prevent authentication errors, it might also be necessary to update any open SSH sessions or connections with the new keys.

Conclusion:

In conclusion, maintaining safe communication over SSH requires a grasp of the processes involved in creating SSH key pairs and extracting fingerprints. Compared to password-based authentication, SSH key pairs offer a reliable means of authentication and lower the possibility of unwanted access. Users can strengthen the security of their systems and guard against bad actors by creating SSH keys with the right key lengths and safely managing the key pairs.