When managing multiple SSH keys in ~/.ssh/authorized_keys or ~/.ssh/authorized_keys2, developers often need to verify all fingerprints for security audits or key rotation. The basic ssh-keygen -l -f command only processes the first entry, leaving many scrambling for solutions.
Modern OpenSSH versions include built-in support:
ssh-keygen -lf ~/.ssh/authorized_keys
To request SHA-256 fingerprints explicitly (for example for ECDSA/Ed25519 keys on hosts whose ssh-keygen still defaults to MD5):
ssh-keygen -E sha256 -lf ~/.ssh/authorized_keys
For systems without the latest OpenSSH, try these shell commands:
while read -r line; do echo "$line" | ssh-keygen -lf /dev/stdin; done < ~/.ssh/authorized_keys
With SHA-256 fingerprints:
grep -v "^#" ~/.ssh/authorized_keys | while read -r line; do
echo "$line" | ssh-keygen -E sha256 -lf /dev/stdin
done
Here's a more robust Python 3 solution:
#!/usr/bin/env python3
import os
import subprocess
import sys


def get_fingerprints(file_path):
    """Print the fingerprint of every key in an authorized_keys file, one ssh-keygen call per entry."""
    with open(file_path, 'r') as f:
        for line in f:
            line = line.strip()
            # skip blank lines and comments
            if line and not line.startswith('#'):
                try:
                    # feed the entry on stdin; no shell is involved, so comment text is never interpreted
                    result = subprocess.run(
                        ['ssh-keygen', '-lf', '/dev/stdin'],
                        input=line.encode(),
                        capture_output=True,
                        check=True  # raise CalledProcessError on a non-zero exit
                    )
                    # the last whitespace-separated field is the key comment (or the key itself if none)
                    print(line.split()[-1], "->", result.stdout.decode().strip())
                except subprocess.CalledProcessError as e:
                    print(f"Error processing key: {e.stderr.decode().strip() or e}", file=sys.stderr)


if __name__ == "__main__":
    get_fingerprints(sys.argv[1] if len(sys.argv) > 1
                     else os.path.expanduser('~/.ssh/authorized_keys'))
For servers with hundreds of keys, consider this parallel processing approach:
grep -v '^#' ~/.ssh/authorized_keys | parallel --pipe -N1 ssh-keygen -lf /dev/stdin
Remember these best practices when working with SSH fingerprints:
- Always verify fingerprints through secure channels
- Consider using SHA-256 hashes (-E sha256) for better security
- Audit keys regularly with automated tools
When managing SSH access on Linux systems, administrators often need to verify the fingerprints of public keys stored in ~/.ssh/authorized_keys or ~/.ssh/authorized_keys2 files. The standard ssh-keygen -l -f command only processes the first key in the file, which isn't sufficient for auditing multiple keys.
Recent versions of OpenSSH (7.2+) include a built-in solution:
ssh-keygen -lf ~/.ssh/authorized_keys
This will output all fingerprints with their corresponding key types and comments:
256 SHA256:AbCdEfGhIjKlMnOpQrStUvWxYz1234567890 user@host1 (ECDSA)
2048 SHA256:ZyXwVuTsRqPoNmLkJiHgFeDcBa1234567890 user@host2 (RSA)
For systems with older SSH versions, here are reliable alternatives:
Using awk (Single Command)
awk '!/^#/ && NF >= 2 {print $1, $2}' ~/.ssh/authorized_keys | xargs -I {} bash -c 'ssh-keygen -lf <(echo "$1")' _ {}
Field 1 is the key type and field 2 the key material; entries that carry an options prefix (from=..., no-pty, ...) shift these fields, so use one of the scripts below for files that contain them.
Python Script
For more control and formatting options:
#!/usr/bin/env python3
import os
import subprocess

key_file = os.path.expanduser('~/.ssh/authorized_keys')
with open(key_file, 'r') as f:
    for line in f:
        line = line.strip()
        if line and not line.startswith('#'):
            # Pass the entry on stdin ('-f -' reads standard input) instead of building a
            # shell command string: a key comment containing shell metacharacters such as
            # $(...) or backticks would otherwise be executed by shell=True.
            result = subprocess.run(['ssh-keygen', '-lf', '-'],
                                    input=line + '\n', capture_output=True, text=True)
            print(result.stdout.strip() or result.stderr.strip())
The fingerprint output typically includes:
- Key bit length (2048, 4096, etc.)
- Hash algorithm (SHA256 by default)
- The actual fingerprint
- Key comment (if present)
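The two Python scripts above still fork ssh-keygen once per entry. As an added example that is not from the original page, the parser below computes the same SHA256 fingerprint natively: it follows the authorized_keys line format (optional options field, key type, base64 blob, comment) and ssh-keygen's fingerprint rule (unpadded base64 of SHA-256 over the decoded key blob), and derives the bit length from the blob. The SAMPLE file and sample_ed25519_line helper are constructed dummy data, not real keys.

```python
import base64, hashlib, struct
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # a line not starting so has an options field first

def _wire_string(blob, off):  # one SSH wire-format string: uint32 big-endian length + bytes
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n

def _split_options(line):  # the options field ends at the first whitespace outside double quotes
    if line.startswith(KEY_TYPE_PREFIXES):
        return "", line
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"' and line[i - 1:i] != "\\":
            quoted = not quoted
        elif ch in " \t" and not quoted:
            return line[:i], line[i:].lstrip()
    return line, ""

def key_bits(blob):  # key size as ssh-keygen -l reports it; None for types not handled here
    ktype, off = _wire_string(blob, 0)
    if ktype == b"ssh-rsa":
        _e, off = _wire_string(blob, off)   # public exponent (mpint)
        n, _ = _wire_string(blob, off)      # modulus (mpint); a leading 0x00 pad byte is harmless
        return int.from_bytes(n, "big").bit_length()
    return 256 if ktype == b"ssh-ed25519" else None

def parse_entry(line):  # one authorized_keys line -> dict, or None for blank and comment lines
    if not (line := line.strip()) or line.startswith("#"):
        return None
    options, rest = _split_options(line)
    parts = rest.split(None, 2)             # key type, base64 blob, optional comment
    if len(parts) < 2:
        raise ValueError("malformed authorized_keys entry: %r" % line)
    blob = base64.b64decode(parts[1], validate=True)
    if _wire_string(blob, 0)[0] != parts[0].encode():
        raise ValueError("type field %r does not match the key blob" % parts[0])
    # ssh-keygen -E sha256 prints the unpadded base64 of sha256(decoded blob)
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"options": options, "type": parts[0], "bits": key_bits(blob),
            "fingerprint": "SHA256:" + fp, "comment": parts[2] if len(parts) == 3 else ""}

def fingerprints(text):  # parse the full contents of an authorized_keys file
    return [e for e in map(parse_entry, text.splitlines()) if e]

def sample_ed25519_line(options="", comment="demo"):  # constructed entry, NOT a real key
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
    return " ".join(f for f in (options, "ssh-ed25519", base64.b64encode(blob).decode(), comment) if f)

SAMPLE = "# constructed sample\n\n%s\n%s\n" % (  # comment, blank line, plain key, restricted key
    sample_ed25519_line(), sample_ed25519_line('from="10.0.0.0/8,192.168.1.1",no-pty', "deploy@ci"))
```

Run fingerprints(open(path).read()) on a real file to get the same SHA256 values ssh-keygen -lf prints, without spawning a process per key or exposing comment text to a shell.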
When scripting these solutions:
- Avoid writing temporary files with sensitive key material
- Use process substitution (<(command)) when possible
- Consider using SHA256 instead of the legacy MD5 format
For system administrators managing multiple servers:
# read the list line by line; ssh -n keeps the remote session from consuming the rest of the list on stdin
while read -r server; do
    echo "=== ${server} ==="
    ssh -n "${server}" 'ssh-keygen -lf ~/.ssh/authorized_keys'
done < server_list.txt