Fingerprint of PEM ssh key

Question

I have a PEM file which I add to a running ssh-agent:

$ file query.pem
query.pem: PEM RSA private key

$ ssh-add ./query.pem
Identity added: ./query.pem (./query.pem)

$ ssh-add -l | grep query
2048 ef:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX ./query.pem (RSA)

How can I get the key's fingerprint (which I see in ssh-agent) directly from the file? I know ssh-keygen -l -f some_key works for "normal" ssh keys, but not for PEM files.

If I try ssh-keygen on the .pem file, I get:

$ ssh-keygen -l -f ./query.pem                                             
key_read: uudecode PRIVATE KEY----- failed
key_read: uudecode PRIVATE KEY----- failed
./query.pem is not a public key file.

This key starts with:

-----BEGIN RSA PRIVATE KEY-----
MIIEp.... etc.

as opposed to a "regular" private key, which looks like:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,E15F2.... etc.

Answer 1

AWS's "Verifying Your Key-Pair's Fingerprint" provides two one-liners that solves the problem, depending upon how your key was created.

If you created your key pair using AWS:

$ openssl pkcs8 -in query.pem -inform PEM -outform DER -topk8 -nocrypt | openssl sha1 -c
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx

Or, if you created your key pair with a third-party tool:

$ openssl rsa -in query.pem -pubout -outform DER | openssl md5 -c
writing RSA key
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx

(fingerprints redacted in output above)

Answer 2

If you want to retrieve the fingerprint of your lost public key file, you can recover it from the private key file:

$ ssh-keygen -yf path/to/private_key_file > path/to/store/public_key_file

Then you are able to ascertain the public fingerprint:

$ ssh-keygen -lf path/to/store/public_key_file
2048 SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX user@host (RSA)

On some newer systems, this prints the SHA256 fingerprint of the key. You can print the MD5 fingerprint of the key (the colon form) using option -E:

$ ssh-keygen -E md5 -lf path/to/store/public_key_file
2048 MD5:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx user@host (RSA)

Or as one command line:

$ ssh-keygen -yf /etc/ssh/ssh_host_ecdsa_key | ssh-keygen -E md5 -lf -
2048 MD5:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx user@host (RSA)

Answer 3

Here is a one liner that should do what you want without requiring the creation of a public key file locally.

$ ssh-keygen -lf /dev/stdin <<< $( ssh-keygen -f ~/.ssh/keyname.pem -y )
2048 14:df:c7:b7:f1:26:7f:87:d5:e7:10:6c:ac:af:a2:03 /dev/stdin (RSA)

This uses the bash here string <<< in order to have stdin available as a regular file (/dev/stdin) rather than a pipe as ssh-keygen will only operate on a file.

As of Release 7.2 of openssh ssh-keygen supports fingerprinting from standard input:

• ssh-keygen(1): allow fingerprinting from standard input, e.g. "ssh-keygen -lf -"

Note that this command will break with private keys that use a passphrase and are not using an agent. It should work with pem files generated by AWS or OpenStack which do not use passphrases.

See https://stackoverflow.com/questions/2635360/ssh-keygen-accepting-stdin for more info.

Answer 4

You don't get the fingerprint from the private key file but from the public key file.

In fact, ssh-keygen already told you this:

./query.pem is not a public key file.

Run it against the public half of the key and it should work.

More generally speaking

Think about it: the reason for the fingerprint to exists is that you can identify the public key. In fact, getting a hash of the private key is a potential security issue beside being useless to the server (which doesn't even HAVE the private key in question).

Once you have the public key, the process is to verify that client has a hold on the corresponding private half. Since you already know which keys aou're trying to verify, you don't need the fingerprint.