31

When logging in via ssh, the following can be seen in auth.log:

Dec 14 16:29:30 app sshd[22781]: Accepted publickey for dev from XXX.XXX.XX.XXX port XXXXX ssh2: RSA SHA256:pO8i...

I've been trying to figure out what this SHA256 information is, but I couldn't find anything that seems to match. First I thought it could be some information from the client (public key, fingerprint, hashed hostname etc.) I'm connecting from, but I didn't find anything to confirm it, nor on the server side.

The closest information I've found is here, but I didn't understand when it says "And here is an example using a key for authentication. It shows the kewy (a misspelling, probably) fingerprint as a SHA256 hash in base64.", since I haven't found a corresponding key fingerprint of any kind.

Thank you.

Márcio Jales

2 Answers

50

This is the SHA256 hash for the RSA public key which was used to authenticate the SSH session.

This is how to verify it:

ssh-keygen -lf .ssh/id_rsa.pub

Or, to verify without ssh-keygen:

  • Remove the ssh-rsa prefix
  • Decode the key to bytes using base64
  • Get the SHA256 hash for the key (as bytes, not hex)
  • Encode the bytes using base64

For example:

cat .ssh/id_rsa.pub    |
    awk '{ print $2 }' | # Only the actual key data without prefix or comments
    base64 -d          | # decode as base64
    sha256sum          | # SHA256 hash (returns hex)
    awk '{ print $1 }' | # only the hex data
    xxd -r -p          | # hex to bytes
    base64               # encode as base64
Joshua Griffiths
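
The same four steps applied to log review, as an added Python example that is not part of the original answer: it fingerprints each entry of an authorized_keys file and resolves "Accepted publickey" lines to the key that was used. The function names, key-type subset, sample key blob, addresses and log lines are constructed for illustration. sshd prints the base64 digest without its trailing `=` padding, so the padding is stripped before comparing.

```python
import base64, hashlib, re, struct

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}  # subset for the demo
ACCEPTED = re.compile(
    r"Accepted publickey for (\S+) from (\S+) port \d+ ssh2: \S+ (SHA256:\S+)")

def fingerprint(pub_line):
    """Return 'SHA256:...' for an id_*.pub or authorized_keys line, else None."""
    fields = pub_line.split()
    # authorized_keys entries may begin with options, so find the key type first
    idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(fields):
        return None
    blob = base64.b64decode(fields[idx + 1])
    digest = hashlib.sha256(blob).digest()          # raw bytes, not hex
    # sshd logs the base64 digest without its trailing '=' padding
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def who_logged_in(log_text, authorized_keys_text):
    """Resolve each 'Accepted publickey' line to the matching key's last field."""
    known = {}
    for line in authorized_keys_text.splitlines():
        fp = fingerprint(line)
        if fp:
            known[fp] = line.split()[-1]            # comment, if the entry has one
    return [(user, src, known.get(fp, "UNKNOWN KEY"))
            for user, src, fp in ACCEPTED.findall(log_text)]

def sshstr(b):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

# Constructed sample data: the "modulus" is filler bytes, not a usable RSA key.
SAMPLE_BLOB = sshstr(b"ssh-rsa") + sshstr(b"\x01\x00\x01") + sshstr(bytes(range(1, 129)))
SAMPLE_KEYS = "no-pty ssh-rsa %s dev@laptop\n" % base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_LOG = (
    "Dec 14 16:29:30 app sshd[22781]: Accepted publickey for dev from 192.0.2.10 "
    "port 50022 ssh2: RSA %s\n" % fingerprint(SAMPLE_KEYS) +
    "Dec 14 16:31:02 app sshd[22790]: Accepted publickey for dev from 198.51.100.7 "
    "port 50100 ssh2: RSA SHA256:" + "A" * 43 + "\n")

if __name__ == "__main__":
    for row in who_logged_in(SAMPLE_LOG, SAMPLE_KEYS):
        print(row)
```

A login whose fingerprint resolves to no known entry is worth a closer look, since it means the key was accepted from somewhere other than the file that was checked.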
3

Had the same question on macOS 10.13.6, where your answer just needed a couple of tweaks:

cat .ssh/id_rsa.pub    |
    awk '{ print $2 }' | # Only the actual key data without prefix or comments
    base64 -D          | # decode as base64
    shasum -a 256      | # SHA256 hash (returns hex)
    awk '{ print $1 }' | # only the hex data
    xxd -r -p          | # hex to bytes
    base64               # encode as base64

Thanks v. much.

stoutyhk