2012-03-07

generating a fingerprint for an SSH key

After recently discovering a security vulnerability that allows an attacker to add an SSH key to a GitHub user account, GitHub is requiring all users to audit their SSH keys. Its audit page lists one's keys by type and fingerprint, but it doesn't say how it generated the fingerprint or how to generate one for your local copy of a key to compare it with. Nor does it let you see the whole key.

And since I don't generate such fingerprints very often, I didn't know how to do it. So I tried cksum, md5, and shasum on my Mac, but none of their checksums matched. Turns out the tool to use is ssh-keygen:

    ssh-keygen -l -f path/to/keyfile
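Why the plain checksums did not match, as an added example (not from the original post): the fingerprint is a hash of the base64-decoded key blob, not of the key file's text. The sketch below computes the legacy MD5 colon-hex form and the SHA256 form that newer OpenSSH releases print by default. The sample key is constructed (not a real key) and all function names are assumptions.

```python
import base64
import hashlib
import struct


def ssh_string(data):
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def constructed_sample_line():
    """Build a structurally valid public key line (constructed sample, not a real key)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " constructed@example"


def parse_public_key(line):
    """Return (key_type, blob) from one public key line: 'type base64 [comment]'."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected 'type base64 [comment]'")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with a length-prefixed copy of the algorithm name;
    # a mismatch means the line was truncated or edited.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode("ascii", "replace") != key_type:
        raise ValueError("key type does not match the encoded blob")
    return key_type, blob


def md5_fingerprint(blob):
    """Legacy form: MD5 of the decoded blob as colon-separated hex pairs."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob):
    """Newer form: 'SHA256:' + unpadded base64 of the SHA-256 digest of the blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


if __name__ == "__main__":
    key_type, blob = parse_public_key(constructed_sample_line())
    print(key_type, md5_fingerprint(blob), sha256_fingerprint(blob))
```

On OpenSSH releases that default to SHA256, `ssh-keygen -l -E md5 -f path/to/keyfile` prints the MD5 form.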

2 comments:

Félix said...

Actually, they do say how to: just above the audit box, there's a link pointing to a help page: http://help.github.com/verify-ssh-redirect/

Myk Melez said...

Hmm, I didn't see that when I first went to the page. I wonder if they added it after I complained to them about it this morning. :-)