@MawKKe
Last active October 2, 2021 15:53
List OpenSSH key fingerprints of all private keys found under ~/.ssh/
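#!/usr/bin/env sh
# Author: Markus H (MawKKe) ekkwam@gmail.com

set -eu

PNAME="$(basename "${0}")"

# OpenSSH default checksum type as of 2021-07
E=sha256

# The ~/.ssh directory may contain many files; we want to process only SSH
# private keys. Only files that contain this sequence of words (delimited by
# whitespace) are assumed to be private keys. Keys stored in the older PEM
# format (e.g. "BEGIN RSA PRIVATE KEY") do not match and are skipped.
# [[:space:]] is the POSIX spelling of \s, which is a GNU grep extension.
PRIVKEYTAG="BEGIN[[:space:]]+OPENSSH[[:space:]]+PRIVATE[[:space:]]+KEY"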

usage() {
    echo "Prints OpenSSH key fingerprints for all private keys found in ~/.ssh and any of its subdirectories"
    echo ""
    echo "(Note: This script assumes private key files contain substring '${PRIVKEYTAG}')"
    echo ""
    echo "Usage:"
    echo " ${PNAME} -h # Print this help"
    echo " ${PNAME} -E (sha256|md5) # Print fingerprints; use given checksum format"
    echo " ${PNAME} # Equivalent to '${PNAME} -E ${E}'"
    echo ""
    echo "HINT: The old hexadecimal fingerprints can be shown with '${PNAME} -E md5'"
}
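
# The leading ':' selects silent error reporting: getopts sets arg to ':'
# for a missing argument and to '?' for an unknown option.
while getopts ":hE:" arg; do
    case ${arg} in
        h)
            usage
            exit 0
            ;;
        E)
            # Quote OPTARG so an empty or multi-word value cannot break the test.
            if [ "${OPTARG}" != "md5" ] && [ "${OPTARG}" != "sha256" ]; then
                echo "ERROR: Invalid/unknown hash function name passed to -E" >&2
                exit 1
            else
                E=${OPTARG}
            fi
            ;;
        :)
            echo "The switch -${OPTARG} requires an argument" >&2
            exit 1
            ;;
        \?)
            echo "Invalid option: -${OPTARG}" >&2
            exit 2
            ;;
    esac
done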

shift $((OPTIND - 1))

if [ ${#} -gt 0 ]; then
    echo "WARNING: Ignoring trailing argument(s) '${*}'" >&2
fi

# Read one path per line so that file names containing spaces stay intact.
find ~/.ssh/ -type f -exec grep -ilE "${PRIVKEYTAG}" {} + | while IFS= read -r f; do
    echo "$(ssh-keygen -l -E "${E}" -f "${f}") ${f}"
done | sort -k 3 -r

# Example output:
# $ ssh-key-fingerprints -E md5 | column -t
# 4096 MD5:8d:40:4f:54:aa:df:1a:28:3b:3e:5a:2e:73:94:8e:ae user@hostname (RSA) /home/user/.ssh/id_rsa_bar
# 256 MD5:76:41:1e:75:de:5b:11:67:34:df:c2:33:6e:12:b5:43 user@hostname (ED25519) /home/user/.ssh/id_ed25519_foo
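
The two `-E` formats printed by the script are both digests of the base64-decoded public key blob: `sha256` is shown as unpadded base64, `md5` as colon-separated hex. The following is an added example, not part of the gist, that derives both from a `<type> <base64> [comment]` public key line (a `.pub` file or an `authorized_keys` entry) so a listed fingerprint can be cross-checked without `ssh-keygen`; the function names are hypothetical and the sample key is constructed.

```python
import base64
import hashlib
import struct


def read_string(buf, offset):
    """Read one RFC 4251 'string' (uint32 length + bytes) from buf."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, offset)
    end = offset + 4 + n
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[offset + 4:end], end


def fingerprint(blob, alg="sha256"):
    """Format a digest of the raw key blob the way 'ssh-keygen -l -E' does."""
    if alg == "sha256":
        digest = hashlib.sha256(blob).digest()
        # Base64 with the trailing '=' padding stripped.
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    if alg == "md5":
        digest = hashlib.md5(blob).digest()
        return "MD5:" + ":".join(f"{b:02x}" for b in digest)
    raise ValueError("alg must be 'sha256' or 'md5'")


def fingerprint_line(line, alg="sha256"):
    """Fingerprint a '<type> <base64> [comment]' public key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    inner_type, _ = read_string(blob, 0)
    # The blob repeats the key type; a mismatch means the line was altered.
    if inner_type.decode("ascii", "replace") != fields[0]:
        raise ValueError("key type does not match blob")
    return fingerprint(blob, alg)


# Constructed sample: an ssh-ed25519 blob whose 32 key bytes are all zero.
# It is not a usable key; it only has the right shape.
_t = b"ssh-ed25519"
SAMPLE_BLOB = struct.pack(">I", len(_t)) + _t + struct.pack(">I", 32) + bytes(32)
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " user@hostname"

if __name__ == "__main__":
    for alg in ("sha256", "md5"):
        print(fingerprint_line(SAMPLE_LINE, alg))
```
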