@mttjohnson
Last active February 1, 2023 05:49
Validating ssh keys
# When you SSH into a server for the first time it prompts you to confirm that you trust the remote server's host key.
# To validate that the key you received is the one belonging to the server you just logged into, check
# the fingerprint of the host key on the remote server itself and compare it with the one shown in the prompt.
# Output fingerprint of system's host key
ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub
# You can fingerprint both the private and public key from a file
# They should both produce the same fingerprint value.
ssh-keygen -l -f ~/.ssh/id_ed25519.pub
ssh-keygen -l -f ~/.ssh/id_ed25519
# DigitalOcean lists ssh key fingerprints in MD5 format
ssh-keygen -l -f ~/.ssh/id_ed25519.pub -E md5
# You can specify the fingerprint format type to be explicitly SHA256 if needed
# The SHA256 output from ssh-keygen is Base64 encoded.
ssh-keygen -l -f ~/.ssh/id_ed25519.pub -E sha256
# You can also do this from a piped string if you don't have the contents in a file:
echo "XXXXXXXXXXX_PUBLIC_KEY_CONTENTS_HERE_XXXXXXXXXXX" | ssh-keygen -l -f /dev/stdin
# To check whether a private key is encrypted, derive the public key from the private key:
# if it prompts for a passphrase the private key is encrypted, otherwise it is not.
ssh-keygen -y -f ~/.ssh/id_ed25519
# You can also do this from a variable if you don't have the contents in a file:
PRIVATE_KEY="XXXXXXXXXXX_PRIVATE_KEY_CONTENTS_HERE_XXXXXXXXXXX"
ssh-keygen -y -f /dev/stdin <<< "${PRIVATE_KEY}"
# During ssh login you can use the -v option to display additional debug
# information and see the fingerprint of keys being used to authenticate
ssh user@host -v
# On CentOS/RedHat servers there is an audit log that lists the keys used in authentication of SSH connections.
# The key fingerprint format in this log file tends to be in hex octets rather than Base64 encoded, so some conversion
# is required to match a key fingerprint from ssh-keygen with the ones listed in the log file.
cat /var/log/audit/audit.log
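The conversion mentioned above, as an added example that is not part of the original gist: a small shell helper that turns the unpadded Base64 SHA256 fingerprint printed by ssh-keygen into the colon-separated hex-octet form and compares it against the fp= field of an audit record. The function names, the audit record line and the fingerprint value are constructed for this example (the digest bytes are simply 0x00 through 0x1f; the record's field layout is simplified, not copied from a real system).

```shell
#!/usr/bin/env bash
# Added example, not part of the original gist.
# ssh-keygen prints SHA256 fingerprints as unpadded Base64; the RHEL/CentOS
# audit log prints the same digest as colon-separated hex octets. Converting
# one form to the other lets you match a key against audit.log entries.

# Base64 (ssh-keygen style, no '=' padding) -> "aa:bb:cc:..." hex octets.
# Accepts the value with or without its "SHA256:" prefix.
sshfp_b64_to_hex() {
  b64="${1#SHA256:}"
  # ssh-keygen drops the '=' padding; base64 -d wants it back.
  while [ $(( ${#b64} % 4 )) -ne 0 ]; do b64="${b64}="; done
  printf '%s' "$b64" | base64 -d | od -An -v -tx1 | tr -d ' \n' \
    | sed 's/../&:/g; s/:$//'
}

# Pull the fp=SHA256:... value out of one audit record and compare it with
# an ssh-keygen fingerprint. Returns 0 on match, 1 otherwise (including when
# the record carries no fingerprint at all).
audit_line_matches_fp() {
  line="$1"; keygen_fp="$2"
  audit_fp=$(printf '%s\n' "$line" | sed -n 's/.*fp=SHA256:\([0-9a-f:]*\).*/\1/p')
  [ -n "$audit_fp" ] && [ "$audit_fp" = "$(sshfp_b64_to_hex "$keygen_fp")" ]
}

# Constructed sample values (not from a real system): the digest bytes are
# 0x00..0x1f, so the two forms below are the same fingerprint.
SAMPLE_KEYGEN_FP='SHA256:AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8'
SAMPLE_AUDIT_LINE="type=CRYPTO_KEY_USER msg=audit(1675230000.000:42): pid=1234 uid=0 auid=1000 ses=3 msg='op=negotiate kind=auth-key fp=SHA256:00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f direction=? spid=1235 suid=1000 exe=\"/usr/sbin/sshd\" hostname=? addr=192.0.2.10 terminal=? res=success'"

# Typical use against a real log: take the fingerprint from ssh-keygen and
# compare it with every audit record that carries an fp= field.
#   FP=$(ssh-keygen -l -f ~/.ssh/id_ed25519.pub | awk '{print $2}')
#   grep 'fp=SHA256:' /var/log/audit/audit.log | while IFS= read -r l; do
#     audit_line_matches_fp "$l" "$FP" && printf 'MATCH: %s\n' "$l"
#   done
if audit_line_matches_fp "$SAMPLE_AUDIT_LINE" "$SAMPLE_KEYGEN_FP"; then
  echo "sample audit record matches $SAMPLE_KEYGEN_FP"
fi
```

Only the Base64-to-hex direction is implemented because that is the direction you need here: ssh-keygen gives you Base64, the log gives you hex, and string comparison of the hex forms avoids any dependence on a hex decoder being installed.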