Search code examples
rubybashsshmd5ssh-keygen

How can I get an MD5 fingerprint (signature) of an SSH public key from a string


Is there a way to get an MD5 fingerprint (signature) of a public key if I have a string of that key rather than a file?

ssh-keygen -l -E md5 -f "path/to/file"

This command will give me (among other things) the MD5 fingerprint (signature) of the key. I have read the man page for the ssh-keygen command and experimented in my shell, but I have not been able to get it to work on a string rather than a file. I can found no argument that takes a string, and I have tried piping in the string and also using STDIN to supply the string to ssh-keygen - all without success.

I have tried using Ruby and Digest::MD5.hexdigest on the string, but either I am not supplying the correct string or I need to be using some other hash mechanism because I've had no luck with that either. (I've tried various substrings of the key)

I could, of course, write the string to a temp file and then use ssh-keygen on that file, but it just seems like I shouldn't have to.

I would ultimately like to solve this problem in Ruby, but I can start with a unix utility or bash solution. If need be I can always execute the shell command from Ruby.

If it matters, I am running a bash (GNU bash, version 3.2.57(1)) shell on macOS Mojave (10.14.6) and Ruby 2.6.4

Edit: I changed the term from signature to fingerprint but left signature in parentheses. I have seen both terms used, but I believe fingerprint is the more common.


Solution

  • I decided to search for a Ruby Gem that solves the problem. I found this one: https://github.com/bensie/sshkey. Digging around the source code, I discovered that I need to Base64 decode the key part of the string, and then do a Digest::MD5.hexdigest on that to get the fingerprint of the key.

    string = "ssh-rsa aabbccddqq== comment goes here" # not a real key
    key = string.split(" ")[1]
    fingerprint = Digest::MD5.hexdigest(Base64.decode64(key))
    

    I used the term "signature" in the original question, I have edited that question to add "fingerprint" as an alternate term