Quicky - SSH key fingerprint

Found some SSH private and public key files, but don't remember if they go together? Well, that's today's problem. A client asked for my public key for their lab, but I wasn't 100% confident that the public key I have on my local lab server matches the private key in my vault.

Let's say you generated a key pair using a modern encryption algorithm of ed25519, but you aren't sure if they are related.

ls /home/scottw/key_study

# id_ed25519
# id_ed25519.pub

Directory listing containing the public and private keys

There's two solutions. One, fingerprint both the public and private keys, their hashes should match. Two, generate a new public key file from the private key, and then do a diff of the original public key file and the new one. They should be identical.

Hash Comparison

ssh-keygen -l -f ./id_ed25519

# 256 SHA256:hzO8AQ55vQl0EfW43fdvBY4IakGX1G1jzL7PLI2zRxo redacted@gmail.com (ED25519)

ssh-keygen -l -f ./id_ed25519.pub
# (ED25519):hzO8AQ55vQl0EfW43fdvBY4IakGX1G1jzL7PLI2zRxo redacted@gmail.com

Compute the SHA256 hash of both keys

A visual comparison of both hashes is adequate to confirm these keys are related.

Public key regeneration

ssh-keygen -y -f ./id_ed25519 > /tmp/generated.pub
# Enter passphrase:

diff -Z /tmp/generated.pub ./id_ed25519.pub

Generate a temporary public key, diff the original and temporary

This tactic is arguably better, because, while you are doing this, you are also required to supply the private key's passphrase if you set one. If I had forgotten the passphrase, I would have caused chaos by uploading a public key that I couldn't actually use for authentication. The -Z parameter was necessary here (ignore-trailing-space), as either WSL or Windows ssh-keygen produced slightly different output, probably due to newline behavior.