SSH

Fingerprints

The administrator can notify the users, via some unalterable method, of the expected fingerprint of the new host key and of when the new key will be taken into use.

The fingerprint type displayed on the client side depends on the client implementation and version. For example, recent Tectia Clients show both the Babble format and the SHA256 base64 format fingerprints by default, recent OpenSSH clients show the SHA256 base64 format fingerprint, and PuTTY shows the RFC 4716 format fingerprint.

To obtain the fingerprints, open Tectia Server Configuration GUI → Identity > Edit, which shows all three fingerprints of the current host key and of any other host keys that are explicitly configured. Alternatively, on the Tectia Server command line:

ssh-keygen-g3 --hash sha256 --fingerprint-type base64 -F hostkey_new.pub
ssh-keygen-g3 -F hostkey_new.pub
ssh-keygen-g3 --rfc4716 -F hostkey_new.pub
ssh-keygen-g3 --hash sha1 --fingerprint-type hex -F hostkey_new.pub      

or

ssh-server-ctl status 

The output shows the SHA256 fingerprints of the configured host keys and, if automated rotation is enabled, of any .next host keys used in the rotation.
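For users who want to check an announced fingerprint against the new public key file independently of their client, the sketch below is an added example, not Tectia code. It computes the SHA256 base64 and RFC 4716 (MD5, colon-separated hex) fingerprints from either an OpenSSH one-line key or an RFC 4716 key file. The function names and the sample key are constructed for illustration, and the Babble format is not covered.

```python
import base64, hashlib, hmac

def key_blob(text):
    """Return the RFC 4253 key blob from an OpenSSH one-line key or an RFC 4716 file."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines and lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY"):
        body, in_header = [], False
        for line in lines[1:]:
            if line.startswith("---- END SSH2 PUBLIC KEY"):
                break
            if in_header or ":" in line:   # header, or continuation after "\"
                in_header = line.endswith("\\")
                continue
            body.append(line)
        b64 = "".join(body)
    else:
        fields = text.split()
        if len(fields) < 2:
            raise ValueError("not a public key")
        b64 = fields[1]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4 or int.from_bytes(blob[:4], "big") > len(blob) - 4:
        raise ValueError("malformed key blob")  # no length-prefixed algorithm name
    return blob

def fingerprints(text):
    blob = key_blob(text)
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return {"sha256": sha256,   # SHA256 base64, padding stripped
            "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2))}  # RFC 4716

def matches_announced(text, announced):
    """Compare the key against a fingerprint received out of band."""
    want = announced.strip()
    for prefix in ("SHA256:", "MD5:"):
        if want.startswith(prefix):
            want = want[len(prefix):]
    fp = fingerprints(text)
    return (hmac.compare_digest(fp["sha256"].encode(), want.rstrip("=").encode())
            or hmac.compare_digest(fp["md5"].encode(), want.lower().encode()))

# Constructed sample, not a real host key: ssh-ed25519 blob with key bytes 0..31.
SAMPLE_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_OPENSSH = "ssh-ed25519 " + SAMPLE_B64 + " constructed@example"
SAMPLE_RFC4716 = ("---- BEGIN SSH2 PUBLIC KEY ----\n"
                  'Comment: "constructed sample, \\\nnot a real key"\n'
                  + SAMPLE_B64 + "\n---- END SSH2 PUBLIC KEY ----\n")
```

Both file formats wrap the same key blob, so they yield identical fingerprints; a mismatch against the announced value means the key file is not the one the administrator described.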