What is the SHA256 that comes on the sshd entry in auth.log?
When logging in via ssh, the following can be seen in auth.log:
Dec 14 16:29:30 app sshd[22781]: Accepted publickey for dev from XXX.XXX.XX.XXX port XXXXX ssh2: RSA SHA256:pO8i...
I've been trying to figure out what this SHA256 information is, but I couldn't find anything that seems to match. First I thought it could be some information from the client I'm connecting from (public key, fingerprint, hashed hostname etc.), but I didn't find anything to confirm that, nor on the server side.
The closest information I've found is here, but I didn't understand when it says "And here is an example using a key for authentication. It shows the kewy (a misspelling, probably) fingerprint as a SHA256 hash in base64.", since I haven't found a corresponding key fingerprint of any kind.
Thank you.
Solution 1:
This is the SHA256 hash for the RSA public key which was used to authenticate the SSH session.
This is how to verify it:
ssh-keygen -lf .ssh/id_rsa.pub
Or, to verify without ssh-keygen:
- Remove the ssh-rsa prefix
- Decode the key to bytes using base64
- Get the SHA256 hash for the key (as bytes, not hex)
- Encode the bytes using base64
For example:
cat .ssh/id_rsa.pub |
awk '{ print $2 }' | # Only the actual key data without prefix or comments
base64 -d | # decode as base64
sha256sum | # SHA256 hash (returns hex)
awk '{ print $1 }' | # only the hex data
xxd -r -p | # hex to bytes
base64 # encode as base64
Solution 2:
Had the same question on macOS 10.13.6, where your answer just needed a couple of tweaks:
cat .ssh/id_rsa.pub |
awk '{ print $2 }' | # Only the actual key data without prefix or comments
base64 -D | # decode as base64
shasum -a 256 | # SHA256 hash (returns hex)
awk '{ print $1 }' | # only the hex data
xxd -r -p | # hex to bytes
base64 # encode as base64
Thanks v. much.
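The same steps applied in the other direction, as an added example that is not part of either answer: compute the fingerprint of every key in an authorized_keys file and use it to tell which key each "Accepted publickey" line in auth.log refers to. sshd prints the base64 value without trailing "=" padding, so the padding is stripped here; the function names, sample key blob, comment, IP address and port are constructed for illustration.

```python
import base64
import hashlib
import re
import struct

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as sshd logs it: base64 of the raw digest, '=' stripped."""
    return base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_key_line(line: str):
    """Return (blob, comment) from an authorized_keys or .pub line, else None."""
    tokens = line.split()
    for i in range(len(tokens) - 1):
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True)
        except ValueError:
            continue
        # The decoded blob starts with the key type as a length-prefixed string,
        # which identifies the right field even after a leading options field.
        ktype = tokens[i].encode()
        if blob.startswith(struct.pack(">I", len(ktype)) + ktype):
            return blob, " ".join(tokens[i + 2:])
    return None

ACCEPTED = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2: "
    r"\S+ SHA256:(?P<fp>\S+)")

def resolve_logins(log_lines, key_lines):
    """Return (user, ip, key comment) for each accepted-publickey log line."""
    known = {}
    for line in key_lines:
        parsed = parse_key_line(line)
        if parsed:
            known[fingerprint(parsed[0])] = parsed[1]
    results = []
    for line in log_lines:
        m = ACCEPTED.search(line)
        if m:
            results.append((m["user"], m["ip"], known.get(m["fp"], "UNKNOWN KEY")))
    return results

# Constructed sample data: not a real key, only a blob in the SSH wire layout.
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

SAMPLE_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
               + _ssh_string(b"\x00" + b"\xc3" * 256))
SAMPLE_KEYS = ["ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " dev@laptop"]
SAMPLE_LOG = ["Dec 14 16:29:30 app sshd[22781]: Accepted publickey for dev from "
              "192.0.2.10 port 50022 ssh2: RSA SHA256:" + fingerprint(SAMPLE_BLOB)]
```

A login whose fingerprint matches no entry in the key list is reported as UNKNOWN KEY, which is the case worth investigating when reviewing auth.log.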