How to use ssh hostkey from a Linux server with plink.exe on a Windows host?

Solution 1:

You can use plink itself to get the host key:

c:\> plink -v -batch host
Connecting to 1.2.3.4 port 22
We claim version: SSH-2.0-PuTTY_Release_0.68
Server version: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.1
Using SSH protocol version 2
Doing ECDH key exchange with curve Curve25519 and hash SHA-256
Server also has ssh-ed25519/ecdsa-sha2-nistp256 host keys, but we don't know any of them
Host key fingerprint is:
ssh-rsa 2048 c6:e7:49:ec:07:5b:30:02:d9:57:dd:7f:39:e3:f3:35
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA-256 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA-256 server->client MAC algorithm
Disconnected: Unable to authenticate

The parameter -v (verbose) is needed for the additional information, -batch makes sure plink exits directly without a login (as long as username and password are not provided as well).

In the output you find Host key fingerprint is:, followed by the fingerprint in a hexadecimal format, in this case:

c6:e7:49:ec:07:5b:30:02:d9:57:dd:7f:39:e3:f3:35

This is the string you have to provide to plink -hostkey to confirm that the target host is actually the host it claims to be.

Solution 2:

You can get the fingerprint of the key from the target host itself by running:

$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
2048 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff /etc/ssh/ssh_host_rsa_key.pub (RSA)

Later versions of ssh-keygen default to SHA-256 so you can get the original MD5 behaviour with:

$ ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_rsa_key.pub
2048 MD5:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff /etc/ssh/ssh_host_rsa_key.pub (RSA)

Just strip off the MD5: prefix. Adjust the path to the key based on the value of your HostKey directives in /etc/ssh/sshd_config.