When Automation Workshop is connecting to a server with SFTP and SCP protocols, cryptographic RSA keys (or similar keys) are used. User can choose to accept either any public key or only the keys that match particular fingerprint (cryptographic checksum). Accepting only the keys with known checksums prevents the possibility of man-in-the-middle attack.
If user sets validate server option to accept any fingerprint, Automation Workshop accepts any key that a server returns.
If user chooses to accept only keys with particular fingerprints, these fingerprints have to be provided. User can specify multiple comma, semicolon or pipe-separated fingerprints. To seamlessly transition from an old server to a new server user can specify fingerprints of both old and new servers · Get FTPS or WebDAV fingerprints securely
MD5 fingerprint?
How to get public key fingerprint? It is possible to find out the public key fingerprint by performing a few commands on the server. Many servers use 4 keys simultaneously, each made with different digital signature algorithm such as RSA, DSA, ECDSA or ED25519.
Depending on preferred algorithm, user can choose which key file to take. In many cases RSA keys are used. To get a key in a format that can be used with Automation Workshop, user has to retrieve the SSH public key fingerprint and convert it.
RSA key
For RSA key run the following command and edit result:
sudo ssh-keygen -l -E MD5 -f /etc/ssh/ssh_host_rsa_key
2048 MD5:cc:68:2d:7c:95:a6:ea:14:5c:a0:14:fa:9a:5b:6e:26 root@ip-172-31-82-18 (RSA)In the returned string remove MD5: from the beginning of the key and everything after the key. Add ssh-rsa in the beginning, so the final string looks like this:
ssh-rsa 2048 cc:68:2d:7c:95:a6:ea:14:5c:a0:14:fa:9a:5b:6e:26DSA key
For DSA key run the following command and edit result:
sudo ssh-keygen -l -E MD5 -f /etc/ssh/ssh_host_dsa_key
1024 MD5:0e:a7:1d:88:36:7f:be:97:16:7a:7c:52:76:c5:ca:99 root@ip-172-31-82-18 (DSA)In the returned string remove MD5: from the beginning of the key and everything after the key. Add ssh-dss in the beginning, so the final string looks like this:
ssh-dss 1024 0e:a7:1d:88:36:7f:be:97:16:7a:7c:52:76:c5:ca:99ECDSA key
For ECDSA key run the following command and edit result:
sudo ssh-keygen -l -E MD5 -f /etc/ssh/ssh_host_ecdsa_key
256 MD5:84:49:6b:af:8a:cd:84:ea:ea:27:67:f3:67:52:fb:ae root@ip-172-31-82-18 (ECDSA)In the returned string remove MD5: from the beginning of the key and everything after the key. Add ecdsa-sha2-nistp256 in the beginning, so the final string looks like this:
ecdsa-sha2-nistp256 256 84:49:6b:af:8a:cd:84:ea:ea:27:67:f3:67:52:fb:aeED25519 key
For ED25519 key run the following command and edit result:
sudo ssh-keygen -l -E MD5 -f /etc/ssh/ssh_host_ed25519_key
256 MD5:43:4f:48:e8:7d:3b:a8:15:0a:c8:8d:0a:56:32:27:64 root@ip-172-31-82-18 (ED25519)In the returned string remove MD5: from the beginning of the key and everything after the key. Add ssh-ed25519 in the beginning, so the final string looks like this:
ssh-ed25519 256 43:4f:48:e8:7d:3b:a8:15:0a:c8:8d:0a:56:32:27:64SHA256 fingerprint?
Alternatively, user can choose a different hash algorithm by omitting the -E argument.
RSA key
For RSA key run the following command and edit result:
sudo ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
2048 SHA256:6c3k0RwFLVhK7rYa8yDGayedWafip37WOeTXGqP6cRA root@ip-172-31-82-18 (RSA)In the returned string remove SHA256: from the beginning of the key and everything after the key. Put an = character at the end of the string and add a ssh-rsa prefix, so that the final string looks like this:
ssh-rsa 2048 6c3k0RwFLVhK7rYa8yDGayedWafip37WOeTXGqP6cRA=DSA key
For DSA key run the following command and edit result:
sudo ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key
1024 SHA256:ATx6RcbwUwyE9Lrm4yAPX0G2sUo+CKsmA4pdyEhCt5A root@ip-172-31-82-18 (DSA)In the returned string remove SHA256: from the beginning of the key and everything after the key. Put an = character at the end of the string and add a ssh-dss prefix, so that the final string looks like this:
ssh-dss 1024 ATx6RcbwUwyE9Lrm4yAPX0G2sUo+CKsmA4pdyEhCt5A=ECDSA key
For ECDSA key run the following command and edit result:
sudo ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key
256 SHA256:yP/wF6NAzTSu69QvJkX/A2pGvzT4Vtc9gvj/iW9YjEU root@ip-172-31-82-18 (ECDSA)In the returned string remove SHA256: from the beginning of the key and everything after the key. Put an equal = character at the end of the string and add a ecdsa-sha2 prefix, so that the final string looks like this:
ecdsa-sha2-nistp256 256 yP/wF6NAzTSu69QvJkX/A2pGvzT4Vtc9gvj/iW9YjEU=ED25519 key
For ED25519 key run the following command and edit result:
sudo ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key
256 SHA256:Xpuc85iZRODggOCuoZJo/A2OSIJ2P59W81AlwARBR1k root@ip-172-31-82-18 (ED25519)In the returned string remove SHA256: from the beginning of the key and everything after the key. Put an = character at the end of the string and add a ssh-ed25519 prefix, so that the final string looks like this:
ssh-ed25519 256 Xpuc85iZRODggOCuoZJo/A2OSIJ2P59W81AlwARBR1k=Which fingerprint to choose?
A fingerprint can be displayed in various ways, such as SHA-256 letter sequence or as MD5 hexadecimal colon-separated bytes. For example:
# SHA-256 letter sequence…
ssh-rsa 2048 6c3k0RwFLVhK7rYa8yDGayedWafip37WOeTXGqP6cRA=
# MD5 hexadecimal colon-separated sequence…
ssh-rsa 2048 cc:68:2d:7c:95:a6:ea:14:5c:a0:14:fa:9a:5b:6e:26Server can use different cryptographic algorithms. For each encryption standard, the server can have a separate private key with its own fingerprint.
Actions & fingerprints
Actions & CA certificates
Automate Tasks now!
Assistance is here…
If you have any questions, please do not hesitate to contact our support team.