🧡 Skip to main content🔎 Skip to search
Connect to SFTP · Fingerprints

When Automation Workshop is connecting to a server with SFTP and SCP protocols, cryptographic RSA keys (or similar keys) are used. User can choose to accept either any public key or only the keys that match particular fingerprint (cryptographic checksum). Accepting only the keys with known checksums prevents the possibility of man-in-the-middle attack.

If user sets validate server option to accept any fingerprint, Automation Workshop accepts any key that a server returns.

If user chooses to accept only keys with particular fingerprints, these fingerprints have to be provided. User can specify multiple comma, semicolon or pipe-separated fingerprints. To seamlessly transition from an old server to a new server user can specify fingerprints of both old and new servers · Get FTPS or WebDAV fingerprints securely

MD5 fingerprint?

How to get public key fingerprint? It is possible to find out the public key fingerprint by performing a few commands on the server. Many servers use 4 keys simultaneously, each made with different digital signature algorithm such as RSA, DSA, ECDSA or ED25519.

Depending on preferred algorithm, user can choose which key file to take. In many cases RSA keys are used. To get a key in a format that can be used with Automation Workshop, user has to retrieve the SSH public key fingerprint and convert it.

RSA key

For RSA key run the following command and edit result:

sudo ssh-keygen -l -E MD5 -f /etc/ssh/ssh_host_rsa_key

2048 MD5:cc:68:2d:7c:95:a6:ea:14:5c:a0:14:fa:9a:5b:6e:26 root@ip-172-31-82-18 (RSA)

In the returned string remove MD5: from the beginning of the key and everything after the key. Add ssh-rsa in the beginning, so the final string looks like this:

ssh-rsa 2048 cc:68:2d:7c:95:a6:ea:14:5c:a0:14:fa:9a:5b:6e:26

DSA key

For DSA key run the following command and edit result:

sudo ssh-keygen -l -E MD5 -f /etc/ssh/ssh_host_dsa_key

1024 MD5:0e:a7:1d:88:36:7f:be:97:16:7a:7c:52:76:c5:ca:99 root@ip-172-31-82-18 (DSA)

In the returned string remove MD5: from the beginning of the key and everything after the key. Add ssh-dss in the beginning, so the final string looks like this:

ssh-dss 1024 0e:a7:1d:88:36:7f:be:97:16:7a:7c:52:76:c5:ca:99

ECDSA key

For ECDSA key run the following command and edit result:

sudo ssh-keygen -l -E MD5 -f /etc/ssh/ssh_host_ecdsa_key

256 MD5:84:49:6b:af:8a:cd:84:ea:ea:27:67:f3:67:52:fb:ae root@ip-172-31-82-18 (ECDSA)

In the returned string remove MD5: from the beginning of the key and everything after the key. Add ecdsa-sha2-nistp256 in the beginning, so the final string looks like this:

ecdsa-sha2-nistp256 256 84:49:6b:af:8a:cd:84:ea:ea:27:67:f3:67:52:fb:ae

ED25519 key

For ED25519 key run the following command and edit result:

sudo ssh-keygen -l -E MD5 -f /etc/ssh/ssh_host_ed25519_key

256 MD5:43:4f:48:e8:7d:3b:a8:15:0a:c8:8d:0a:56:32:27:64 root@ip-172-31-82-18 (ED25519)

In the returned string remove MD5: from the beginning of the key and everything after the key. Add ssh-ed25519 in the beginning, so the final string looks like this:

ssh-ed25519 256 43:4f:48:e8:7d:3b:a8:15:0a:c8:8d:0a:56:32:27:64

SHA256 fingerprint?

Alternatively, user can choose a different hash algorithm by omitting the -E argument.

RSA key

For RSA key run the following command and edit result:

sudo ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key

2048 SHA256:6c3k0RwFLVhK7rYa8yDGayedWafip37WOeTXGqP6cRA root@ip-172-31-82-18 (RSA)

In the returned string remove SHA256: from the beginning of the key and everything after the key. Put an = character at the end of the string and add a ssh-rsa prefix, so that the final string looks like this:

ssh-rsa 2048 6c3k0RwFLVhK7rYa8yDGayedWafip37WOeTXGqP6cRA=

DSA key

For DSA key run the following command and edit result:

sudo ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key

1024 SHA256:ATx6RcbwUwyE9Lrm4yAPX0G2sUo+CKsmA4pdyEhCt5A root@ip-172-31-82-18 (DSA)

In the returned string remove SHA256: from the beginning of the key and everything after the key. Put an = character at the end of the string and add a ssh-dss prefix, so that the final string looks like this:

ssh-dss 1024 ATx6RcbwUwyE9Lrm4yAPX0G2sUo+CKsmA4pdyEhCt5A=

ECDSA key

For ECDSA key run the following command and edit result:

sudo ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key

256 SHA256:yP/wF6NAzTSu69QvJkX/A2pGvzT4Vtc9gvj/iW9YjEU root@ip-172-31-82-18 (ECDSA)

In the returned string remove SHA256: from the beginning of the key and everything after the key. Put an equal = character at the end of the string and add a ecdsa-sha2 prefix, so that the final string looks like this:

ecdsa-sha2-nistp256 256 yP/wF6NAzTSu69QvJkX/A2pGvzT4Vtc9gvj/iW9YjEU=

ED25519 key

For ED25519 key run the following command and edit result:

sudo ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key

256 SHA256:Xpuc85iZRODggOCuoZJo/A2OSIJ2P59W81AlwARBR1k root@ip-172-31-82-18 (ED25519)

In the returned string remove SHA256: from the beginning of the key and everything after the key. Put an = character at the end of the string and add a ssh-ed25519 prefix, so that the final string looks like this:

ssh-ed25519 256 Xpuc85iZRODggOCuoZJo/A2OSIJ2P59W81AlwARBR1k=

Which fingerprint to choose?

A fingerprint can be displayed in various ways, such as SHA-256 letter sequence or as MD5 hexadecimal colon-separated bytes. For example:

# SHA-256 letter sequence…
ssh-rsa 2048 6c3k0RwFLVhK7rYa8yDGayedWafip37WOeTXGqP6cRA=

# MD5 hexadecimal colon-separated sequence…
ssh-rsa 2048 cc:68:2d:7c:95:a6:ea:14:5c:a0:14:fa:9a:5b:6e:26

Server can use different cryptographic algorithms. For each encryption standard, the server can have a separate private key with its own fingerprint.

Actions & fingerprints

Actions & CA certificates

Automate Tasks now!

YouTube video · Monitor an FTP server & send file via email

Assistance is here…

If you have any questions, please do not hesitate to contact our support team.