How to verify SSH host key fingerprints before connecting

Verifying SSH host key fingerprints prevents impersonation of remote systems and reduces the risk of man-in-the-middle attacks on untrusted networks. Confirming that a host key belongs to the intended server before trusting it keeps administrative access, automation jobs, and file transfers bound to the correct endpoint.

On Linux systems running OpenSSH, each server stores long-term host keys in /etc/ssh and presents one of these keys during the SSH handshake. The client derives a compact fingerprint (typically using SHA256) from the server’s public host key and displays it, or records it in /~/.ssh/known_hosts after acceptance. Comparing this fingerprint against an independent reference confirms that the key is legitimate.

Host key verification relies on a trusted out-of-band reference such as a console session, configuration management output, or documentation supplied by a server administrator. Any mismatch between the reference fingerprint and what the client sees must be treated as a potential compromise rather than a cosmetic warning, especially when host keys unexpectedly change after reinstallation or migration.

Related: How to resolve the "Remote Host Identification Has Changed" SSH warning
Related: How to connect to an SSH server from Linux
Related: How to view SSH client configuration

Steps to verify SSH host key fingerprints:

  1. Open a terminal on the SSH server with root or sudo access. 
    $ whoami
root
  2. List available SSH host public key files to identify the key types managed by sshd. 
    $ sudo ls /etc/ssh/ssh_host_*_key.pub
/etc/ssh/ssh_host_ecdsa_key.pub
/etc/ssh/ssh_host_ed25519_key.pub
/etc/ssh/ssh_host_rsa_key.pub
  3. Display the ED25519 host key fingerprint in SHA256 format. 
    $ sudo ssh-keygen -l -E sha256 -f /etc/ssh/ssh_host_ed25519_key.pub
256 SHA256:W8JdNBQbOLbfHYW4TeYr5i2x95TaTYG9MTc/q4FJZYc root@host (ED25519)

    The first field shows key size in bits, followed by the fingerprint and the key comment, which usually includes the hostname.

  4. Record the fingerprint string from the server in a trusted location such as a secure ticket, password manager note, or console log.

    The reference fingerprint must travel over a trusted channel so attackers cannot replace it with a forged value.

  5. Open a terminal on the SSH client that will initiate the connection to the server. 
    $ whoami
user
  6. Start the initial SSH connection to the server without accepting the host key yet. 
    $ ssh user@host.example.net
The authenticity of host 'host.example.net (203.0.113.50)' can't be established.
ED25519 key fingerprint is SHA256:W8JdNBQbOLbfHYW4TeYr5i2x95TaTYG9MTc/q4FJZYc.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

    The fingerprint printed here is calculated from the host key presented during the SSH handshake.

  7. Compare the fingerprint shown by ssh with the reference fingerprint obtained from the server.

    Do not continue if the fingerprints differ, the key type changes unexpectedly, or the hostname and address look unfamiliar, as this can indicate a man-in-the-middle attack.

  8. Abort the connection if the fingerprint does not match or any detail appears suspicious. 
    $ ssh user@host.example.net
The authenticity of host 'host.example.net (203.0.113.50)' can't be established.
ED25519 key fingerprint is SHA256:W8JdNBQbOLbfHYW4TeYr5i2x95TaTYG9MTc/q4FJZYc.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? no
Host key verification failed.
  9. Accept the host key only after confirming an exact match between the displayed fingerprint and the trusted reference. 
    $ ssh user@host.example.net
The authenticity of host 'host.example.net (203.0.113.50)' can't be established.
ED25519 key fingerprint is SHA256:W8JdNBQbOLbfHYW4TeYr5i2x95TaTYG9MTc/q4FJZYc.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'host.example.net' (ED25519) to the list of known hosts.
host

    The accepted host key is now stored in /home/user/.ssh/known_hosts and will be reused for future connections.

  10. Inspect the personal known hosts file to confirm that the correct host key entry has been written. 
    $ ssh-keygen -F host.example.net -f ~/.ssh/known_hosts_verify
# Host host.example.net found: line 1 
|1|SuxTynrYi412kitWWhpYBA6yAOk=|htNFfrqwLwrmDhDXeh01vd0Nl4o= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHStQ+p31F0FHXP0fsP9CSA70OMNgdge6AwlAYOoidV/
  11. Verify that subsequent SSH connections proceed without the unknown host warning while still using the same host key. 
    $ ssh -o UserKnownHostsFile=~/.ssh/known_hosts_verify user@host.example.net 'hostname'
host

    ssh-keyscan combined with ssh-keygen -lf - can pre-populate and verify host keys non-interactively in automation workflows once a trusted fingerprint is available.