Verifying SSH host key fingerprints prevents impersonation of remote systems and reduces the risk of man-in-the-middle attacks on untrusted networks. Confirming that a host key belongs to the intended server before trusting it keeps administrative access, automation jobs, and file transfers bound to the correct endpoint.
On Linux systems running OpenSSH, each server stores long-term host keys in /etc/ssh and presents one of these keys during the SSH handshake. The client derives a compact fingerprint (typically using SHA256) from the server's public host key and displays it, then records the key in ~/.ssh/known_hosts once it is accepted. Comparing this fingerprint against an independent reference confirms that the key is legitimate.
Host key verification relies on a trusted out-of-band reference such as a console session, configuration management output, or documentation supplied by a server administrator. Any mismatch between the reference fingerprint and what the client sees must be treated as a potential compromise rather than a cosmetic warning, especially when host keys unexpectedly change after reinstallation or migration.
Steps to verify SSH host key fingerprints:
- Open a terminal on the SSH server with root or sudo access.
$ whoami
root
- List available SSH host public key files to identify the key types managed by sshd.
$ sudo ls /etc/ssh/ssh_host_*_key.pub
/etc/ssh/ssh_host_ed25519_key.pub
/etc/ssh/ssh_host_rsa_key.pub
- Display the ED25519 host key fingerprint in SHA256 format.
$ sudo ssh-keygen -l -E sha256 -f /etc/ssh/ssh_host_ed25519_key.pub
256 SHA256:YZdUkfj2vw5fZQb7f8x1rSUxgC8hWrV7q+5qX+vW5zE root@server.example.com (ED25519)
The first field shows key size in bits, followed by the fingerprint and the key comment, which usually includes the hostname.
- Record the fingerprint string from the server in a trusted location such as a secure ticket, password manager note, or console log.
The reference fingerprint must travel over a trusted channel so attackers cannot replace it with a forged value.
- Open a terminal on the SSH client that will initiate the connection to the server.
$ whoami
alice
- Start the initial SSH connection to the server without accepting the host key yet.
$ ssh alice@server.example.com
The authenticity of host 'server.example.com (203.0.113.10)' can't be established.
ED25519 key fingerprint is SHA256:YZdUkfj2vw5fZQb7f8x1rSUxgC8hWrV7q+5qX+vW5zE.
Are you sure you want to continue connecting (yes/no)?
The fingerprint printed here is calculated from the host key presented during the SSH handshake.
- Compare the fingerprint shown by ssh with the reference fingerprint obtained from the server.
Do not continue if the fingerprints differ, the key type changes unexpectedly, or the hostname and address look unfamiliar, as this can indicate a man-in-the-middle attack.
- Abort the connection if the fingerprint does not match or any detail appears suspicious.
$ ssh alice@server.example.com
The authenticity of host 'server.example.com (203.0.113.10)' can't be established.
ED25519 key fingerprint is SHA256:ABCD...mismatched...1234.
Are you sure you want to continue connecting (yes/no)? no
- Accept the host key only after confirming an exact match between the displayed fingerprint and the trusted reference.
$ ssh alice@server.example.com
The authenticity of host 'server.example.com (203.0.113.10)' can't be established.
ED25519 key fingerprint is SHA256:YZdUkfj2vw5fZQb7f8x1rSUxgC8hWrV7q+5qX+vW5zE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server.example.com,203.0.113.10' (ED25519) to the list of known hosts.
Welcome to Ubuntu 22.04 LTS
The accepted host key is now stored in /home/alice/.ssh/known_hosts and will be reused for future connections.
- Inspect the personal known hosts file to confirm that the correct host key entry has been written.
$ grep server.example.com ~/.ssh/known_hosts
server.example.com,203.0.113.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ7cG0cd1q9I6+1Kc1sE1o1C0Qh9qC+0TqZ4F1bM3z8n
- Verify that subsequent SSH connections proceed without the unknown host warning while still using the same host key.
$ ssh alice@server.example.com
Welcome to Ubuntu 22.04 LTS
alice@server:~$
ssh-keyscan combined with ssh-keygen -lf - can pre-populate and verify host keys non-interactively in automation workflows once a trusted fingerprint is available.
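The following script is an added example, not part of the original article, showing how the SHA256 fingerprint the client prints is derived from the public key blob and how a line captured from ssh-keyscan (or from known_hosts, which uses the same format) can be checked against a trusted reference without any interactive prompt. It uses only the Python standard library. The sample line is the known_hosts entry from the walkthrough above; the reference fingerprint passed to the check is whatever value was recorded from the server console, so a real run would substitute that value.

```python
import base64
import hashlib
import hmac
import struct

# Sample input, taken from the walkthrough's known_hosts entry above.
# ssh-keyscan emits the same "<host> <keytype> <base64 blob>" layout.
SAMPLE_KNOWN_HOSTS_LINE = (
    "server.example.com,203.0.113.10 ssh-ed25519 "
    "AAAAC3NzaC1lZDI1NTE5AAAAIJ7cG0cd1q9I6+1Kc1sE1o1C0Qh9qC+0TqZ4F1bM3z8n"
)


def parse_host_key_line(line):
    """Split a known_hosts / ssh-keyscan line into (hostnames, key_type, blob).

    Comment lines and marker lines (@cert-authority, @revoked) are rejected
    because they do not carry a plain host key to verify.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or stripped.startswith("@"):
        raise ValueError("not a plain host key line")
    fields = stripped.split()
    if len(fields) < 3:
        raise ValueError("expected '<hosts> <keytype> <base64 blob>'")
    hosts, key_type, b64 = fields[0], fields[1], fields[2]
    blob = base64.b64decode(b64, validate=True)
    return hosts.split(","), key_type, blob


def read_ssh_string(buf, offset):
    """Read one RFC 4251 'string' (uint32 big-endian length + bytes)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[start:end], end


def embedded_key_type(blob):
    """The algorithm name stored inside the blob itself (first string)."""
    name, _ = read_ssh_string(blob, 0)
    return name.decode("ascii")


def ed25519_public_key(blob):
    """Return the raw 32-byte Ed25519 public key, checking the blob layout."""
    name, offset = read_ssh_string(blob, 0)
    if name != b"ssh-ed25519":
        raise ValueError("not an ssh-ed25519 blob")
    key, offset = read_ssh_string(blob, offset)
    if offset != len(blob) or len(key) != 32:
        raise ValueError("malformed ssh-ed25519 blob")
    return key


def sha256_fingerprint(blob):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob).

    This is the same value ssh-keygen -l -E sha256 prints and that ssh shows
    in the "key fingerprint is" prompt.
    """
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def verify_host_key_line(line, expected_type, reference_fingerprint):
    """True only if the key type is the one expected (declared and embedded)
    and the computed fingerprint exactly matches the trusted reference."""
    _hosts, key_type, blob = parse_host_key_line(line)
    if key_type != expected_type or embedded_key_type(blob) != key_type:
        return False
    computed = sha256_fingerprint(blob)
    # Constant-time comparison; a mismatch means do not add the key.
    return hmac.compare_digest(computed, reference_fingerprint)


if __name__ == "__main__":
    # Placeholder: replace with the fingerprint recorded from the server console.
    reference = sha256_fingerprint(parse_host_key_line(SAMPLE_KNOWN_HOSTS_LINE)[2])
    ok = verify_host_key_line(SAMPLE_KNOWN_HOSTS_LINE, "ssh-ed25519", reference)
    print("fingerprint:", reference)
    print("match:", ok)
```

In an automation job the line would come from `ssh-keyscan -t ed25519 server.example.com` and the reference from the secure record made in the server-side step; the job appends the line to known_hosts only when the function returns True, and treats a False result, or a key type other than the one expected, as the same stop condition the interactive prompt would.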
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
