If GitHub just sent you mail asking you to review your SSH key(s) due to their recent security breach, you will see a page that asks you to review your SSH keys by their fingerprint.

Since not everyone knows how to get the fingerprint for the key that they uploaded, I thought I’d help spread the word. (You can verify what I’m saying by reading the ssh-keygen man page.)

Run:

ssh-keygen -l -f ~/.ssh/id_dsa.pub

or

ssh-keygen -l -f ~/.ssh/id_rsa.pub

…depending, of course, on whether you use an RSA or DSA keypair.

You can then compare the output to the fingerprint that GitHub shows you in its verification screen.
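For machines without ssh-keygen, here is an added example (not part of the original post) that computes the same fingerprint directly from a .pub line: it is a hash of the base64-decoded key blob. It returns both the colon-separated MD5 form and the SHA256 form that newer ssh-keygen versions print by default (`ssh-keygen -l -E md5 -f <file>` gives the MD5 form there); the function names and the sample key are constructed for illustration.

```python
import base64
import binascii
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def fingerprints(pubkey_line: str) -> dict:
    """Fingerprint one line of an OpenSSH .pub file in both common formats."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    key_type, b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("key blob is not valid base64") from exc
    # The blob begins with the key type as an SSH string; a mismatch with the
    # first field means the line was truncated or edited.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type in blob does not match declared type")
    md5_hex = hashlib.md5(blob).hexdigest()
    sha_b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return {
        "type": key_type,
        "md5": ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha_b64.rstrip("="),
    }


def constructed_pubkey_line() -> str:
    """Constructed sample in ssh-rsa layout (type, e, n); not a real key."""
    blob = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
            + _ssh_string(b"\x00" + bytes(range(1, 256))))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    for name, value in fingerprints(constructed_pubkey_line()).items():
        print(name, value)
```

To check a real key, pass the contents of your own .pub file to `fingerprints()` and compare the result with the format the site displays.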


Brian Armstrong March 07, 2012 13:48

Thanks this is exactly what I needed this morning!

Michael K Johnson March 07, 2012 13:51

Glad to have helped!

I was a little surprised that GitHub didn’t put those instructions in either the mail or the verify landing page, and didn’t make the fingerprint be a clickable link to the entire public key, to make it easier for their users to validate, but I’m sure they were in a hurry to deal with the fallout from the security breach.

Tanner Lovelace March 07, 2012 13:52

Google personal search FTW. Your post was the 2nd entry when I searched on how to do this for the very same reason you give.

And, both keys I have check out so everything is good there too.

Thanks much!

Jeffrey C. Witt March 07, 2012 13:55

Umm – this doesn’t seem to work when I’m on my Windows machine using PowerShell. Any ideas how I can get the fingerprint from PowerShell??

Michael K Johnson March 07, 2012 13:58

+Jeffrey C. Witt http://linux.die.net/man/1/puttygen – looks like puttygen instead of ssh-keygen should work, if you are using putty. PowerShell doesn’t have its own ssh implementation that I know of, and if you don’t have ssh-keygen, I’d guess that you are using putty for ssh. If not, then google for “<name of your ssh implementation> list ssh key fingerprint” and let folks know yet another way…


Imported from Google+ — content and formatting may not be reliable