Public key for SSH over the internet differs from a key for SSH over the LAN

The weird thing is that I get a different key when accessing the Pi over the internet instead of via LAN:

Manual page for sshd describes format of your known_hosts file:

SSH_KNOWN_HOSTS FILE FORMAT

Each line in these files contains the following fields: markers (optional), hostnames, [...]. The fields are separated by spaces.

Se we got to the first answer. The first field is hostname, which is obviously different when you connect from outside or from inside, as proposed in your question.

Further we can read

Alternately, hostnames may be stored in a hashed form which hides host names and addresses should the file's contents be disclosed. Hashed hostnames start with a ‘|’ character. Only one hashed hostname may appear on a single line [...]

Yes, your hostnames/ip addresses are hashed.

But when I ssh into my Pi and execute the same command [...]

The new versions are using SHA-256 hashes instead of the obsolete MD5. You can force the new version to generate you the old fingerprint using:

ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_ecdsa_key.pub

Conversion between these two formats are possible, but not useful. Using ssh-keygen directly as I proposed above is advised solution.

You can generate fingerprint from public key stored in your known_hosts file somehow like this:

ssh-keygen -l -f <( ssh-keygen -H -F 192.168.1.92 | tail -n 1 | cut -d" " -f 2,3)

Public key for SSH over the internet differs from a key for SSH over the LAN

Tags:

Ssh

Key

Key Management

Public Key Infrastructure

Key Exchange

Related

Recent Posts