ssh-keyscan

Fetch a server's SSH version banner and host public keys (Ed25519, ECDSA, RSA) with fingerprints. No authentication.

Monitor this automatically

NetTests can run this check on a schedule, preserve historical results, compare changes over time, and alert you the moment something breaks.

Start monitoring free → See all monitoring products

Frequently Asked Questions

What does the SSH Host Key Scanner retrieve?

It connects to an SSH server (default port 22), reads the SSH version banner, and collects all offered host public keys: Ed25519, ECDSA (P-256/P-384/P-521), and RSA. For each key it shows the algorithm, key size, and SHA-256 fingerprint in the SHA256:xxxx format used by modern SSH clients. No authentication is required.

What is an SSH host key fingerprint used for?

Fingerprints let you verify you're connecting to the right server and detect man-in-the-middle attacks. When you first connect to a server, SSH shows the fingerprint and asks you to confirm it. You should verify this fingerprint matches what the server administrator published (or what this tool shows from a trusted network). Subsequent connections check the stored fingerprint against the key offered — a change triggers a 'host key changed' warning.

What is the difference between Ed25519, ECDSA, and RSA host keys?

Ed25519 is preferred — small key size, fast, based on modern elliptic curve cryptography with strong security properties. ECDSA is also elliptic curve-based but with older NIST curves. RSA is the legacy algorithm; RSA-2048 is still secure but larger and slower than Ed25519. Modern SSH servers offer all three for compatibility; clients prefer Ed25519 when available.

Why should I verify SSH host keys?

Without verification, an attacker who can intercept your connection (compromised router, DNS hijack) can present their own keys and act as a proxy — reading or modifying all traffic. This is the SSH equivalent of a TLS certificate mismatch. Always verify fingerprints out-of-band (from the server console, a trusted document, or this tool run from a trusted network) on first connection.