ssh-keygen -l: Show a Key Fingerprint
ssh-keygen -l prints the fingerprint and size of a key so you can verify which key a file holds.
When a deploy fails on the wrong key, the fingerprint tells you which key is which. It also lets you confirm a host key matches what the provider published.
What it does
ssh-keygen -l reads a key file and prints its bit length, fingerprint, comment, and type. -f names the file; -E selects the hash (sha256 by default, md5 for legacy colon-hex fingerprints). It works on private keys, public keys, and known_hosts entries.
Common usage
ssh-keygen -l -f ./deploy_key.pub
ssh-keygen -lf ./deploy_key # works on the private key too
# legacy MD5 colon-hex format
ssh-keygen -l -E md5 -f ./deploy_key.pubOptions
| Flag | What it does |
|---|---|
| -l | Show the fingerprint of the key |
| -f <file> | Key or known_hosts file to read |
| -E sha256|md5 | Fingerprint hash format |
| -v | Also print an ASCII-art randomart image |
In CI
Compare the fingerprint of the key you loaded against the one registered on the server or in GitHub to catch a wrong or corrupted secret early. To check a host's key matches the provider's published value, run ssh-keygen -lf on the known_hosts entry you scanned.
Common errors in CI
"is not a public key file" means you pointed -f at the wrong file or a corrupted key. A fingerprint that differs from the expected one means the CI secret holds a different or truncated key. SHA256 and MD5 fingerprints look completely different; compare the same -E format on both sides.