Calculate ssh public key fingerprint into base64, why do I have an extra '='?

Question

ssh-keygen -lf ssh_host_rsa_key.pub gives:

2048 SHA256:nVDFXqK06A4dwQYjBR3MHglFllTCjSHVNgYcCeRCNaQ root@tianhe-windy (RSA)

Then I try to calculate the sha256 fingerprint on my own.

cat ssh_host_rsa_key.pub gives:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/Ukz/o8b2L4fYyACOJOnFh8KOE/DypW9Dt3s8gZqKTb3W2BPmghLZyFeMQAjpVLJ/z414ydvb67AE9nyOQq1oMRbAyjbu97ocJ4UHXM6UO0wSRUF/fwtxfPju2p2hbVN7PqCV5+3cDUEIR1mVM8j6sdT7YbMTsZJab9gDlLD76ZKLCYLR1GSHNbxDp4DpMAkJsoS8F6ee+OwV6SiDvI3N6XDwrAASLNy09s2eid3H1YUSq276J5TLsZiKMPDgs7O3Tw2uMPkdzTdWSYJ/w0hyVO5YZW44JzSxg3PubV08eHPQWi17RwT7fa+QPvRw87YnACzFusZHOxQDxzQfCohH root@tianhe-windy

I copy the base64 encoded public key, from A to H, no whitespaces.

Then I do:

import hashlib
import base64

b64pubkey = 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC/Ukz/o8b2L4fYyACOJOnFh8KOE/DypW9Dt3s8gZqKTb3W2BPmghLZyFeMQAjpVLJ/z414ydvb67AE9nyOQq1oMRbAyjbu97ocJ4UHXM6UO0wSRUF/fwtxfPju2p2hbVN7PqCV5+3cDUEIR1mVM8j6sdT7YbMTsZJab9gDlLD76ZKLCYLR1GSHNbxDp4DpMAkJsoS8F6ee+OwV6SiDvI3N6XDwrAASLNy09s2eid3H1YUSq276J5TLsZiKMPDgs7O3Tw2uMPkdzTdWSYJ/w0hyVO5YZW44JzSxg3PubV08eHPQWi17RwT7fa+QPvRw87YnACzFusZHOxQDxzQfCohH'
sha256 = hashlib.sha256()
sha256.update(base64.b64decode(b64pubkey))
b64fingerprint = base64.b64encode(sha256.digest())
print(b64fingerprint)

and get

nVDFXqK06A4dwQYjBR3MHglFllTCjSHVNgYcCeRCNaQ=

compare to the one caculated by ssh-keygen:

nVDFXqK06A4dwQYjBR3MHglFllTCjSHVNgYcCeRCNaQ

I get an extra = too when calculating ssh_host_ecdsa_key.pub.

What did I do wrong?

Answer 1

There's nothing wrong, it's just that SSH by convention omits any trailing padding. You can remove any trailing = signs yourself as well; they do not encode any data.

The Python base64 routines implement the standard base64 algorithm which is specified to return an even multiple of four characters of encoded data. The origins are from the MIME standard for email, I believe.