
Checking the Identity of a Router with its RSA Key Fingerprint

Hello guys,

I've been struggling with this matter for a few hours and I cannot see a way out.

The idea is to check the identity of a Cisco router through its RSA fingerprint during an SSH connection:

I've done the following steps:

 

1) Configuring the keys on the Cisco router

# Erasing existing non-exportable RSA keys

crypto key zeroize rsa

 

# Generating exportable RSA keys

crypto key generate rsa exportable general-keys label <rsa-keys-label> modulus <key-length>

 

# Exporting RSA public and private keys into PEM format before fingerprinting them

crypto key export rsa <rsa-keys-label> pem terminal 3des <Passphrase-used-to-protect-the-private-key>

 

2) SSHing from a Linux host to the router

$ ssh root@192.168.127.254

The authenticity of host '192.168.127.254 (192.168.127.254)' can't be established.

RSA key fingerprint is 90:b5:de:97:7a:1f:ca:23:ba:30:7a:0b:d0:47:2c:0e.

Are you sure you want to continue connecting (yes/no)?

 

3) Verifying the RSA key fingerprint of the router

# Using ssh-keygen on the Linux host with the router public key

$ ssh-keygen -l -f ssh_router_rsa_key.pub

ssh_router_rsa_key.pub is not a public key file.

 

# Using Linux "Passwords and keys" GUI application with the router private key

cf. attachment.

As you can see, the fingerprint is completely different.

Any suggestion?

1 Reply

This issue turned out to be a file format incompatibility with the Linux command "ssh-keygen".

The solution is described here.
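The steps in the question and the reply's "file format incompatibility" point to the same detail: ssh-keygen -l reads OpenSSH-format public key files, not the PEM text a router exports, and the fingerprint ssh prints is a hash of the key's SSH wire encoding (the string "ssh-rsa" followed by the mpints e and n, RFC 4253), not of the PEM file or of the private key. The following added example, which is not from the original thread or from Cisco, builds that wire encoding from a PEM public key in pure standard-library Python and derives both fingerprint styles, the legacy MD5 colon form shown in the prompt above and the SHA256 form newer OpenSSH displays. The sample key is a constructed modulus, not a real router key, and the function names are this example's own.

```python
"""Fingerprint an RSA public key exported in PEM form the way ssh does.

The fingerprint is a hash over the SSH wire blob (string "ssh-rsa", mpint e,
mpint n), so a PEM SubjectPublicKeyInfo or PKCS#1 file must be decoded to
(n, e) and re-encoded first.  Standard library only.
"""
import base64
import hashlib
import struct

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


# ---- minimal DER encode/decode, enough for an RSA public key ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb

def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_uint(v):
    # minimal big-endian bytes, with a leading 0x00 when the top bit is set
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def _read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln

def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def make_pkcs1_pem(n, e):
    """'BEGIN RSA PUBLIC KEY': RSAPublicKey ::= SEQUENCE { n, e }"""
    return _pem("RSA PUBLIC KEY", _der(0x30, _der_uint(n) + _der_uint(e)))

def make_spki_pem(n, e):
    """'BEGIN PUBLIC KEY': SubjectPublicKeyInfo wrapping RSAPublicKey"""
    alg = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")
    rsa = _der(0x30, _der_uint(n) + _der_uint(e))
    return _pem("PUBLIC KEY", _der(0x30, alg + _der(0x03, b"\x00" + rsa)))

def parse_rsa_public_pem(pem):
    """Return (n, e) from either PEM flavour; reject non-RSA keys."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    label = lines[0].strip("-").replace("BEGIN ", "")
    der = base64.b64decode("".join(l for l in lines if not l.startswith("-----")))
    _, body, _ = _read_tlv(der)
    if label == "PUBLIC KEY":
        _, alg, pos = _read_tlv(body)
        _, oid, _ = _read_tlv(alg)
        if oid != RSA_OID:
            raise ValueError("not an rsaEncryption key")
        _, bitstr, _ = _read_tlv(body, pos)
        _, body, _ = _read_tlv(bitstr[1:])  # skip the unused-bits octet
    elif label != "RSA PUBLIC KEY":
        raise ValueError(f"unsupported PEM label {label!r}")
    _, nb, pos = _read_tlv(body)
    _, eb, _ = _read_tlv(body, pos)
    return int.from_bytes(nb, "big"), int.from_bytes(eb, "big")


# ---- SSH wire encoding and fingerprints ----
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(v):
    return _ssh_string(v.to_bytes((v.bit_length() + 8) // 8, "big"))

def ssh_rsa_blob(n, e):
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)

def openssh_public_line(n, e, comment="router"):
    """The one-line .pub format that ssh-keygen -l actually accepts."""
    return "ssh-rsa " + base64.b64encode(ssh_rsa_blob(n, e)).decode() + " " + comment

def blob_from_openssh_line(line):
    return base64.b64decode(line.split()[1])

def fingerprint_md5(blob):
    """Legacy colon form, e.g. 'RSA key fingerprint is 90:b5:de:...'."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def fingerprint_sha256(blob):
    """Form shown by newer OpenSSH: unpadded base64 of SHA-256."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def fingerprints_match(pem, shown):
    """Compare a PEM public key against whatever the ssh prompt displayed."""
    blob = ssh_rsa_blob(*parse_rsa_public_pem(pem))
    s = shown.strip()
    if s.upper().startswith("MD5:"):
        s = s[4:]
    if s.startswith("SHA256:"):
        return s == fingerprint_sha256(blob)
    return s.lower() == fingerprint_md5(blob)

# Constructed sample input: e=65537 and a fixed odd 1024-bit integer standing
# in for the modulus.  It is NOT a real router key.
SAMPLE_E = 65537
SAMPLE_N = (1 << 1023) | 0x1234567
SAMPLE_PEM = make_spki_pem(SAMPLE_N, SAMPLE_E)

if __name__ == "__main__":
    n, e = parse_rsa_public_pem(SAMPLE_PEM)
    blob = ssh_rsa_blob(n, e)
    print(openssh_public_line(n, e))
    print("MD5    ", fingerprint_md5(blob))
    print("SHA256 ", fingerprint_sha256(blob))
```

With the stock tools the same conversion is `ssh-keygen -i -m PKCS8 -f router.pem > router.pub` (import the PEM SubjectPublicKeyInfo into OpenSSH format), then `ssh-keygen -l -E md5 -f router.pub` to get the colon-separated MD5 form that matches the prompt quoted in the question; `-E sha256` gives the form newer clients print. Whatever is compared, it must be the public key exported from the router, not a hash of the PEM file bytes or of the private key, which is why a fingerprint taken from a different encoding looks "completely different".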