One shasum to trust them and in known_hosts bind them.
The default behaviour of ssh in Debian testing has changed a bit: the client now prefers the server's ECDSA host key over its RSA key, and the host-key prompt and ssh-keygen show SHA256 fingerprints by default instead of MD5 ones.
Of course, most published listings of host fingerprints still show only the MD5 fingerprint of the RSA key.
This asks a server for its keys and prints their fingerprints in both formats, so they can be cross-checked against such a listing.
$ # fetch the RSA and ECDSA host keys and print their MD5 fingerprints
$ ssh-keyscan -t rsa,ecdsa "$SERVER" > keys.pub && ssh-keygen -lf keys.pub -E md5
$ # compare the ssh-rsa line against the published (MD5) listing
$ # then print the SHA256 fingerprints, which is what ssh shows at connection time
$ ssh-keygen -lf keys.pub
I can think of an attack on this: somebody could intercept the communication, send you the right RSA pubkey and their own ECDSA, and then redirect the communication toward their own host.
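As an added example (not code from the post), the following Python computes the same two fingerprint formats that `ssh-keygen -l` and `ssh-keygen -l -E md5` print from a keyscan line, and runs the cross-check against a published MD5 fingerprint. The key blobs are constructed toy values so that it runs offline; they are not real host keys, and `example.org` is a placeholder. It also makes the attack above concrete: only the key type whose fingerprint was actually compared comes out verified, while the ECDSA key the client would prefer stays unverified.

```python
"""Compute OpenSSH host-key fingerprints and cross-check ssh-keyscan output
against a published fingerprint listing that only covers the RSA key (MD5).

Added example, not from the original post. Keys below are constructed toy
blobs (tiny numbers, fake curve point), not real or secure host keys.
"""
import base64
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """SSH wire-format mpint for a positive integer (leading 0x00 if top bit set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_blob(key_type: str, *fields: bytes) -> bytes:
    """Assemble a public-key blob: the type string followed by its fields."""
    return _ssh_string(key_type.encode()) + b"".join(fields)


def blob_key_type(blob: bytes) -> str:
    """Key type embedded in the blob (the part ssh actually hashes and uses)."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode()


def fingerprint_md5(blob: bytes) -> str:
    """Legacy format: 16 hex bytes separated by colons (ssh-keygen -l -E md5)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Current format: 'SHA256:' plus unpadded base64 of the SHA-256 digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def keyscan_line(host: str, declared_type: str, blob: bytes) -> str:
    """Format one line the way ssh-keyscan prints it: '<host> <type> <base64 blob>'."""
    return f"{host} {declared_type} {base64.b64encode(blob).decode()}"


def parse_keyscan_line(line: str):
    """Parse an ssh-keyscan line; reject lines whose printed type != blob type."""
    host, declared_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    if blob_key_type(blob) != declared_type:
        raise ValueError(f"{host}: line says {declared_type}, blob says {blob_key_type(blob)}")
    return host, declared_type, blob


def crosscheck(keyscan_output: str, published_md5: str) -> dict:
    """Map each offered key type to whether its MD5 fingerprint matches the listing.

    Only the key you compared is verified. Any other key type the server offered
    (typically the ECDSA key a current client prefers) stays unverified, which is
    the gap an interceptor can exploit by serving the real RSA key plus its own
    ECDSA key.
    """
    result = {}
    for line in keyscan_output.strip().splitlines():
        if not line or line.startswith("#"):
            continue  # tolerate ssh-keyscan comment lines if stderr was captured too
        _host, ktype, blob = parse_keyscan_line(line)
        result[ktype] = fingerprint_md5(blob).lower() == published_md5.lower()
    return result


# Constructed toy keys so the example runs offline (NOT real keys).
RSA_BLOB = build_blob("ssh-rsa", _ssh_mpint(65537), _ssh_mpint(0xC0FFEE1234567890ABCDEF))
ECDSA_BLOB = build_blob("ecdsa-sha2-nistp256", _ssh_string(b"nistp256"),
                        _ssh_string(b"\x04" + b"\x11" * 64))

# Constructed stand-in for `ssh-keyscan -t rsa,ecdsa example.org` output.
SAMPLE_KEYSCAN = "\n".join([
    keyscan_line("example.org", "ssh-rsa", RSA_BLOB),
    keyscan_line("example.org", "ecdsa-sha2-nistp256", ECDSA_BLOB),
])

if __name__ == "__main__":
    for ktype, blob in (("ssh-rsa", RSA_BLOB), ("ecdsa-sha2-nistp256", ECDSA_BLOB)):
        print(ktype, fingerprint_md5(blob), fingerprint_sha256(blob))
    # The listing is assumed to publish only the RSA key's MD5 fingerprint.
    print(crosscheck(SAMPLE_KEYSCAN, fingerprint_md5(RSA_BLOB)))
```

The `False` entry for the ECDSA key is the point: after matching the RSA fingerprint, pin that key rather than whatever ssh prefers, for instance by adding only the verified `ssh-rsa` line from `keys.pub` to `known_hosts`, or by making the first connection with `-o HostKeyAlgorithms=ssh-rsa` so the key that gets used is the one that was checked.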
Relevant links:
permalink.gmane.org/gmane.linu…
bridge.grumpy-troll.org/2011/0…
enricozini.org/2008/tips/ssh-h…
(Post title courtesy of @Enrico Zini )