3

I noticed that when showing the fingerprint of different key types, there is one difference in the format. For some reason ED25519 has the hash bits (I guess?), 256, whereas the other key types have the key length in bits instead, as you can see in the examples I pasted below.

Any special reason? I couldn't find a specific reason documented, and since I'm implementing something with SSH key fingerprints, I wonder if I should follow the ssh-keygen way, which is strange.

    ssh-keygen -l -f test_key_ed25519
    256 SHA256:YxdmTBeIiFs0XqhabPHLf9qApHqrwJpT+f7N/KiNFcs <comment> (ED25519)

    ssh-keygen -l -f test_key_rsa.pub
    2048 SHA256:IbwM2e+II6UGAalZAsyqqPHHIzj+rNUAsu/u7gL65ac Roy.BenYosef@NG-ROY-B (RSA)

    ssh-keygen -t ecdsa -b 256 -f test_key_ecdsa
    ssh-keygen -l -f test_key_ecdsa.pub
    256 SHA256:psFwJHQSS5j3QhWzRac8INZGm9tcSymNj2dTSmG8Moc Roy.BenYosef@NG-ROY-B (ECDSA)

    ssh-keygen -t ecdsa -b 384 -f test_key_ecdsa-384
    ssh-keygen -l -f test_key_ecdsa-384.pub
    384 SHA256:pIWLmWuefaFMjeQAAU4DYW+e5sr/xdMvp7BpUr00Ngs Roy.BenYosef@NG-ROY-B (ECDSA)

Roy Ca
  • 141
  • 1
  • 4
  • 2
    From Wikipedia about Ed25519: "Public keys are 256 bits long". So there is no difference here. – Steffen Ullrich Jun 19 '22 at 14:47
  • 1
    I think you're confusing the number 25519 for a bit length. I am not sure what it means precisely, but it identifies a curve rather than a number of bits, and that is why it is in the name. – Luc Jun 19 '22 at 19:31

1 Answer

6

ssh-keygen -l shows you more than just the fingerprint. The fingerprint is the second piece starting with SHA256:. It also shows you the key size in bits, which is the first part; the comment, which is the third part; and the key type, which is the final part.

Ed25519 keys are all 256 bits long, so this number of bits makes sense. Similarly, your ECDSA keys either use 256- or 384-bit curves and they are listed accordingly. In your case, you have a 2048-bit RSA key, and that number of bits is also printed.

In general, if you're just printing the fingerprint, you just need the second part. This is the right format for all modern SSH clients, and the only difference would be if you're using SSHFP records, where the hash is in hex instead. Some very old SSH clients use MD5 instead, but we no longer consider MD5 fit to be used for any purpose, so there's no reason to implement that.

bk2204
  • 9,434
  • 22
  • 20
  • 1
    I was under the impression that an ed25519 key length is 408 bits. After reading your answer, I investigated some more and learned that, as you said, it is in fact 256. Thank you! – Roy Ca Jun 19 '22 at 18:40
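As an added illustration of the answer above (this is example code written for this page, not ssh-keygen's own implementation), the script below parses an OpenSSH public-key line, recovers the three pieces that `ssh-keygen -l` prints (key size in bits, the `SHA256:` fingerprint, and the key type), and shows how the same 32-byte digest appears in hex in an SSHFP record. The key blobs are constructed inline purely for the encoding; they are not real key pairs, and the helper names are this example's own.

```python
# Added example (not from the original question or answer): parse an OpenSSH
# public-key line, recover the pieces ssh-keygen -l prints (key size in bits,
# SHA256 fingerprint, comment, key type) and express the same digest as an
# SSHFP record. Key material below is constructed for illustration only.
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': big-endian magnitude, leading 0x00 added if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)

def split_blob(blob: bytes) -> list:
    """Split a public-key blob into its length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack_from(">I", blob, off)
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated field in key blob")
        fields.append(blob[off:off + n])
        off += n
    return fields

def key_bits(key_type: str, fields: list) -> int:
    """Key size as ssh-keygen -l reports it: modulus bits for RSA, curve size otherwise."""
    if key_type == "ssh-ed25519":
        return 256  # Ed25519 public keys are always 32 bytes, so the size is fixed
    if key_type == "ssh-rsa":
        return int.from_bytes(fields[2], "big").bit_length()  # fields: type, e, n
    if key_type.startswith("ecdsa-sha2-"):
        return {"nistp256": 256, "nistp384": 384, "nistp521": 521}[fields[1].decode()]
    raise ValueError(f"unsupported key type {key_type}")

def parse_pubkey_line(line: str) -> dict:
    """Return bits, SHA256 fingerprint, comment, type and raw digest for one key line."""
    key_type, b64, *rest = line.split(None, 2)
    blob = base64.b64decode(b64)
    fields = split_blob(blob)
    if fields[0].decode() != key_type:
        raise ValueError("key type prefix does not match blob")
    digest = hashlib.sha256(blob).digest()  # fingerprint = SHA-256 over the whole blob
    return {
        "bits": key_bits(key_type, fields),
        "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
        "comment": rest[0].strip() if rest else "",
        "type": key_type,
        "digest": digest,
    }

LABELS = {"ssh-ed25519": "ED25519", "ssh-rsa": "RSA"}

def keygen_l_line(line: str) -> str:
    """Format like `ssh-keygen -l`: '<bits> SHA256:<b64> <comment> (<TYPE>)'."""
    k = parse_pubkey_line(line)
    label = "ECDSA" if k["type"].startswith("ecdsa-") else LABELS[k["type"]]
    return f'{k["bits"]} {k["fingerprint"]} {k["comment"]} ({label})'

# SSHFP algorithm numbers (RFC 4255 / 6594 / 7479): 1 RSA, 3 ECDSA, 4 Ed25519.
SSHFP_ALG = {"ssh-rsa": 1, "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3,
             "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}

def sshfp_rdata(line: str) -> str:
    """SSHFP RDATA: '<alg> 2 <hex sha256>' where fingerprint type 2 means SHA-256."""
    k = parse_pubkey_line(line)
    return f'{SSHFP_ALG[k["type"]]} 2 {k["digest"].hex()}'

def fingerprint_matches_sshfp(line: str) -> bool:
    """The base64 fingerprint and the SSHFP hex are two encodings of the same digest."""
    k = parse_pubkey_line(line)
    b64 = k["fingerprint"][len("SHA256:"):]
    return base64.b64decode(b64 + "=").hex() == sshfp_rdata(line).split()[2]

def make_pubkey_line(key_type: str, fields: list, comment: str) -> str:
    """Assemble an authorized_keys-style line from already-encoded blob fields."""
    return f"{key_type} {base64.b64encode(b''.join(fields)).decode()} {comment}"

# Constructed sample keys (hypothetical, not real key pairs; only the encoding matters here).
ED25519_LINE = make_pubkey_line("ssh-ed25519",
    [ssh_string(b"ssh-ed25519"), ssh_string(bytes(range(32)))], "example@host")
RSA_LINE = make_pubkey_line("ssh-rsa",
    [ssh_string(b"ssh-rsa"), ssh_mpint(65537), ssh_mpint((1 << 2047) | 1)], "example@host")
ECDSA_LINE = make_pubkey_line("ecdsa-sha2-nistp384",
    [ssh_string(b"ecdsa-sha2-nistp384"), ssh_string(b"nistp384"),
     ssh_string(b"\x04" + bytes(96))], "example@host")

if __name__ == "__main__":
    for sample in (ED25519_LINE, RSA_LINE, ECDSA_LINE):
        print(keygen_l_line(sample))
        print("  SSHFP", sshfp_rdata(sample))
```

Run it and the first column shows 256 for the Ed25519 sample, 2048 for the RSA sample (the bit length of the modulus) and 384 for the ECDSA sample, while the `SHA256:` column is the only part a client needs to compare; `fingerprint_matches_sshfp` confirms that the base64 fingerprint and the SSHFP hex digest are the same 32 bytes.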