diff --git a/cmdgen.c b/cmdgen.c
index e1ff0ec8..4d6d9e4e 100644
--- a/cmdgen.c
+++ b/cmdgen.c
@@ -1214,19 +1214,21 @@ void filecmp(char *file1, char *file2, char *fmt, ...)
 
 char *cleanup_fp(char *s)
 {
-    char *p;
+    ptrlen pl = ptrlen_from_asciz(s);
+    static const char separators[] = " \n\t";
 
-    if (!strncmp(s, "ssh-", 4)) {
-	s += strcspn(s, " \n\t");
-	s += strspn(s, " \n\t");
-    }
+    /* Skip initial key type word if we find one */
+    if (ptrlen_startswith(pl, PTRLEN_LITERAL("ssh-"), NULL))
+        ptrlen_get_word(&pl, separators);
 
-    p = s;
-    s += strcspn(s, " \n\t");
-    s += strspn(s, " \n\t");
-    s += strcspn(s, " \n\t");
+    /* Expect two words giving the key length and the hash */
+    ptrlen bits = ptrlen_get_word(&pl, separators);
+    ptrlen hash = ptrlen_get_word(&pl, separators);
 
-    return dupprintf("%.*s", (int)(s - p), p);
+    /* Strip "MD5:" prefix if it's present, and do nothing if it isn't */
+    ptrlen_startswith(hash, PTRLEN_LITERAL("MD5:"), &hash);
+
+    return dupprintf("%.*s %.*s", PTRLEN_PRINTF(bits), PTRLEN_PRINTF(hash));
 }
 
 char *get_fp(char *filename)
@@ -1316,7 +1318,7 @@ int main(int argc, char **argv)
 	{
 	    char *cmdbuf;
 	    fp = NULL;
-	    cmdbuf = dupprintf("ssh-keygen -l -f '%s' > '%s'",
+	    cmdbuf = dupprintf("ssh-keygen -E md5 -l -f '%s' > '%s'",
 		    pubfilename, tmpfilename1);
 	    if (system(cmdbuf) ||
 		(fp = get_fp(tmpfilename1)) == NULL) {