diff --git a/options-table.c b/options-table.c
index 6b0c248b..90d3297b 100644
--- a/options-table.c
+++ b/options-table.c
@@ -925,13 +925,13 @@ const struct options_table_entry options_table[] = {
 	{ .name = "tmate-server-rsa-fingerprint",
 	  .type = OPTIONS_TABLE_STRING,
 	  .scope = OPTIONS_TABLE_SERVER,
-	  .default_str = "af:2d:81:c1:fe:49:70:2d:7f:09:a9:d7:4b:32:e3:be"
+	  .default_str = "SHA256:Hthk2T/M/Ivqfk1YYUn5ijC2Att3+UPzD7Rn72P5VWs"
 	},
 
 	{ .name = "tmate-server-ecdsa-fingerprint",
 	  .type = OPTIONS_TABLE_STRING,
 	  .scope = OPTIONS_TABLE_SERVER,
-	  .default_str = "c7:a1:51:36:d2:bb:35:4b:0a:1a:c0:43:97:74:ea:42"
+	  .default_str = "SHA256:8GmKHYHEJ6n0TEdciHeEGkKOigQfCFuBULdt6vZIhDc"
 	},
 
 	{ .name = "tmate-display-time",
diff --git a/tmate-ssh-client.c b/tmate-ssh-client.c
index f13db90a..fbe9a470 100644
--- a/tmate-ssh-client.c
+++ b/tmate-ssh-client.c
@@ -287,12 +287,14 @@ static void on_ssh_client_event(struct tmate_ssh_client *client)
 		if (ssh_get_publickey(session, &pubkey) < 0)
 			tmate_fatal("ssh_get_publickey");
 
-		if (ssh_get_publickey_hash(pubkey, SSH_PUBLICKEY_HASH_MD5, &hash, &hash_len) < 0) {
+		if (ssh_get_publickey_hash(pubkey, SSH_PUBLICKEY_HASH_SHA256,
+					   &hash, &hash_len) < 0) {
 			kill_ssh_client(client, "Cannot authenticate server");
 			return;
 		}
 
-		hash_str = ssh_get_hexa(hash, hash_len);
+		hash_str = ssh_get_fingerprint_hash(SSH_PUBLICKEY_HASH_SHA256,
+						    hash, hash_len);
 		if (!hash_str)
 			tmate_fatal("malloc failed");