I installed openssh-server and created a key with ssh-keygen. I then attempted to test it using local port forwarding by doing ssh -L 8080:www.nytimes.com:80 127.0.0.1. However, the key fingerprint that this command provides is not the key fingerprint I get when I do ssh-keygen -l. Even if I delete my .ssh directory, I still get the same fingerprint, which is not the one I created with ssh-keygen. Is there another key on my system? Where is this key? How can I select this key for use by openssh-server?
By default, ssh-keygen will create a key for the current user, which, by default, will be stored in /.ssh. The format of a user key and a server key is the same; the difference is where they are placed and whether /etc/ssh/sshd_config has a HostKey directive pointing to them. When you install the openssh-server package, it automatically generates keys for the server to use. That is where the keys with the unknown fingerprint came from. If you want to see the fingerprint of the SSH server's (RSA*) key, you could run ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub.
ssh-keygen does not generate the SSH fingerprint at your server. That is generated by the SSH server. ssh-keygen creates a public/private key pair for your system that you can later use to access your SSH server without having to transmit a plain-text passcode to the server.
The ssh-keygen command used to generate what it calls an RSA key fingerprint. This fingerprint for this particular command seems to be 43 characters long. The output for the sha256sum command is always 64 characters long. So there are two things I have in mind here: