SSH fingerprint verification for Amazon AWS EC2 server with ECDSA?
When I create a new Amazon EC2 server, I connect to it using ssh as usual.
I see the typical warning:
$ ssh myserver
The authenticity of host 'ec2-12-34-567-890.compute-1.amazonaws.com (12.34.567.890)' can't be established.
ECDSA key fingerprint is 31:66:15:d2:19:41:2b:09:8a:8f:9f:bd:de:c6:ff:07.
Are you sure you want to continue connecting (yes/no)?
How do I verify the fingerprint before I sign in?
Ideally an answer is based on something besides the original creation console log -- because the log may get flushed out after a system restart, or during a large system installation script that generates a lot of output, or the connection is to an older system with keys that weren't tracked at creation time.
Amazon EC2 console now has a web-based terminal (which presumably guarantees secure connection). Go to Actions > Connect > EC2 Instance Connect > Connect on Instances page. In the terminal, use ssh-keygen command to display a fingerprint of any number of host keys algorithms. The following example shows SHA-256 and MD5 fingerprints of Ed25519 hostkey:
sudo ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key
sudo ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key -E md5
The previous answer, before the web-based terminal was introduced:
As @joelparkerhenderson's answer covers, you can collect host key fingerprint from server's initial start log, when host keys are generated (by the cloud-init script):
If you fail to collect the keys this way, you can get them by connecting to your target instance from another trusted instance within private Amazon network, thus keeping yourself safe from man-in-the-middle attacks.
When on the trusted instance (the one you know fingerprints for) terminal, you can use following commands to collect fingerprints (172.33.31.199 is the private IP):
$ ssh-keyscan 172.33.31.199 > ec2key
$ ssh-keygen -l -f ec2key
256 SHA256:oZHeiMEPLKetRgd3M5Itgwaqr2zJJH93EvSdx5UoHbQ <ip> (ED25519)
2048 SHA256:8zg105EUFFrPFpVzdfTGsgXnxuSpTiQd85k0uNapUio <ip> (RSA)
256 SHA256:L7UXLw0djE5B9W7ZhvrkYVSTZyi1MEQ2dBaRtpkkUGY <ip> (ECDSA)
If you do not have another instance, whose fingerprints you know, create new temporary instance, just for the purpose of collecting the keys. First find keys for the new temporary instance, using it's initial start log. Connect to the temporary instance from public network. Then collect keys of the target instance by connecting to it from the temporary instance, over private Amazon network. After that you can discard the temporary instance.
I have prepared Guide for connecting to EC2 instance safely using WinSCP.
- Math.Sin() gives incorrect value
- How to run my python script when the sunOS is start booting
- Express-session: not resetting cookie expiration on each request
- Getting a stack overflow exception when normalizing a vector
- Edit default summary function in R gives error for multiple variables
- What was a For loop? Why isn't it needed in R?
- How to use download button in shiny and save results in various formats (csv, texte, pdf, spss...)?
- Why are there two assignment operators, `<-` and `->` in R?
- lm()$assign: what is it?
- How to get the value of list(...) in R and S functions
- Design matrix for MLM from library(lme4) with fixed and random effects
- how to generate elements not included in my sample
- Create a matrix with gradually changing values without a for loop
- Emacs ESS and S-plus ( S+ ) 8.1 compatability
- How to lag date-index in a time-series in R?
- Nonlinear regression in R / S
- Calling R from S-Plus?