SSH fingerprint verification for Amazon AWS EC2 server with ECDSA?
Here are two solutions that worked for me during the creation of the EC2 system.
Solution 1: Use the Amazon EC2 dashboard
- Go to https://console.aws.amazon.com
- Tap "EC2" link.
- Tap "Instances" in the left column
- Tap the instance name you want
- Tap the select button "Actions" and choose "Get System Log" (a.k.a. "Console Output")
- In the console output, you should see the keys being generated
Solution 2: Use the AWS EC2 command line
You can use the aws
command or ec2-get-console-output
command. Both are available for download from Amazon.
To use your EC2 private key pem file, certificate pem file, region, and instance:
ec2-get-console-output \
--private-key pk-ABCDEF1234567890.pem \
--cert cert-ABCDEF1234567890.pem \
--region us-east-1c \
i-e706689a
The output shows the ssh host key fingerprints like this:
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 1024 e0:79:1e:ba:2e:3c:71:87:2c:f5:62:2b:0d:1b:6d:7b root@ip-10-243-118-182 (DSA)
ec2: 256 31:66:15:d2:19:41:2b:09:8a:8f:9f:bd:de:c6:ff:07 root@ip-10-243-118-182 (ECDSA)
ec2: 2048 ce:ec:3b:d3:34:3f:f3:45:76:81:9e:76:7a:d9:f5:e8 root@ip-10-243-118-182 (RSA)
ec2: -----END SSH HOST KEY FINGERPRINTS-----
The aws
tool works similarly.
Note: these solutions only work during creation time, or when you can get the console logs. For a broader solution that works any time, see Martin's answer.
Amazon EC2 console now has a web-based terminal (which presumably guarantees secure connection). Go to Actions > Connect > EC2 Instance Connect > Connect on Instances page. In the terminal, use ssh-keygen
command to display a fingerprint of any number of host keys algorithms. The following example shows SHA-256 and MD5 fingerprints of Ed25519 hostkey:
sudo ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key
sudo ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key -E md5
The previous answer, before the web-based terminal was introduced:
As @joelparkerhenderson's answer covers, you can collect host key fingerprint from server's initial start log, when host keys are generated (by the cloud-init
script):
If you fail to collect the keys this way, you can get them by connecting to your target instance from another trusted instance within private Amazon network, thus keeping yourself safe from man-in-the-middle attacks.
When on the trusted instance (the one you know fingerprints for) terminal, you can use following commands to collect fingerprints (172.33.31.199
is the private IP):
$ ssh-keyscan 172.33.31.199 > ec2key
$ ssh-keygen -l -f ec2key
256 SHA256:oZHeiMEPLKetRgd3M5Itgwaqr2zJJH93EvSdx5UoHbQ <ip> (ED25519)
2048 SHA256:8zg105EUFFrPFpVzdfTGsgXnxuSpTiQd85k0uNapUio <ip> (RSA)
256 SHA256:L7UXLw0djE5B9W7ZhvrkYVSTZyi1MEQ2dBaRtpkkUGY <ip> (ECDSA)
If you do not have another instance, whose fingerprints you know, create new temporary instance, just for the purpose of collecting the keys. First find keys for the new temporary instance, using it's initial start log. Connect to the temporary instance from public network. Then collect keys of the target instance by connecting to it from the temporary instance, over private Amazon network. After that you can discard the temporary instance.
I have prepared Guide for connecting to EC2 instance safely using WinSCP.