
I'm trying to set up a new Amazon EC2 instance with my own public key so I can connect via ssh. I have generated an RSA key pair using ssh-keygen as described in the aws docs, and uploaded the public key to Amazon using the web interface. The key shows up normally in my AWS dashboard. Let's say my public key fingerprint is aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa.

I can create a new instance and specify this public key using the web interface (and yes, I specify this before spinning up the machine - it's the last step before launch). The instance appears to be created and start normally. My public key is listed under the 'Key pair name' property for that instance. I'm using an Ubuntu 12.04 LTS OS, 64 bit image: ubuntu-precise-12.04-amd64-server-20131003.

However, when I attempt to connect via ssh, I do not see the fingerprint for my key:

>The authenticity of host 'ec2-00-00-00-00.us-west-2.compute.amazonaws.com (00.00.00.00)' can't be established.
>RSA key fingerprint is bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb.
>Are you sure you want to continue connecting (yes/no)? no

(I use the actual IP address when connecting)

I can run 'ec2-get-console-output' using the ec2 command line tools, as suggested by this answer. However, my public key does not appear anywhere in the console output. There are two other keys present:

>Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
>The key fingerprint is:
>bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb root@ip-00-00-00-00
>...
>-----BEGIN SSH HOST KEY FINGERPRINTS-----
>ec2: 1024 cc:cc:cc:cc:cc:cc:cc:cc:cc:cc:cc:cc:cc:cc:cc:cc root@ip-00-00-00-00 (DSA)

If my key is being deployed onto the instance, why doesn't it show up?

culix
  • What image are you using? What you describe sounds like a bug; your key should be the only one in `ssh_host_rsa_key`. – Noam Rathaus Dec 17 '13 at 06:30
  • Can you log in to this instance using the "connect" button in the AWS console, which uses a Java applet? – Brij Raj Singh - MSFT Dec 17 '13 at 11:35
  • Have you tried answering "yes" instead of "no?" The value shown at bb:bb... isn't about your key, it's about the identity of the host itself. – Michael - sqlbot Dec 17 '13 at 12:46
  • @nrathaus This is an Ubuntu 12.04 LTS OS, 64 bit build: ubuntu-precise-12.04-amd64-server-20131003. I will edit the question to include this. – culix Dec 17 '13 at 14:59
  • @BrijRajSingh Thanks I had never seen the Java option before. While I'm suspicious and hesitant about running any Java code... I did try this ;) Unfortunately the Java console app shows the same server key when it tries to connect. At least that's consistent. – culix Dec 17 '13 at 15:24
  • @Michael-sqlbot I realize the key being displayed is the server's fingerprint. However, I *really* do *not* want to answer 'yes' and connect because I'm worried about Man In The Middle attacks. I don't want anyone else getting my private key or compromising the machine! I'm only willing to answer 'yes' if the fingerprint that shows up matches the expected one that I placed there myself. – culix Dec 17 '13 at 15:27
  • The "yes" just means you trust the remote host, not that you are giving them your private key – Noam Rathaus Dec 17 '13 at 18:26

1 Answer

The fingerprint you are seeing is that of the host key, NOT of your RSA/DSA key. Therefore there shouldn't be a match.

The public key that you upload is the key that the server uses to identify you. It has nothing to do with the server's identity. If you wish to verify the server, you can use the ec2-get-console-output command, as you mention.

For more detail on ssh keypairs see this answer on Ask Ubuntu.

Noam Rathaus
  • Gah. Thanks, you are right. I don't know why I spaced on this. – culix Dec 20 '13 at 06:26
  • I edited my question to remove details we don't need and added some links to your answer. It's embarrassing to leave this up but hopefully it will help someone else and they won't waste time like I did. Thanks again! – culix Dec 20 '13 at 06:45
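The check the answer describes, as an added example that is not part of the question or answer: compare the fingerprint of the host key actually presented over the network (one line of `ssh-keyscan` output) with the fingerprints the instance itself wrote into its console output, and only answer "yes" to the ssh prompt when they match. It assumes the MD5-style fingerprints shown on this page (OpenSSH 6.8 and later print SHA256 by default; `ssh-keygen -l -E md5` gives the MD5 form); the console text and the key blob are constructed stand-ins, not real EC2 output or a real key.

```python
import base64
import hashlib
import re

# Constructed sample of what ec2-get-console-output returns. The RSA line
# carries the MD5 fingerprint of the constructed key blob below; the DSA line
# reuses the placeholder value from the question.
CONSOLE_OUTPUT = """\
ec2: #############################################################
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 2048 90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72 root@ip-00-00-00-00 (RSA)
ec2: 1024 cc:cc:cc:cc:cc:cc:cc:cc:cc:cc:cc:cc:cc:cc:cc:cc root@ip-00-00-00-00 (DSA)
ec2: -----END SSH HOST KEY FINGERPRINTS-----
"""

# Constructed stand-in for one line of `ssh-keyscan -t rsa <host>` output.
# "YWJj" is just base64 of the bytes b"abc", not a real key; a real line carries
# the full encoded RSA public key in the same position.
KEYSCAN_LINE = "ec2-00-00-00-00.us-west-2.compute.amazonaws.com ssh-rsa YWJj"

FP_LINE = re.compile(
    r"^ec2:\s+(\d+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){15})\s+\S+\s+\((\w+)\)$", re.M)


def fingerprint_md5(key_line):
    """MD5 fingerprint (colon-separated hex) of the base64 key blob in an
    OpenSSH public key line, as printed by ssh-keyscan or stored in
    ssh_host_*_key.pub. Matches `ssh-keygen -l -E md5 -f <file>`."""
    fields = key_line.split()
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-")) and i + 1 < len(fields):
            digest = hashlib.md5(base64.b64decode(fields[i + 1])).hexdigest()
            return ":".join(digest[j:j + 2] for j in range(0, 32, 2))
    raise ValueError("no OpenSSH key type field in: " + key_line)


def console_fingerprints(console_output):
    """Map fingerprint -> key type, read only from the delimited block that the
    instance's first boot prints into the console log (out of band from ssh)."""
    start = console_output.find("-----BEGIN SSH HOST KEY FINGERPRINTS-----")
    end = console_output.find("-----END SSH HOST KEY FINGERPRINTS-----", start)
    if start < 0 or end < 0:
        return {}
    block = console_output[start:end]
    return {m.group(2): m.group(3) for m in FP_LINE.finditer(block)}


def host_key_trusted(console_output, keyscan_line):
    """True only when the key offered on the network matches a fingerprint the
    instance reported itself; a mismatch means do not answer 'yes'."""
    return fingerprint_md5(keyscan_line) in console_fingerprints(console_output)
```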