
Normally, when using ssh to connect to a host for the first time, you get a message like:

The authenticity of host 'nova.example.com (192.168.0.63)' can't be established.
ECDSA key fingerprint is XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX.

One can then check the key fingerprint against the known fingerprint for the host to make sure you're actually connecting to the host you think you are.

I am now trying to ssh into a new Amazon EC2 instance, and I cannot find the ECDSA key fingerprint that ssh is reporting anywhere in the management console.

The one fingerprint I can find is under "NETWORK & SECURITY » Key Pairs", but it does not match what ssh is reporting. As far as I can tell, this is actually a fingerprint of the private key that AWS generated for me, not the host key.

Perhaps I could just say "yes" and then run "ssh-keygen -lf" on the EC2 instance, but I'm not confident that that actually protects against man-in-the-middle attacks. (In fact, this page on checking ssh public key fingerprints suggests exactly that possibility.)

How does one correctly verify the ECDSA key fingerprint returned by ssh when connecting to an EC2 instance?

Laurence Gonsalves
  • You can find the ECDSA key in the instance's log ("Get System Log" for an instance in the console). In more detail... http://stackoverflow.com/a/24773982/1428388 – jzonthemtn Oct 04 '16 at 23:41
  • @jbird Thank you! I don't know how I didn't find that question/answer earlier. – Laurence Gonsalves Oct 04 '16 at 23:54
  • Possible duplicate of [SSH fingerprint verification for Amazon AWS EC2 server with ECDSA?](http://stackoverflow.com/questions/13791219/ssh-fingerprint-verification-for-amazon-aws-ec2-server-with-ecdsa) – Laurence Gonsalves Oct 04 '16 at 23:55
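An added example (not from the question or the linked answers) of the check the comments describe: pull the host keys out of the instance's system log, compute the fingerprint in both the legacy colon-separated MD5 form ssh printed in the question and OpenSSH's SHA256 form, and compare against what ssh reported before answering "yes". The console text and key material below are constructed placeholders, and the function names are assumptions.

```python
import base64
import hashlib
import re

# Constructed sample modelled on what cloud-init writes to the EC2 system log
# on first boot. The base64 key material is placeholder data, not a real key.
SAMPLE_CONSOLE_OUTPUT = """\
ec2: #############################################################
ec2: -----BEGIN SSH HOST KEY KEYS-----
ec2: ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPLACEHOLDERKEYDATA0 root@ip-10-0-0-1
ec2: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATAPLACEHOLDERKEYDAT root@ip-10-0-0-1
ec2: -----END SSH HOST KEY KEYS-----
ec2: #############################################################
"""


def host_keys_from_console_output(text):
    """Return {key_type: base64_blob} for the keys listed between the
    BEGIN/END SSH HOST KEY KEYS markers (lines are prefixed with 'ec2: ')."""
    keys, inside = {}, False
    for line in text.splitlines():
        line = re.sub(r"^ec2:\s*", "", line).strip()
        if "BEGIN SSH HOST KEY KEYS" in line:
            inside = True
        elif "END SSH HOST KEY KEYS" in line:
            break
        elif inside and len(line.split()) >= 2:
            key_type, blob = line.split()[:2]
            keys[key_type] = blob
    return keys


def fingerprints(b64_blob):
    """Fingerprints of a public key blob: the legacy MD5 'xx:xx:...' form
    (as in the question) and the 'SHA256:<base64>' form newer OpenSSH prints."""
    raw = base64.b64decode(b64_blob)
    md5 = hashlib.md5(raw).hexdigest()
    sha = base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    return {"MD5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "SHA256": "SHA256:" + sha}


def verify_reported_fingerprint(console_output, key_type, reported):
    """True only if the fingerprint ssh reported for key_type matches the key
    the instance logged. A key type missing from the log cannot be verified."""
    keys = host_keys_from_console_output(console_output)
    if key_type not in keys:
        return False
    fps, reported = fingerprints(keys[key_type]), reported.strip()
    if reported.startswith("SHA256:"):
        return reported == fps["SHA256"]
    if reported.lower().startswith("md5:"):
        reported = reported[4:]
    return reported.lower() == fps["MD5"]
```

Replace the sample with the real text from "Get System Log" or `aws ec2 get-console-output`, and pass the key type and fingerprint from ssh's prompt.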

0 Answers