When I create a new Amazon EC2 server, I connect to it using ssh
as usual.
I see the typical warning:
$ ssh myserver The authenticity of host 'ec2-12-34-567-890.compute-1.amazonaws.com (12.34.567.890)' can't be established. ECDSA key fingerprint is 31:66:15:d2:19:41:2b:09:8a:8f:9f:bd:de:c6:ff:07. Are you sure you want to continue connecting (yes/no)?
How do I verify the fingerprint before I sign in?
Ideally an answer is based on something besides the original creation console log -- because the log may get flushed out after a system restart, or during a large system installation script that generates a lot of output, or the connection is to an older system with keys that weren't tracked at creation time.
ECDSA key fingerprint is SHA256:wcq2B0YttUcSQOJZVOS6u72qdgBztv7AbvkCgGyApFg.
In addition to RSA based keys, EC2 customers can now use ED25519 key pairs, an elliptic curve based public-key system commonly used for SSH authentication, to authenticate with EC2 Instance Connect.
There are 2 main reasons the "Permission denied (publickey)" error occurs when trying to SSH into an AWS EC2 instance: The username in the ssh connection URL is incorrect. The username is different for the different Amazon Machine Images. The permissions of the private key are incorrect.
As @joelparkerhenderson's answer covers, you can collect host key fingerprint from server's initial start log, when host keys are generated (by the cloud-init
script):
If you fail to collect the keys this way, you can get them by connecting to your target instance from another trusted instance within private Amazon network, thus keeping yourself safe from man-in-the-middle attacks.
When on the trusted instance (the one you know fingerprints for) terminal, you can use following commands to collect fingerprints (172.33.31.199
is the private IP):
$ ssh-keyscan 172.33.31.199 > ec2key $ ssh-keygen -l -f ec2key 256 SHA256:oZHeiMEPLKetRgd3M5Itgwaqr2zJJH93EvSdx5UoHbQ <ip> (ED25519) 2048 SHA256:8zg105EUFFrPFpVzdfTGsgXnxuSpTiQd85k0uNapUio <ip> (RSA) 256 SHA256:L7UXLw0djE5B9W7ZhvrkYVSTZyi1MEQ2dBaRtpkkUGY <ip> (ECDSA)
If you do not have another instance, whose fingerprints you know, create new temporary instance, just for the purpose of collecting the keys. First find keys for the new temporary instance, using it's initial start log. Connect to the temporary instance from public network. Then collect keys of the target instance by connecting to it from the temporary instance, over private Amazon network. After that you can discard the temporary instance.
I have prepared Guide for connecting to EC2 instance safely using WinSCP.
Here are two solutions that worked for me during the creation of the EC2 system.
Solution 1: Use the Amazon EC2 dashboard
Solution 2: Use the AWS EC2 command line
You can use the aws
command or ec2-get-console-output
command. Both are available for download from Amazon.
To use your EC2 private key pem file, certificate pem file, region, and instance:
ec2-get-console-output \ --private-key pk-ABCDEF1234567890.pem \ --cert cert-ABCDEF1234567890.pem \ --region us-east-1c \ i-e706689a
The output shows the ssh host key fingerprints like this:
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS----- ec2: 1024 e0:79:1e:ba:2e:3c:71:87:2c:f5:62:2b:0d:1b:6d:7b root@ip-10-243-118-182 (DSA) ec2: 256 31:66:15:d2:19:41:2b:09:8a:8f:9f:bd:de:c6:ff:07 root@ip-10-243-118-182 (ECDSA) ec2: 2048 ce:ec:3b:d3:34:3f:f3:45:76:81:9e:76:7a:d9:f5:e8 root@ip-10-243-118-182 (RSA) ec2: -----END SSH HOST KEY FINGERPRINTS-----
The aws
tool works similarly.
Note: these solutions only work during creation time, or when you can get the console logs. For a broader solution that works any time, see Martin's answer.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With