AWS – How to Verify Private Key Matches Keypair

amazon-web-servicesssh-keygen

My AWS instance says it is configured to use the only keypair I have on my account and it has a fingerprint in the format of:

3c:64:a7:85:53:3f:81:1c:24:5a:d2:6a:5b:76:47:da:f3:14:63:88

I have a key.pem file on my computer. How do I verify that this pem file matches up with the above key-pair fingerprint provided by AWS?

I have attempted the following:
ssh-keygen -lf key.pem

That outputs something in this format:
2048 SHA256:TpL6i8y1uCd26IUVVc5UHFluP7GLKD/T3O1+K4Pc0qg no comment (RSA)

The encoding scheme is different, I am not able to tell if they are equivalent.

I am trying to debug why I am unable to ssh into my instance with this key, this is the first step I am trying.

Best Answer

There are two methods, depending on how you created your SSH key as described in Verifying Your Key Pair's Fingerprint in AWS docs.

Here is my SSH key fingerprint in the console:

And here is how to get the same fingerprint from the command line:

~ $ openssl rsa -in ~/.ssh/aws-sandpit.pem -pubout -outform DER | openssl md5 -c
writing RSA key
(stdin)= ae:ae:56:84:f9:72:c4:d1:0a:b8:e9:3b:ab:d4:a7:00

If that doesn't match try this:

~ $ openssl pkcs8 -in path_to_private_key -inform PEM -outform DER -topk8 -nocrypt | openssl sha1 -c

Hope that helps :)

Related Solutions

SSH – How to Change Private Key Passphrase

To change the passphrase on your default key:

$ ssh-keygen -p

If you need to specify a key, pass the -f option:

$ ssh-keygen -p -f ~/.ssh/id_dsa

then provide your old and new passphrase (twice) at the prompts. (Use ~/.ssh/id_rsa if you have an RSA key.)

More details from man ssh-keygen:

[...]
SYNOPSIS
    ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment]
               [-f output_keyfile]
    ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
[...]
     -f filename
             Specifies the filename of the key file.
[...]
     -N new_passphrase
             Provides the new passphrase.

     -P passphrase
             Provides the (old) passphrase.

     -p      Requests changing the passphrase of a private key file instead of
             creating a new private key.  The program will prompt for the file
             containing the private key, for the old passphrase, and twice for
             the new passphrase.
[...]

AWS EC2 – Deleting a Key Pair for AWS EC2 Instance with EBS

EC2 key pairs, which appear on AWS console panel, are only used to initialize EC2 instances, granting you initial access to them with the provided key pair. Thus, deleting them on AWS console panel won't make a difference on existing instances. See AWS Doc.

To prevent the use of the old private key, you need to to edit the .ssh/authorized_keys file on your remote EC2 instance, removing the corresponding entry, which is the public key of your EC2 key pair.

Remember to add your new public key to authrozied_keys file, and test it before removing the old one, or you may be locked out of your EC2 instance.

To issue a new key pair, use ssh-keygen command on your local Linux machine, it's an interactive program when calling without arguments.

And use ssh-copy-id to automatically apply your new key to your instance.

Best Answer

Related Solutions

SSH – How to Change Private Key Passphrase

AWS EC2 – Deleting a Key Pair for AWS EC2 Instance with EBS

Related Topic