Any time I stand up a VM in EC2 and ssh into it for the first time, I always get this message:
The authenticity of host 'ec2-xxxxxx.compute-1.amazonaws.com (n.n.n.n)' can't be established.
RSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
And like everybody else, I just say yes:
Are you sure you want to continue connecting (yes/no)? yes
I understand what a fingerprint is, why it's good and all that. What I'm wondering is, years ago, since it was a physical machine I was setting up… I could check on the physical machine and validate yes, this is the fingerprint.
Is there some way in the EC2 console to independently verify "yes, this is the fingerprint"? If so, how do you find it?
Best Answer
You can verify the fingerprint using the AWS console for instances with cloud-init.
The following is on an instance running Amazon Linux.
There is an init.d script called cloud-init:
Once you launch an instance, you can view the system log output via the AWS console without using SSH. (Which avoids your catch-22 - you can see the fingerprint before you access the instance).
You can do this by
going to your EC2 Management Console page,
clicking the "Instances" link on the sidebar,
selecting the instance you want to log into, and
navigating to Actions > Instance Settings > Get System Log.
If you scroll through that output, you will see something like the following:
Above each "randomart" image is the type of signature, such as RSA or DSA. Find the kind you are given (RSA in your case), and check the fingerprint above it.
If you wish to verify that the same key is the one on the instance (as a proof of concept, after you have SSH'd in), you can run:
Alternate Approach:
In order to avoid the problem, you can use your own keys - since you generated the key, you know the fingerprint. The issue then becomes one of getting your new key onto the instance without using SSH.
Most instances use cloud-init and will support user-data. This applies to any such instance. Since you need to stop an instance in order to modify user-data, this approach requires that you either (a) are launching an instance for the first time (and are setting yourself up to use known keys) or (b) can stop the instance, modify the user-data, and restart the instance.
If you are launching a new instance, you just need to specify the keys you want to use. If you are restarting an instance that is already running, you need to have cloud-init reconfigure SSH to pull in the new keys. By default, the SSH config module of cloud-init is run once per instance, so you need to set it to run always (each boot). (This might not be ideal in some circumstances, but can be modified after you know the key, if required.)
The user-data would take the following form:
For example:
Note that the fingerprint shown here matches the one displayed when the key was generated.
If you are stopping the instance and have access to another instance, you can also mount the root volume and modify the keys directly without using user-data (the keys will not be overwritten since cloud-init only runs SSH config once per instance by default). An alternate approach, if you are planning ahead, is to set up cloud-init (or an init script) to log the SSH keys each boot, which increases the probability you will find them in the console log after a restart.
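The console-log check described in the answer, scripted as an added example (not part of the original answer): it parses the SSH HOST KEY FINGERPRINTS section that cloud-init writes to the system log and compares it with the value ssh shows at the first-connection prompt. The function names (`fingerprint_from_log`, `normalize_fp`, `fingerprint_matches`, `verify_instance`) and the sample log are mine; the live path assumes the AWS CLI, `ssh-keyscan` and a modern `ssh-keygen` are installed.

```shell
# Print the fingerprint for one key type (RSA, ED25519, ...) from console log
# text on stdin. cloud-init writes lines such as
#   ec2: 2048 SHA256:... root@ip-10-0-0-5 (RSA)
# between the BEGIN/END SSH HOST KEY FINGERPRINTS markers; older releases put a
# colon-separated MD5 hex string in the same position.
fingerprint_from_log() {
    awk -v t="($1)" '
        /BEGIN SSH HOST KEY FINGERPRINTS/ { inside = 1; next }
        /END SSH HOST KEY FINGERPRINTS/   { inside = 0 }
        inside && $NF == t                { print $3; exit }
    '
}

# Normalise so an old-style "ab:cd:..." prompt compares equal to the "MD5:AB:CD:..."
# form newer ssh prints; SHA256 values are case-sensitive base64 and stay as-is.
normalize_fp() {
    local fp="${1#MD5:}"
    case "$fp" in
        SHA256:*) printf '%s' "$fp" ;;
        *)        printf '%s' "$fp" | tr 'A-F' 'a-f' ;;
    esac
}

# Exit 0 when the fingerprint from the ssh prompt ($2) equals the one logged for
# key type $1 in the console log read from stdin; non-zero otherwise.
fingerprint_matches() {
    local logged
    logged="$(fingerprint_from_log "$1")"
    [ -n "$logged" ] && [ "$(normalize_fp "$logged")" = "$(normalize_fp "$2")" ]
}

# Live use, e.g. verify_instance i-xxxxxxxx ec2-xxxxxx.compute-1.amazonaws.com rsa
# (needs the AWS CLI and network access; not exercised by the sample below):
# fetch the console log and the key the host actually serves, then compare them.
verify_instance() {
    local served
    served="$(ssh-keyscan -t "$3" "$2" 2>/dev/null | ssh-keygen -lf - | awk '{print $2}')"
    aws ec2 get-console-output --instance-id "$1" --query Output --output text \
        | fingerprint_matches "$(printf '%s' "$3" | tr 'a-z' 'A-Z')" "$served"
}

# Constructed sample of the relevant console log section (not a real instance).
SAMPLE_LOG='ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 256 SHA256:Vq7rGhLcY0s5pJ3xN1gDk8wT2mH9bQ4fZ6aE0uR1cXo root@ip-10-0-0-5 (ED25519)
ec2: 2048 SHA256:7HhN4aB2pQ9kL0mX1cV8zT3yR6wE5uI7oP4sD1fG2jK root@ip-10-0-0-5 (RSA)
ec2: -----END SSH HOST KEY FINGERPRINTS-----'
# Check the RSA value from a first-connection prompt against the sample log:
printf '%s\n' "$SAMPLE_LOG" | fingerprint_matches RSA SHA256:7HhN4aB2pQ9kL0mX1cV8zT3yR6wE5uI7oP4sD1fG2jK \
    && echo "RSA fingerprint matches the console log"
```

A mismatch (or a key type missing from the log) makes `fingerprint_matches` return non-zero, which is the case where you should answer "no" at the prompt and investigate.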