Ssh – How to add a .pem private key fingerprint entry to known_hosts before connecting with ssh

sshssh-keys

WARNING -> Please be careful when reading this problem description. I had some assumptions that were not correct as I was writing this question. Make sure you read my answer explaining what I had wrong!

I have host A in AWS as an EC2 instance.

I a private key embedded in a .PEM file that I can use to host A with SSH key Z. This works if I pass it to the ssh command using the -l argument, AND if I turn off strict host checking with -o StrictHostKeyChecking=no.

I would strongly prefer to leave strict host checking on even though I "know" this is the correct host because I'm interacting with the AWS interface, getting the ip/dns from them, and I'm inside of my own little VPC world.

It seems like the only way to provide the fingerprint -> host mapping is by providing it in a known_hosts file.

Is that correct?

If that is correct, how can I take the private key embedded in the .PEM file that I have from AWS and build the correct entry for the single fingerprint -> host mapping for a temporary known_hosts file that I can read when I'm logging into the EC2 instance?

WHAT I DO NOT WANT TO DO

Use ssh-keyscan. All this does is blindly accept the fingerprint of the remote client without validating that it matches with the key. I think?
Turn off StrictHostKeyChecking. I want to establish good practices early, and I need to know how to do this now, because I'm going to need to know how to do this in general. (By this I mean how to use SSH fingerprints to validate the identity of the host I'm connecting to, based on the key that I have.)
Mess around with ssh-add. I want to write this to a file that's easy to lockdown access to, not put it into a running process.

EDITS:
Strangely when I try to extract the fingerprint from the pem file it doesn't match the fingerprint I see when I connect and it prompts me.

FINGERPRINT EXTRACTION FROM PEM

bash-4.2$ ssh-keygen -l -E md5 -f ./blah.PEM
2048 MD5:be:b1:d7:e1:f0:0f:ce:41:60:fa:97:dc:b8:2c:ed:08 no comment (RSA)
bash-4.2$ ssh-keygen -l -E sha1 -f ./blah.PEM
2048 SHA1:g2PDmIcw19Z/v7HTco6xRWxQ88c no comment (RSA)

FINGERPRINT DISPLAY DURING SSH PROMPT

bash-4.2$ ssh -i ./blah.PEM ubuntu@ip-172-31-6-91.us-east-2.compute.internal
The authenticity of host 'ip-172-31-6-91.us-east-2.compute.internal (172.31.6.91)' can't be established.
ECDSA key fingerprint is SHA256:ibwhkrF5oMapJla4cKuXgePT5lHmg08L7yMp6auCpgo.
ECDSA key fingerprint is MD5:ba:82:53:ee:89:22:26:63:26:11:21:93:63:1f:1d:d1.

How could the fingerprints be different, but the key still allows me to connect?

Best Answer

You have 2 key pairs at play there:

Server's Private/Public key.

ssh daemon on the server has a set of private keys created and stored in the /etc/ssh/ folder

The RSA fingerprint you are getting from the server comes from the public key corresponding to the /etc/ssh/ssh_host_rsa_key private key

User's Private/Public key.

This is a keypair you own. The private key should be securely stored on your computer and used to authenticate to the server. The public key is on the server, in your profile's authorized_keys file: ~/.ssh/authorized_keys

So there are 2 different public keys, and their fingerprints will not match, unless you use the same private key as one on the server, which is unlikely.

To get rid of warning do exactly as it has been asking: put fingerprint of the server into the /var/lib/jenkins/.ssh/known_hosts file.

Related Solutions

Ssh – How to remove strict RSA key checking in SSH and what’s the problem here

Please don't delete the entire known_hosts file as recommended by some people, this totally voids the point of the warning. It's a security feature to warn you that a man in the middle attack may have happened.

I suggest you identify why it thinks something has changed, most likely an SSH upgrade altered the encryption keys due to a possible security hole. You can then purge that specific line from your known_hosts file:

sed -i 377d ~/.ssh/known_hosts

This deletes line 377 as shown after the colon in the warning:

/home/emerson/.ssh/known_hosts:377

Alternatively you can remove the relevant key by doing the following

ssh-keygen -R 127.0.0.1 (obviously replace with the server's IP)

Please DO NOT purge the entire file and ensure this is actually the machine you want to be connecting to prior to purging the specific key.

Ssh – How to automate SSH login with password

Don't use a password. Generate a passphrase-less SSH key and push it to your VM.

If you already have an SSH key, you can skip this step… Just hit Enter for the key and both passphrases:

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.

Copy your keys to the target server:

$ ssh-copy-id id@server
id@server's password:

Now try logging into the machine, with ssh 'id@server', and check-in:

.ssh/authorized_keys

Note: If you don't have .ssh dir and authorized_keys file, you need to create it first

to make sure we haven’t added extra keys that you weren’t expecting.

Finally, check to log in…

$ ssh id@server

id@server:~$

You may also want to look into using ssh-agent if you want to try keeping your keys protected with a passphrase.

WHAT I DO NOT WANT TO DO

Best Answer

Related Solutions

Ssh – How to remove strict RSA key checking in SSH and what’s the problem here

Ssh – How to automate SSH login with password

Related Topic