SSH – Confirming SSH Fingerprint for New Amazon EC2 Instance Using PuTTY

Tags: amazon-ec2, putty, ssh, ssh-keys

When I create a new EC2 instance running Ubuntu 18.04, using a new EC2-generated keypair, I convert the resulting .pem to .ppk using puttygen, then try to connect to the instance using PuTTY, and I am shown the expected prompt to confirm the SSH fingerprint:

[Screenshot: PuTTY fingerprint check prompt]

PuTTY shows me a hex representation of an MD5 hash. This is the only fingerprint format PuTTY supports.

Outside PuTTY, the preferred fingerprint format these days is a SHA256 hash represented in Base64.

If I look in the EC2 system log of the freshly-created instance, sure enough I see the SSH fingerprints, SHA256 in Base64 representation:

[Screenshot: EC2 system log on new instance]

Looking at this answer, Amazon Linux used to (perhaps still does?) output a hash in hex, rather than Base64.

How can I verify that the Base64 SHA256 fingerprint shown in the EC2 system log matches up with what PuTTY is connecting to? I would rather avoid installing EC2-specific tooling.

Incidentally, I had no trouble confirming the fingerprint when using OpenSSH from PowerShell. (I would consider using this rather than PuTTY, but it seems to lack mouse support.)

[Screenshot: ssh command in PowerShell]

Also, I found this answer informative, but it doesn't give me an answer.

(All details shown in screenshots reflect a short-lived instance. I have destroyed the keypair.)

Best Answer

Accept (at least temporarily) the host key, after noting the key type (algorithm) and optionally the fingerprint, but do not yet enter any sensitive information like your password(s) or cat video(s). Do

ssh-keygen -l -f /etc/ssh/ssh_host_{type}_key.pub

This will show the 'modern' (sha256/base64) fingerprint for the key. Check it matches the value in the AWS console. You can add -v and instead check the 'ASCII art' drawing, which research reportedly says is easier to compare, although personally I haven't found it so. But then I was never good at those "what's wrong in this drawing" puzzles that used to be in the newspapers, when there used to be newspapers.

Optionally also do

ssh-keygen -l -E md5 -f {same}

to confirm the 'ancient' (md5/hex) fingerprint matches the value shown by PuTTY, although there should be little doubt of that.

If this turns out to be the wrong host, disconnect and delete the wrongly-accepted key from the registry under HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys.
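The procedure above relies on ssh-keygen on the instance to produce both fingerprint formats. As an added example (not part of the question or the answer, and not AWS or PuTTY code), the following Python script does the same computation offline from a public key line such as the contents of /etc/ssh/ssh_host_ed25519_key.pub: it derives the SHA256/Base64 fingerprint ssh-keygen -l prints and the MD5/hex fingerprint PuTTY and older EC2 logs show, and compares a fingerprint pasted from either source against the key regardless of prefix, padding or letter case. The sample key line is constructed inline (its 32 key bytes are simply 0x00..0x1f) and is not a real instance's host key; the function names are this example's own.

```python
import base64
import hashlib
import re


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length + data."""
    return len(b).to_bytes(4, "big") + b


def _sample_key_line() -> str:
    """Constructed ed25519 host key line for the demo (not a real instance key)."""
    key_bytes = bytes(range(32))  # placeholder public key material
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(key_bytes)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@ip-10-0-0-1"


SAMPLE_KEY_LINE = _sample_key_line()


def key_blob(key_line: str) -> bytes:
    """Return the raw wire-format key blob from an OpenSSH public key line.

    Both fingerprint formats are hashes of this blob, not of the text line.
    """
    fields = key_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # The first SSH string inside the blob names the key type; it must agree
    # with the type field of the line, otherwise the line is corrupt.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("key type mismatch between text field and blob")
    return blob


def sha256_fingerprint(key_line: str) -> str:
    """Modern format, as printed by 'ssh-keygen -l': SHA256:<base64, no '=' padding>."""
    digest = hashlib.sha256(key_blob(key_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def md5_fingerprint(key_line: str) -> str:
    """Legacy format, as printed by 'ssh-keygen -l -E md5' and by PuTTY: colon-separated hex."""
    digest = hashlib.md5(key_blob(key_line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_matches(key_line: str, claimed: str) -> bool:
    """Compare a fingerprint copied from the EC2 system log or the PuTTY prompt
    against the key. Accepts either format and tolerates an optional
    'MD5:'/'SHA256:' prefix, trailing base64 padding and upper-case hex."""
    c = claimed.strip()
    if re.fullmatch(r"(MD5:)?([0-9a-fA-F]{2}:){15}[0-9a-fA-F]{2}", c):
        if c.upper().startswith("MD5:"):
            c = c[len("MD5:"):]
        return c.lower() == md5_fingerprint(key_line)
    if re.fullmatch(r"(SHA256:)?[A-Za-z0-9+/]{43}=?", c):
        if c.startswith("SHA256:"):
            c = c[len("SHA256:"):]
        return c.rstrip("=") == sha256_fingerprint(key_line)[len("SHA256:"):]
    raise ValueError("unrecognised fingerprint format: %r" % claimed)


if __name__ == "__main__":
    # Paste the real host key line here (or read the .pub file) to check a live instance.
    print("SHA256 (console/system log):", sha256_fingerprint(SAMPLE_KEY_LINE))
    print("MD5 (PuTTY prompt):        ", md5_fingerprint(SAMPLE_KEY_LINE))
```

Because both fingerprints are hashes of the same decoded key blob, a SHA256 value that matches the system log and an MD5 value that matches the PuTTY prompt can only both be true of one key; checking either one against the blob you fetched from the instance is sufficient, and the function accepts whichever format the log happens to print.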