SSH fingerprint verification for Amazon AWS EC2 server with ECDSA?

佛祖请我去吃肉 2020-12-24 07:05

When I create a new Amazon EC2 server, I connect to it using ssh as usual.

I see the typical warning:

$ ssh myserver
The authenticity
2 answers
  •  一生所求
    2020-12-24 07:44

    As @joelparkerhenderson's answer covers, you can collect the host key fingerprints from the server's initial start log, when the host keys are generated (by the cloud-init script):


    If you fail to collect the keys this way, you can get them by connecting to your target instance from another trusted instance within private Amazon network, thus keeping yourself safe from man-in-the-middle attacks.

    When on the terminal of the trusted instance (the one you know the fingerprints for), you can use the following commands to collect the fingerprints (172.33.31.199 is the private IP):

    $ ssh-keyscan 172.33.31.199 > ec2key
    $ ssh-keygen -l -f ec2key
    256 SHA256:oZHeiMEPLKetRgd3M5Itgwaqr2zJJH93EvSdx5UoHbQ  (ED25519)
    2048 SHA256:8zg105EUFFrPFpVzdfTGsgXnxuSpTiQd85k0uNapUio  (RSA)
    256 SHA256:L7UXLw0djE5B9W7ZhvrkYVSTZyi1MEQ2dBaRtpkkUGY  (ECDSA)
    

    If you do not have another instance whose fingerprints you know, create a new temporary instance, just for the purpose of collecting the keys. First find the keys for the new temporary instance, using its initial start log. Connect to the temporary instance from the public network. Then collect the keys of the target instance by connecting to it from the temporary instance, over the private Amazon network. After that you can discard the temporary instance.


    I have prepared a Guide for connecting to an EC2 instance safely using WinSCP.
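An added example, not part of the answer above and not OpenSSH's or AWS's code: it reproduces offline what `ssh-keygen -l -f ec2key` computes from an `ssh-keyscan` capture (SHA256 fingerprint, key size and type label) and checks the scanned fingerprints against a set copied from the instance's initial console log. The host key in the sample is a constructed dummy blob, not a real key.

```python
# Offline equivalent of `ssh-keygen -l -f ec2key` run over an ssh-keyscan capture.
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:  # SSH wire 'string': uint32 length + payload
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, off: int):  # returns (payload, next offset)
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH SHA256 fingerprint: unpadded base64 of sha256 over the key blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def key_bits(blob: bytes):
    """Return (bit size, ssh-keygen type label) for a public key blob."""
    ktype, off = read_string(blob, 0)
    ktype = ktype.decode()
    if ktype == "ssh-ed25519":
        return 256, "ED25519"
    if ktype.startswith("ecdsa-sha2-nistp"):
        return int(ktype[len("ecdsa-sha2-nistp"):]), "ECDSA"
    if ktype == "ssh-rsa":
        _e, off = read_string(blob, off)  # public exponent e (mpint)
        n, _ = read_string(blob, off)     # modulus n (mpint)
        return int.from_bytes(n, "big").bit_length(), "RSA"
    raise ValueError("unsupported key type " + ktype)

def scan_fingerprints(keyscan_output: str):
    """Turn ssh-keyscan lines ('host type base64') into (bits, fingerprint, type) rows."""
    rows = []
    for line in keyscan_output.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _host, _ktype, b64 = line.split()[:3]
        blob = base64.b64decode(b64)
        bits, label = key_bits(blob)
        rows.append((bits, fingerprint_sha256(blob), label))
    return rows

def verify(keyscan_output: str, console_log_fps: set) -> list:
    """Fingerprints seen on the wire but absent from the console log (empty = all match)."""
    return sorted(fp for _, fp, _ in scan_fingerprints(keyscan_output) if fp not in console_log_fps)

# Constructed sample: an ED25519 blob with a dummy 32-byte point, not a real host key.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_KEYSCAN = "172.33.31.199 ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()
```

Feed `verify()` the real `ssh-keyscan` output and the fingerprints copied from the console log; any fingerprint it returns belongs to a key the console log never announced and should not be trusted.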
