SSH fingerprint verification for Amazon AWS EC2 server with ECDSA?

佛祖请我去吃肉 2020-12-24 07:05

When I create a new Amazon EC2 server, I connect to it using ssh as usual.

I see the typical warning:

$ ssh myserver  
The authenticity          


        
2 answers
  •  时光说笑
    2020-12-24 07:29

    Here are two solutions that worked for me during the creation of the EC2 system.

    Solution 1: Use the Amazon EC2 dashboard

    • Go to https://console.aws.amazon.com
    • Tap "EC2" link.
    • Tap "Instances" in the left column
    • Tap the instance name you want
    • Tap the select button "Actions" and choose "Get System Log" (a.k.a. "Console Output")
    • In the console output, you should see the keys being generated

    Solution 2: Use the AWS EC2 command line

    You can use the aws command or ec2-get-console-output command. Both are available for download from Amazon.

    To use your EC2 private key pem file, certificate pem file, region, and instance:

    ec2-get-console-output \
      --private-key pk-ABCDEF1234567890.pem \
      --cert cert-ABCDEF1234567890.pem \
      --region us-east-1c \
      i-e706689a   
    

    The output shows the ssh host key fingerprints like this:

    ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
    ec2: 1024 e0:79:1e:ba:2e:3c:71:87:2c:f5:62:2b:0d:1b:6d:7b  root@ip-10-243-118-182 (DSA)
    ec2: 256 31:66:15:d2:19:41:2b:09:8a:8f:9f:bd:de:c6:ff:07  root@ip-10-243-118-182 (ECDSA)
    ec2: 2048 ce:ec:3b:d3:34:3f:f3:45:76:81:9e:76:7a:d9:f5:e8  root@ip-10-243-118-182 (RSA)
    ec2: -----END SSH HOST KEY FINGERPRINTS-----
    

    The aws tool works similarly.

    Note: these solutions only work during creation time, or when you can get the console logs. For a broader solution that works any time, see Martin's answer.
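
The comparison step, as an added example that is not part of the answer above: it parses the fingerprint block from the console output and checks a host key (in `ssh-keyscan` line format) against it. It assumes the MD5 colon-hex format shown above; the function names are hypothetical and `SAMPLE_KEY` is constructed, not a real key.

```python
import base64
import hashlib
import hmac
import re

# Fingerprint line as in the console output above: "<bits> <md5 colon-hex>  <comment> (<TYPE>)"
FP_LINE = re.compile(r"(\d+) ((?:[0-9a-f]{2}:){15}[0-9a-f]{2})\s+\S+\s+\((\w+)\)")

def parse_console_fingerprints(console_text):
    """Return {key_type: (bits, fingerprint)} from the BEGIN/END block only."""
    found, inside = {}, False
    for line in console_text.splitlines():
        if "BEGIN SSH HOST KEY FINGERPRINTS" in line:
            inside = True
        elif "END SSH HOST KEY FINGERPRINTS" in line:
            inside = False
        elif inside:
            m = FP_LINE.search(line)
            if m:
                found[m.group(3)] = (int(m.group(1)), m.group(2))
    return found

def md5_fingerprint(pubkey_line):
    """MD5 colon-hex fingerprint of a 'host keytype base64' line (ssh-keyscan format)."""
    blob = base64.b64decode(pubkey_line.split()[2])
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def host_key_matches(console_text, pubkey_line, key_type):
    """True only if the offered key hashes to the fingerprint the instance logged."""
    logged = parse_console_fingerprints(console_text).get(key_type)
    if logged is None:
        return False  # nothing logged for this key type: treat as unverified
    return hmac.compare_digest(logged[1], md5_fingerprint(pubkey_line))

# Console excerpt copied from the answer above.
SAMPLE_CONSOLE = """\
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 1024 e0:79:1e:ba:2e:3c:71:87:2c:f5:62:2b:0d:1b:6d:7b  root@ip-10-243-118-182 (DSA)
ec2: 256 31:66:15:d2:19:41:2b:09:8a:8f:9f:bd:de:c6:ff:07  root@ip-10-243-118-182 (ECDSA)
ec2: 2048 ce:ec:3b:d3:34:3f:f3:45:76:81:9e:76:7a:d9:f5:e8  root@ip-10-243-118-182 (RSA)
ec2: -----END SSH HOST KEY FINGERPRINTS-----
"""
# Constructed stand-in for a key offered by the server (not a real key).
SAMPLE_KEY = "myserver ecdsa-sha2-nistp256 " + base64.b64encode(b"constructed-key-blob").decode()

if __name__ == "__main__":
    print(parse_console_fingerprints(SAMPLE_CONSOLE)["ECDSA"])
    print(host_key_matches(SAMPLE_CONSOLE, SAMPLE_KEY, "ECDSA"))
```

Current OpenSSH clients show SHA256 fingerprints by default; `ssh -o FingerprintHash=md5 myserver` makes the prompt show the MD5 colon-hex form used in this console output.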
