SSH fingerprint verification for Amazon AWS EC2 server with ECDSA?

Question

When I create a new Amazon EC2 server, I connect to it using ssh as usual.

I see the typical warning:

$ ssh myserver  
The authenticity          


        

Answer 1

Here are two solutions that worked for me during the creation of the EC2 system.

Solution 1: Use the Amazon EC2 dashboard

• Go to https://console.aws.amazon.com
• Tap "EC2" link.
• Tap "Instances" in the left column
• Tap the instance name you want
• Tap the select button "Actions" and choose "Get System Log" (a.k.a. "Console Output")
• In the console output, you should see the keys being generated

Solution 2: Use the AWS EC2 command line

You can use the aws command or ec2-get-console-output command. Both are available for download from Amazon.

To use your EC2 private key pem file, certificate pem file, region, and instance:

ec2-get-console-output \
  --private-key pk-ABCDEF1234567890.pem \
  --cert cert-ABCDEF1234567890.pem \
  --region us-east-1c \
  i-e706689a   

The output shows the ssh host key fingerprints like this:

ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 1024 e0:79:1e:ba:2e:3c:71:87:2c:f5:62:2b:0d:1b:6d:7b  root@ip-10-243-118-182 (DSA)
ec2: 256 31:66:15:d2:19:41:2b:09:8a:8f:9f:bd:de:c6:ff:07  root@ip-10-243-118-182 (ECDSA)
ec2: 2048 ce:ec:3b:d3:34:3f:f3:45:76:81:9e:76:7a:d9:f5:e8  root@ip-10-243-118-182 (RSA)
ec2: -----END SSH HOST KEY FINGERPRINTS-----

The aws tool works similarly.

Note: these solutions only work during creation time, or when you can get the console logs. For a broader solution that works any time, see Martin's answer.

Answer 2

As @joelparkerhenderson's answer covers, you can collect host key fingerprint from server's initial start log, when host keys are generated (by the cloud-init script):

---

If you fail to collect the keys this way, you can get them by connecting to your target instance from another trusted instance within private Amazon network, thus keeping yourself safe from man-in-the-middle attacks.

When on the trusted instance (the one you know fingerprints for) terminal, you can use following commands to collect fingerprints (172.33.31.199 is the private IP):

$ ssh-keyscan 172.33.31.199 > ec2key
$ ssh-keygen -l -f ec2key
256 SHA256:oZHeiMEPLKetRgd3M5Itgwaqr2zJJH93EvSdx5UoHbQ <ip> (ED25519)
2048 SHA256:8zg105EUFFrPFpVzdfTGsgXnxuSpTiQd85k0uNapUio <ip> (RSA)
256 SHA256:L7UXLw0djE5B9W7ZhvrkYVSTZyi1MEQ2dBaRtpkkUGY <ip> (ECDSA)

---

If you do not have another instance, whose fingerprints you know, create new temporary instance, just for the purpose of collecting the keys. First find keys for the new temporary instance, using it's initial start log. Connect to the temporary instance from public network. Then collect keys of the target instance by connecting to it from the temporary instance, over private Amazon network. After that you can discard the temporary instance.

---

I have prepared Guide for connecting to EC2 instance safely using WinSCP.