SSH fingerprint verification for Amazon AWS EC2 server with ECDSA?


Problem description

When I create a new Amazon EC2 server, I connect to it using ssh as usual.

I see the typical warning:

$ ssh myserver  
The authenticity of host 'ec2-12-34-567-890.compute-1.amazonaws.com (12.34.567.890)' can't be established.
ECDSA key fingerprint is 31:66:15:d2:19:41:2b:09:8a:8f:9f:bd:de:c6:ff:07.
Are you sure you want to continue connecting (yes/no)? 

How do I verify the fingerprint before I sign in?

Ideally an answer is based on something besides the original creation console log -- because the log may get flushed out after a system restart, or during a large system installation script that generates a lot of output, or the connection is to an older system with keys that weren't tracked at creation time.

Recommended answer

As @joelparkerhenderson's answer covers, you can collect the host key fingerprints from the server's initial start log, when the host keys are generated (by the cloud-init script):

If you fail to collect the keys this way, you can get them by connecting to your target instance from another trusted instance within the private Amazon network, thus keeping yourself safe from man-in-the-middle attacks.

When on the terminal of the trusted instance (the one whose fingerprints you know), you can use the following commands to collect the fingerprints (172.33.31.199 is the private IP):

$ ssh-keyscan 172.33.31.199 > ec2key
$ ssh-keygen -l -f ec2key
256 SHA256:oZHeiMEPLKetRgd3M5Itgwaqr2zJJH93EvSdx5UoHbQ <ip> (ED25519)
2048 SHA256:8zg105EUFFrPFpVzdfTGsgXnxuSpTiQd85k0uNapUio <ip> (RSA)
256 SHA256:L7UXLw0djE5B9W7ZhvrkYVSTZyi1MEQ2dBaRtpkkUGY <ip> (ECDSA)


If you do not have another instance whose fingerprints you know, create a new temporary instance, just for the purpose of collecting the keys. First find the keys for the new temporary instance, using its initial start log. Connect to the temporary instance from the public network. Then collect the keys of the target instance by connecting to it from the temporary instance, over the private Amazon network. After that you can discard the temporary instance.

I have prepared a guide to securely connecting to an EC2 instance using WinSCP.
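As an added example (not part of the original answer or of OpenSSH), the script below reproduces what `ssh-keygen -l -f` does on `ssh-keyscan` output: OpenSSH's `SHA256:` fingerprint is the base64 of the SHA-256 digest of the public key blob with padding stripped, and the older colon-separated form seen in the question's warning is the MD5 digest in hex. It then compares the computed fingerprints against ones recorded from a trusted source (the console log, or a scan run on a trusted instance); the sample keyscan text and its key blobs are constructed placeholders, not real EC2 keys.

```python
import base64
import hashlib

# Constructed sample of `ssh-keyscan <private-ip>` output. The key blobs are
# placeholders (base64 of "abc" and "def"), not real EC2 host keys.
SAMPLE_KEYSCAN = """\
# 172.33.31.199:22 SSH-2.0-OpenSSH_8.9
172.33.31.199 ssh-ed25519 YWJj
172.33.31.199 ssh-rsa ZGVm
"""


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH SHA256 form: base64 of the digest with '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy OpenSSH MD5 form (colon-separated hex), as in older console logs."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def parse_keyscan(text: str) -> list[tuple[str, str, bytes]]:
    """Return (host, key type, decoded public key blob) for each key line."""
    keys = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # banner/comment lines carry no key
        host, key_type, b64 = line.split()[:3]
        keys.append((host, key_type, base64.b64decode(b64)))
    return keys


def check_host_keys(keyscan_text: str, trusted: dict[str, str]) -> dict[str, bool]:
    """Map each scanned key type to whether its fingerprint matches `trusted`.
    `trusted` maps key type -> fingerprint noted from a trusted source, in either
    form. A scanned key type with no recorded fingerprint counts as unverified."""
    verdict = {}
    for _host, key_type, blob in parse_keyscan(keyscan_text):
        expected = trusted.get(key_type)
        verdict[key_type] = expected in (sha256_fingerprint(blob), md5_fingerprint(blob))
    return verdict


if __name__ == "__main__":
    for host, key_type, blob in parse_keyscan(SAMPLE_KEYSCAN):
        print(host, key_type, sha256_fingerprint(blob), md5_fingerprint(blob))
```

Only connect (or add the key to `known_hosts`) when every key type the server offers comes back `True`; a mismatch on any of them is the situation the warning in the question exists to catch.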
