SSH fingerprint verification for Amazon AWS EC2 server with ECDSA?


Question

When I create a new Amazon EC2 server, I connect to it using ssh as usual.

I see the typical warning:

$ ssh myserver  
The authenticity of host 'ec2-12-34-567-890.compute-1.amazonaws.com (12.34.567.890)'     can't be established.
ECDSA key fingerprint is 31:66:15:d2:19:41:2b:09:8a:8f:9f:bd:de:c6:ff:07.
Are you sure you want to continue connecting (yes/no)? 

How do I verify the fingerprint before I sign in?

Ideally an answer is based on something besides the original creation console log -- because the log may get flushed out after a system restart, or during a large system installation script that generates a lot of output, or the connection is to an older system with keys that weren't tracked at creation time.

Answer

As @joelparkerhenderson's answer covers, you can collect the host key fingerprint from the server's initial start log, when the host keys are generated (by the cloud-init script):

If you fail to collect the keys this way, you can get them by connecting to your target instance from another trusted instance within the private Amazon network, thus keeping yourself safe from man-in-the-middle attacks.

When on the terminal of the trusted instance (the one you know the fingerprints for), you can use the following commands to collect the fingerprints (172.33.31.199 is the private IP):

$ ssh-keyscan 172.33.31.199 > ec2key
$ ssh-keygen -l -f ec2key
2048 02:fc:a5:ff:97:dd:41:63:bb:88:8b:29:4e:75:23:ed 172.33.31.199 (RSA)
256 ea:bc:4d:5f:ae:00:48:75:45:ba:97:43:fe:e1:a3:e9 172.33.31.199 (ECDSA)

If you do not have another instance whose fingerprints you know, create a new temporary instance just for the purpose of collecting the keys. First find the keys for the new temporary instance, using its initial start log. Connect to the temporary instance from the public network. Then collect the keys of the target instance by connecting to it from the temporary instance, over the private Amazon network. After that you can discard the temporary instance.
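The procedure above ends with a manual comparison: the fingerprint that `ssh-keygen -l -f ec2key` prints on the trusted instance against the one in the console log or the one in the `ssh` prompt. The following added example (not part of the answer above and not code from AWS or WinSCP) shows what that comparison actually computes, so it can be scripted: it parses `ssh-keyscan` output (known_hosts format), derives the MD5 fingerprint (the `ea:bc:4d:...` colon form shown above) and the SHA256 fingerprint (the form newer OpenSSH prints by default) from the base64 key blob exactly as `ssh-keygen -l` does, and checks a dictionary of expected fingerprints per key type. The `ssh-keyscan` line is constructed inline around a syntactically valid but not real ECDSA key blob, so the example runs offline; the function names are my own.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_keyscan_line(line: str):
    """Parse one ssh-keyscan / known_hosts line: 'host keytype base64blob [comment]'.

    Returns (host, keytype, blob) or None for blank and comment lines
    (ssh-keyscan writes '# host:port banner' comment lines to stderr, which
    may end up in the file when output is redirected with 2>&1).
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 3:
        raise ValueError(f"malformed known_hosts line: {line!r}")
    host, keytype, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64, validate=True)
    # The blob's first SSH string is the key type; it must agree with the text field,
    # otherwise the line was tampered with or corrupted in transit.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != keytype.encode():
        raise ValueError("key type inside blob does not match key type field")
    return host, keytype, blob


def fingerprint_md5(blob: bytes) -> str:
    """MD5 fingerprint in the legacy colon-separated form ssh-keygen -l -E md5 prints."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(blob: bytes) -> str:
    """SHA256 fingerprint as OpenSSH >= 6.8 prints it: 'SHA256:' + unpadded base64."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def normalize(fp: str) -> str:
    """Bring a fingerprint copied from a console log or ssh prompt into canonical form."""
    fp = fp.strip()
    if fp.upper().startswith("MD5:"):
        fp = fp[4:]
    if fp.upper().startswith("SHA256:"):
        return "SHA256:" + fp[7:].rstrip("=")
    return fp.lower()


def fingerprints_match(expected: str, blob: bytes) -> bool:
    """True if the expected fingerprint (MD5 or SHA256 form) belongs to this key blob."""
    exp = normalize(expected)
    return exp in (fingerprint_md5(blob), fingerprint_sha256(blob))


def verify_keyscan_output(keyscan_text: str, expected: dict) -> dict:
    """Check ssh-keyscan output against {keytype: fingerprint}; returns {keytype: bool}.

    Key types the caller did not supply an expectation for are ignored; a key type
    that was expected but absent from the scan is reported as False.
    """
    results = {keytype: False for keytype in expected}
    for line in keyscan_text.splitlines():
        parsed = parse_keyscan_line(line)
        if parsed is None:
            continue
        _host, keytype, blob = parsed
        if keytype in expected:
            results[keytype] = fingerprints_match(expected[keytype], blob)
    return results


# Constructed sample key blob: correct ecdsa-sha2-nistp256 wire layout, but the
# point bytes are zeros, so this is NOT a usable key; it exists only to exercise the code.
SAMPLE_BLOB = (ssh_string(b"ecdsa-sha2-nistp256")
               + ssh_string(b"nistp256")
               + ssh_string(b"\x04" + bytes(64)))

# Constructed ssh-keyscan output for the private IP used in the answer.
SAMPLE_KEYSCAN = ("# 172.33.31.199:22 SSH-2.0-OpenSSH (constructed banner line)\n"
                  "172.33.31.199 ecdsa-sha2-nistp256 "
                  + base64.b64encode(SAMPLE_BLOB).decode() + "\n")


if __name__ == "__main__":
    # Fingerprint copied from the console log in the answer above; it will not match
    # the constructed key, which is the case a verifier must refuse to connect on.
    from_console_log = {"ecdsa-sha2-nistp256": "ea:bc:4d:5f:ae:00:48:75:45:ba:97:43:fe:e1:a3:e9"}
    print("console-log fingerprint matches scan:", verify_keyscan_output(SAMPLE_KEYSCAN, from_console_log))
    print("scanned key MD5   :", fingerprint_md5(SAMPLE_BLOB))
    print("scanned key SHA256:", fingerprint_sha256(SAMPLE_BLOB))
```

Only a `True` for every expected key type should be treated as a verified host; when the result is `False` the right response is the same as for an unexpected prompt: do not answer `yes`, and re-collect the fingerprint over the private network as described above.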

I have prepared a guide for connecting to an EC2 instance safely using WinSCP:
http://winscp.net/eng/docs/guide_amazon_ec2
