WARNING -> Please be careful when reading this problem description. I had some assumptions that were not correct as I was writing this question. Make sure you read my answer explaining what I had wrong!
I have host A in AWS as an EC2 instance.
I a private key embedded in a .PEM file that I can use to host A with SSH key Z. This works if I pass it to the ssh command using the
-l argument, AND if I turn off strict host checking with
I would strongly prefer to leave strict host checking on even though I "know" this is the correct host because I'm interacting with the AWS interface, getting the ip/dns from them, and I'm inside of my own little VPC world.
It seems like the only way to provide the fingerprint -> host mapping is by providing it in a
Is that correct?
If that is correct, how can I take the private key embedded in the .PEM file that I have from AWS and build the correct entry for the single fingerprint -> host mapping for a temporary
known_hosts file that I can read when I'm logging into the EC2 instance?
WHAT I DO NOT WANT TO DO
ssh-keyscan. All this does is blindly accept the fingerprint of the remote client without validating that it matches with the key. I think?
- Turn off
StrictHostKeyChecking. I want to establish good practices early, and I need to know how to do this now, because I'm going to need to know how to do this in general. (By
this I mean how to use SSH fingerprints to validate the identity of the host I'm connecting to, based on the key that I have.)
- Mess around with
ssh-add. I want to write this to a file that's easy to lockdown access to, not put it into a running process.
Strangely when I try to extract the fingerprint from the pem file it doesn't match the fingerprint I see when I connect and it prompts me.
FINGERPRINT EXTRACTION FROM PEM
bash-4.2$ ssh-keygen -l -E md5 -f ./blah.PEM
2048 MD5:be:b1:d7:e1:f0:0f:ce:41:60:fa:97:dc:b8:2c:ed:08 no comment (RSA)
bash-4.2$ ssh-keygen -l -E sha1 -f ./blah.PEM
2048 SHA1:g2PDmIcw19Z/v7HTco6xRWxQ88c no comment (RSA)
FINGERPRINT DISPLAY DURING SSH PROMPT
bash-4.2$ ssh -i ./blah.PEM firstname.lastname@example.org
The authenticity of host 'ip-172-31-6-91.us-east-2.compute.internal (172.31.6.91)' can't be established.
ECDSA key fingerprint is SHA256:ibwhkrF5oMapJla4cKuXgePT5lHmg08L7yMp6auCpgo.
ECDSA key fingerprint is MD5:ba:82:53:ee:89:22:26:63:26:11:21:93:63:1f:1d:d1.
How could the fingerprints be different, but the key still allows me to connect?