Menu
Index

Contact
Atom Feed
Comments Atom Feed

Similar Articles

2016-07-17 15:23
AWS ssh known_host sync
2012-10-23 21:18
Ubuntu, encrypted home directories and ssh key authentication
2015-10-25 08:02
Ubuntu/Debian/Linux Mint and AWS CLI Autocomplete

Recent Articles

2019-07-28 16:35
git http with Nginx via Flask wsgi application (git4nginx)
2018-05-15 16:48
Raspberry Pi Camera, IR Lights and more
2017-04-23 14:21
Raspberry Pi SD Card Test
2017-04-07 10:54
DNS Firewall (blackhole malicious, like Pi-hole) with bind9
2017-03-28 13:07
Kubernetes to learn Part 4

Glen Pitt-Pladdy :: Blog

EC2 ssh key automatic validation

When a new EC2 instance (Amazon AWS compute) Linux instance is started, pretty much the first thing you need to do is connect via ssh to begin configuration (or bootstrap automation), but ssh gives the usual warning:

$ ssh ec2-user@.....eu-west-1.compute.amazonaws.com
The authenticity of host '.....eu-west-1.compute.amazonaws.com (aaa.bbb.ccc.ddd)' can't be established.
ECDSA key fingerprint is 75:d0:02:fd:e4:31:50:ec:27:98:88:3a:a6:12:10:79.
Are you sure you want to continue connecting (yes/no)?

So, is this really the fingerprint? Is there a MiM (Man in the Middle)?

I see an awful lot of people blindly accepting whatever host key they get, or where automation (DevOps) is being used, setting StrictHostKeyChecking to no. This simply means automatically blindly accepting whatever host key you get.

From a security point of view this is shocking behaviour and inviting trouble, especially when it's so easy to do this right.

Getting the Keys

Straight from the EC2 Documentation, on boot an EC2 instance console output gets captured and is available via API, or in our case we'll just use the AWS CLI from shell:

$ aws --output text ec2 get-console-output --instance-id <instance id>

That provides console output in raw text. From that you can get the ssh key Fingerprints and manually check them.

For practical purposes (and automation) wouldn't it be a whole lot easier to add to the ~/.ssh/known_hosts file automatically? Fortunately the host keys easily extracted:

$ aws --output text ec2 get-console-output --instance-id <instance id> \
        | sed -n '/^-----BEGIN SSH HOST KEY KEYS-----/,/^-----END SSH HOST KEY KEYS-----/p'

Putting it all together

So if we wanted to completely automate adding keys we could have a script something like:

#!/bin/sh

if [ $# -ne 1 ]; then
        echo "Usage: $0 <instance id>" >&2
        exit 1
fi

# uncomment for IP
#addr=`aws --output text ec2 describe-instances --instance-id $1 | grep ^INSTANCES | awk '{print $15}'`
# uncomment for DNS Address
addr=`aws --output text ec2 describe-instances --instance-id $1 | grep ^INSTANCES | awk '{print $14}'`
aws --output text ec2 get-console-output --instance-id $1 \
        | sed -n '/^-----BEGIN SSH HOST KEY KEYS-----/,/^-----END SSH HOST KEY KEYS-----/p' \
        | tail -n +2 | head -n -1 | sed "s/^/$addr /"
 

This also grabs the public DNS Address (or IP if you comment lines the other way) and generated lines that you can append (>>) to your ~/.ssh/known_hosts file before trying to connect the first time, or script this into your automation.

You could also append an instance ID to the lines or similar for easy management (cleaning up after you delete the instances later).

Being secure isn't hard after all!

Comments:




Note: Identity details will be stored in a cookie. Posts may not appear immediately
Disclaimer: This is a load of random thoughts, ideas and other nonsense and is not intended to be taken seriously. I have no idea what I am doing with most of this so if you are stupid and naive enough to believe any of it, it is your own fault and you can live with the consequences. More importantly this blog may contain substances such as humor which have not yet been approved for human (or machine) consumption and could seriously damage your health if taken seriously. If you still feel the need to litigate (or whatever other legal nonsense people have dreamed up now), then please address all complaints and other stupidity to yourself as you clearly "don't get it".