HorusKol

Check SSH fingerprints on AWS EC2

October 27, 2022

Warning: Remote host identification has changed!

When opening an SSH connection to one of my EC2 instances on AWS, I got the unexpected warning that the host fingerprint was different.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is

Please contact your system administrator.
Add correct host key in /home/----/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/----/.ssh/known_hosts:32
  remove with:
  ssh-keygen -f "/home/----/.ssh/known_hosts" -R "----.----.com"
ECDSA host key for ----.----.com has changed and you have requested strict checking.
Host key verification failed.

Previously, I'd come across this a few times before when replacing servers and moving domain names, but this was unexpected - as far as I knew, the server hadn't changed (although, an update may have triggered it to generate a new fingerprint).

Almost all the material I can find on the web tells you how to replace the local record, but none of it tells you how to confirm that the "new" fingerprint is actually legitimate, which is the whole point of the warning: the message even says outright that this could be a man-in-the-middle attack.

You can confirm that the fingerprint really belongs to your EC2 instance by checking the instance's system log:

  • Open the EC2 instance in your AWS console
  • Click on the Actions menu
  • Click on the Monitor and troubleshoot submenu
  • Click on Get system log

It might take a bit of a search, but you should find the SSH host key fingerprints in the log:

<14>Oct 26 07:32:13 cloud-init: #############################################################
<14>Oct 26 07:32:13 cloud-init: -----BEGIN SSH HOST KEY FINGERPRINTS-----

<14>Oct 26 07:32:13 cloud-init: -----END SSH HOST KEY FINGERPRINTS-----
<14>Oct 26 07:32:13 cloud-init: #############################################################

If the fingerprint in the warning matches one of the fingerprints in the log, then all is well and you can safely update your known hosts file.
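As an added example (not code from the original post), the comparison described above can be scripted: compute the SHA256 and MD5 fingerprints of the key the host actually presents (one `ssh-keyscan` output line) and look for either form inside the BEGIN/END block of the instance's system log, which `aws ec2 get-console-output` returns as text. It assumes the lines inside the markers follow `ssh-keygen -l` output (older cloud-init versions print MD5 fingerprints without the "MD5:" prefix, which is why both forms are checked); the key blob and the log are constructed sample data.

```python
import base64
import hashlib
import re

# Markers exactly as cloud-init prints them in the EC2 system log (see the post).
BEGIN = "-----BEGIN SSH HOST KEY FINGERPRINTS-----"
END = "-----END SSH HOST KEY FINGERPRINTS-----"
# SHA256 form (43 unpadded base64 chars) or MD5 form, with or without the "MD5:" prefix.
FP_RE = re.compile(r"SHA256:[A-Za-z0-9+/]{43}|(?:MD5:)?(?:[0-9a-f]{2}:){15}[0-9a-f]{2}")

def fingerprint_sha256(blob):
    """OpenSSH SHA256 fingerprint: unpadded base64 of sha256 over the raw key blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def fingerprint_md5(blob):
    """OpenSSH legacy MD5 fingerprint: colon-separated hex of md5 over the raw key blob."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def presented_fingerprints(keyscan_line):
    """Fingerprints of the key the host actually presents (one `ssh-keyscan` output line)."""
    _host, _keytype, key_b64 = keyscan_line.split()[:3]
    blob = base64.b64decode(key_b64)
    md5 = fingerprint_md5(blob)
    # Older ssh-keygen (and hence older cloud-init logs) print MD5 without the prefix.
    return {fingerprint_sha256(blob), md5, md5[len("MD5:"):]}

def console_fingerprints(console_log):
    """Fingerprints found between cloud-init's BEGIN/END markers in the system log."""
    found, inside = set(), False
    for line in console_log.splitlines():
        if END in line:
            inside = False
        elif inside:
            found.update(FP_RE.findall(line))
        elif BEGIN in line:
            inside = True
    return found

def host_key_matches_console(keyscan_line, console_log):
    """True if the presented key's fingerprint appears in the instance's own system log."""
    return bool(presented_fingerprints(keyscan_line) & console_fingerprints(console_log))

# Constructed sample data: a stand-in key blob (real blobs are the wire-format public key)
# and a cloud-init style system log whose fingerprint line is filled from that same blob.
SAMPLE_BLOB = b"constructed-sample-ecdsa-host-key-blob"
SAMPLE_KEYSCAN = "ec2.example.com ecdsa-sha2-nistp256 " + base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_LOG = "\n".join("<14>Oct 26 07:32:13 cloud-init: " + body for body in
                       (BEGIN, "256 " + fingerprint_sha256(SAMPLE_BLOB) + " root@ip-10-0-0-1 (ECDSA)", END))
# A log from a different (or rebuilt) instance must not match the presented key.
STALE_LOG = SAMPLE_LOG.replace(fingerprint_sha256(SAMPLE_BLOB), fingerprint_sha256(b"some-other-key"))
```

To compare by hand instead, `ssh-keygen -l -E md5 -f <key.pub>` prints the MD5 form and `-E sha256` the SHA256 form, so you can match whichever form the log shows.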