How can I add a .pem private key fingerprint entry to known_hosts before connecting with ssh?Error connecting to server through sshHow to remove strict RSA key checking in SSH and what's the problem here?Fingerprint of PEM ssh keySSH: Unable to login with key after disabling password authenticationWindows Password won't decrypt on AWS EC2 even with the correct private keyWarning: Remote host identification has changed (SSH)Can I find local ssh private key from remote fingerprint?Securely add host (e.g. github) to SSH known_hosts file?EC2 SSH sudden keypair issueHow to add key to global ssh_known_hosts without ssh-keyscan?

Source of the Wildfire?

Why are solar panels kept tilted?

Will a coyote attack my dog on a leash while I'm on a hiking trail?

Why does SSL Labs now consider CBC suites weak?

How to redirect stdout to a file, and stdout+stderr to another one?

How might a landlocked lake become a complete ecosystem?

Is there an academic word that means "to split hairs over"?

How to describe a building set which is like LEGO without using the "LEGO" word?

Why does lemon juice reduce the "fish" odor of sea food — specifically fish?

Did galley captains put corks in the mouths of slave rowers to keep them quiet?

Is this possible when it comes to the relations of P, NP, NP-Hard and NP-Complete?

Is Valonqar prophecy unfulfilled?

Mark command as obsolete

Wireless headphones interfere with Wi-Fi signal on laptop

How do I adjust encounters to challenge my lycanthrope players without negating their cool new abilities?

Why is it harder to turn a motor/generator with shorted terminals?

Would life always name the light from their sun "white"

Can only the master initiate communication in SPI whereas in I2C the slave can also initiate the communication?

How to not get blinded by an attack at dawn

Why does the headset man not get on the tractor?

Why weren't the bells paid heed to in S8E5?

Why are BJTs common in output stages of power amplifiers?

Is there any way to adjust the damage type of the Eldritch Blast cantrip so that it does fire damage?

the grammar about `adv adv` as 'too quickly'



How can I add a .pem private key fingerprint entry to known_hosts before connecting with ssh?


Error connecting to server through sshHow to remove strict RSA key checking in SSH and what's the problem here?Fingerprint of PEM ssh keySSH: Unable to login with key after disabling password authenticationWindows Password won't decrypt on AWS EC2 even with the correct private keyWarning: Remote host identification has changed (SSH)Can I find local ssh private key from remote fingerprint?Securely add host (e.g. github) to SSH known_hosts file?EC2 SSH sudden keypair issueHow to add key to global ssh_known_hosts without ssh-keyscan?






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








2















WARNING -> Please be careful when reading this problem description. I had some assumptions that were not correct as I was writing this question. Make sure you read my answer explaining what I had wrong!



I have host A in AWS as an EC2 instance.



I a private key embedded in a .PEM file that I can use to host A with SSH key Z. This works if I pass it to the ssh command using the -l argument, AND if I turn off strict host checking with -o StrictHostKeyChecking=no.



I would strongly prefer to leave strict host checking on even though I "know" this is the correct host because I'm interacting with the AWS interface, getting the ip/dns from them, and I'm inside of my own little VPC world.



It seems like the only way to provide the fingerprint -> host mapping is by providing it in a known_hosts file.



Is that correct?



If that is correct, how can I take the private key embedded in the .PEM file that I have from AWS and build the correct entry for the single fingerprint -> host mapping for a temporary known_hosts file that I can read when I'm logging into the EC2 instance?



WHAT I DO NOT WANT TO DO



  • Use ssh-keyscan. All this does is blindly accept the fingerprint of the remote client without validating that it matches with the key. I think?

  • Turn off StrictHostKeyChecking. I want to establish good practices early, and I need to know how to do this now, because I'm going to need to know how to do this in general. (By this I mean how to use SSH fingerprints to validate the identity of the host I'm connecting to, based on the key that I have.)

  • Mess around with ssh-add. I want to write this to a file that's easy to lockdown access to, not put it into a running process.

EDITS:
Strangely when I try to extract the fingerprint from the pem file it doesn't match the fingerprint I see when I connect and it prompts me.



FINGERPRINT EXTRACTION FROM PEM



bash-4.2$ ssh-keygen -l -E md5 -f ./blah.PEM
2048 MD5:be:b1:d7:e1:f0:0f:ce:41:60:fa:97:dc:b8:2c:ed:08 no comment (RSA)
bash-4.2$ ssh-keygen -l -E sha1 -f ./blah.PEM
2048 SHA1:g2PDmIcw19Z/v7HTco6xRWxQ88c no comment (RSA)


FINGERPRINT DISPLAY DURING SSH PROMPT



bash-4.2$ ssh -i ./blah.PEM ubuntu@ip-172-31-6-91.us-east-2.compute.internal
The authenticity of host 'ip-172-31-6-91.us-east-2.compute.internal (172.31.6.91)' can't be established.
ECDSA key fingerprint is SHA256:ibwhkrF5oMapJla4cKuXgePT5lHmg08L7yMp6auCpgo.
ECDSA key fingerprint is MD5:ba:82:53:ee:89:22:26:63:26:11:21:93:63:1f:1d:d1.


How could the fingerprints be different, but the key still allows me to connect?










share|improve this question









New contributor



Jazzepi is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.



















  • For starters, known_hosts doesn't store fingerprints, it stores public keys, so I think you have some more incorrect assumptions to work through.

    – womble
    2 hours ago

















2















WARNING -> Please be careful when reading this problem description. I had some assumptions that were not correct as I was writing this question. Make sure you read my answer explaining what I had wrong!



I have host A in AWS as an EC2 instance.



I a private key embedded in a .PEM file that I can use to host A with SSH key Z. This works if I pass it to the ssh command using the -l argument, AND if I turn off strict host checking with -o StrictHostKeyChecking=no.



I would strongly prefer to leave strict host checking on even though I "know" this is the correct host because I'm interacting with the AWS interface, getting the ip/dns from them, and I'm inside of my own little VPC world.



It seems like the only way to provide the fingerprint -> host mapping is by providing it in a known_hosts file.



Is that correct?



If that is correct, how can I take the private key embedded in the .PEM file that I have from AWS and build the correct entry for the single fingerprint -> host mapping for a temporary known_hosts file that I can read when I'm logging into the EC2 instance?



WHAT I DO NOT WANT TO DO



  • Use ssh-keyscan. All this does is blindly accept the fingerprint of the remote client without validating that it matches with the key. I think?

  • Turn off StrictHostKeyChecking. I want to establish good practices early, and I need to know how to do this now, because I'm going to need to know how to do this in general. (By this I mean how to use SSH fingerprints to validate the identity of the host I'm connecting to, based on the key that I have.)

  • Mess around with ssh-add. I want to write this to a file that's easy to lockdown access to, not put it into a running process.

EDITS:
Strangely when I try to extract the fingerprint from the pem file it doesn't match the fingerprint I see when I connect and it prompts me.



FINGERPRINT EXTRACTION FROM PEM



bash-4.2$ ssh-keygen -l -E md5 -f ./blah.PEM
2048 MD5:be:b1:d7:e1:f0:0f:ce:41:60:fa:97:dc:b8:2c:ed:08 no comment (RSA)
bash-4.2$ ssh-keygen -l -E sha1 -f ./blah.PEM
2048 SHA1:g2PDmIcw19Z/v7HTco6xRWxQ88c no comment (RSA)


FINGERPRINT DISPLAY DURING SSH PROMPT



bash-4.2$ ssh -i ./blah.PEM ubuntu@ip-172-31-6-91.us-east-2.compute.internal
The authenticity of host 'ip-172-31-6-91.us-east-2.compute.internal (172.31.6.91)' can't be established.
ECDSA key fingerprint is SHA256:ibwhkrF5oMapJla4cKuXgePT5lHmg08L7yMp6auCpgo.
ECDSA key fingerprint is MD5:ba:82:53:ee:89:22:26:63:26:11:21:93:63:1f:1d:d1.


How could the fingerprints be different, but the key still allows me to connect?










share|improve this question









New contributor



Jazzepi is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.



















  • For starters, known_hosts doesn't store fingerprints, it stores public keys, so I think you have some more incorrect assumptions to work through.

    – womble
    2 hours ago













2












2








2








WARNING -> Please be careful when reading this problem description. I had some assumptions that were not correct as I was writing this question. Make sure you read my answer explaining what I had wrong!



I have host A in AWS as an EC2 instance.



I a private key embedded in a .PEM file that I can use to host A with SSH key Z. This works if I pass it to the ssh command using the -l argument, AND if I turn off strict host checking with -o StrictHostKeyChecking=no.



I would strongly prefer to leave strict host checking on even though I "know" this is the correct host because I'm interacting with the AWS interface, getting the ip/dns from them, and I'm inside of my own little VPC world.



It seems like the only way to provide the fingerprint -> host mapping is by providing it in a known_hosts file.



Is that correct?



If that is correct, how can I take the private key embedded in the .PEM file that I have from AWS and build the correct entry for the single fingerprint -> host mapping for a temporary known_hosts file that I can read when I'm logging into the EC2 instance?



WHAT I DO NOT WANT TO DO



  • Use ssh-keyscan. All this does is blindly accept the fingerprint of the remote client without validating that it matches with the key. I think?

  • Turn off StrictHostKeyChecking. I want to establish good practices early, and I need to know how to do this now, because I'm going to need to know how to do this in general. (By this I mean how to use SSH fingerprints to validate the identity of the host I'm connecting to, based on the key that I have.)

  • Mess around with ssh-add. I want to write this to a file that's easy to lockdown access to, not put it into a running process.

EDITS:
Strangely when I try to extract the fingerprint from the pem file it doesn't match the fingerprint I see when I connect and it prompts me.



FINGERPRINT EXTRACTION FROM PEM



bash-4.2$ ssh-keygen -l -E md5 -f ./blah.PEM
2048 MD5:be:b1:d7:e1:f0:0f:ce:41:60:fa:97:dc:b8:2c:ed:08 no comment (RSA)
bash-4.2$ ssh-keygen -l -E sha1 -f ./blah.PEM
2048 SHA1:g2PDmIcw19Z/v7HTco6xRWxQ88c no comment (RSA)


FINGERPRINT DISPLAY DURING SSH PROMPT



bash-4.2$ ssh -i ./blah.PEM ubuntu@ip-172-31-6-91.us-east-2.compute.internal
The authenticity of host 'ip-172-31-6-91.us-east-2.compute.internal (172.31.6.91)' can't be established.
ECDSA key fingerprint is SHA256:ibwhkrF5oMapJla4cKuXgePT5lHmg08L7yMp6auCpgo.
ECDSA key fingerprint is MD5:ba:82:53:ee:89:22:26:63:26:11:21:93:63:1f:1d:d1.


How could the fingerprints be different, but the key still allows me to connect?










share|improve this question









New contributor



Jazzepi is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











WARNING -> Please be careful when reading this problem description. I had some assumptions that were not correct as I was writing this question. Make sure you read my answer explaining what I had wrong!



I have host A in AWS as an EC2 instance.



I a private key embedded in a .PEM file that I can use to host A with SSH key Z. This works if I pass it to the ssh command using the -l argument, AND if I turn off strict host checking with -o StrictHostKeyChecking=no.



I would strongly prefer to leave strict host checking on even though I "know" this is the correct host because I'm interacting with the AWS interface, getting the ip/dns from them, and I'm inside of my own little VPC world.



It seems like the only way to provide the fingerprint -> host mapping is by providing it in a known_hosts file.



Is that correct?



If that is correct, how can I take the private key embedded in the .PEM file that I have from AWS and build the correct entry for the single fingerprint -> host mapping for a temporary known_hosts file that I can read when I'm logging into the EC2 instance?



WHAT I DO NOT WANT TO DO



  • Use ssh-keyscan. All this does is blindly accept the fingerprint of the remote client without validating that it matches with the key. I think?

  • Turn off StrictHostKeyChecking. I want to establish good practices early, and I need to know how to do this now, because I'm going to need to know how to do this in general. (By this I mean how to use SSH fingerprints to validate the identity of the host I'm connecting to, based on the key that I have.)

  • Mess around with ssh-add. I want to write this to a file that's easy to lockdown access to, not put it into a running process.

EDITS:
Strangely when I try to extract the fingerprint from the pem file it doesn't match the fingerprint I see when I connect and it prompts me.



FINGERPRINT EXTRACTION FROM PEM



bash-4.2$ ssh-keygen -l -E md5 -f ./blah.PEM
2048 MD5:be:b1:d7:e1:f0:0f:ce:41:60:fa:97:dc:b8:2c:ed:08 no comment (RSA)
bash-4.2$ ssh-keygen -l -E sha1 -f ./blah.PEM
2048 SHA1:g2PDmIcw19Z/v7HTco6xRWxQ88c no comment (RSA)


FINGERPRINT DISPLAY DURING SSH PROMPT



bash-4.2$ ssh -i ./blah.PEM ubuntu@ip-172-31-6-91.us-east-2.compute.internal
The authenticity of host 'ip-172-31-6-91.us-east-2.compute.internal (172.31.6.91)' can't be established.
ECDSA key fingerprint is SHA256:ibwhkrF5oMapJla4cKuXgePT5lHmg08L7yMp6auCpgo.
ECDSA key fingerprint is MD5:ba:82:53:ee:89:22:26:63:26:11:21:93:63:1f:1d:d1.


How could the fingerprints be different, but the key still allows me to connect?







ssh ssh-keys






share|improve this question









New contributor



Jazzepi is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.










share|improve this question









New contributor



Jazzepi is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








share|improve this question




share|improve this question








edited 2 hours ago







Jazzepi













New contributor



Jazzepi is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








asked 5 hours ago









JazzepiJazzepi

1135




1135




New contributor



Jazzepi is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




New contributor




Jazzepi is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.














  • For starters, known_hosts doesn't store fingerprints, it stores public keys, so I think you have some more incorrect assumptions to work through.

    – womble
    2 hours ago

















  • For starters, known_hosts doesn't store fingerprints, it stores public keys, so I think you have some more incorrect assumptions to work through.

    – womble
    2 hours ago
















For starters, known_hosts doesn't store fingerprints, it stores public keys, so I think you have some more incorrect assumptions to work through.

– womble
2 hours ago





For starters, known_hosts doesn't store fingerprints, it stores public keys, so I think you have some more incorrect assumptions to work through.

– womble
2 hours ago










3 Answers
3






active

oldest

votes


















3














You have 2 key pairs at play there:



  1. Server's Private/Public key.

ssh daemon on the server has a set of private keys created and stored in the /etc/ssh/ folder



The RSA fingerprint you are getting from the server comes from the public key corresponding to the /etc/ssh/ssh_host_rsa_key private key



  1. User's Private/Public key.

This is a keypair you own. The private key should be securely stored on your computer and used to authenticate to the server. The public key's fingerprint is on the server, in your profile's authorized_keys file: ~/.ssh/authorized_keys




So there are 2 different public keys, and their fingerprints will not match, unless you use the same private key as one on the server, which is unlikely.



To get rid of warning do exactly as it has been asking: put fingerprint of the server into the /var/lib/jenkins/.ssh/known_hosts file.






share|improve this answer























  • The process I went through is this. * Use AWS to create a KEY_PAIR. Which gives me the private RSA key for that key pair. AFAIK that's what I'm downloading. I then wanted to store that key in my Jenkins as a method to login to the host with this KEY_PAIR so the jenkins can do some initialization on it through Ansible. Throughout this process I did NOT generate my own key pair, I just have the one I downloaded from AWS when I created the KEY_PAIR instance.

    – Jazzepi
    3 hours ago











  • Ohhh I think I understand. When I create a KEY_PAIR in AWS it's giving me the private key, and putting the public key into that host's authorized keys so that I can log in to it. But that means the host generates its own public/private key pair, and I need to scrape the logs to get a handle on that so I can validate the fingerprint.

    – Jazzepi
    3 hours ago












  • @Jazzepi, yes, the private key you downloaded is a part of User's key pair. The public key's fingerprint of this key-pair is on the server in your profile

    – Sergey Nudnov
    3 hours ago











  • @Jazzepi, usually there is /etc/ssh/ssh_host_rsa_key.pub. To get its fingerprint you could use ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub

    – Sergey Nudnov
    3 hours ago











  • I'm good man thanks for the help!!!

    – Jazzepi
    3 hours ago


















2














If I understand you correctly, the private key file is in your possession and you'd like to get the fingerprint of it so that you can add it into your known_hosts file. If that's right, then here's what you do:



$ ssh-keygen -yf /path_to_private_key/key_file_name


That will output something like:



ssh-rsa AAAAB3NzaC....


Lastly, prefix that with the IP address to which you SSH, so that you have this:



10.200.25.5 ssh-rsa AAAAB3NzaC....


and you can add that as a line in your known_hosts file.






share|improve this answer























  • I put in DNS_ADDRESS ssh-rsa <LONG STRING> And get the below error complaining about the fingerprints not matching. I deleted some lines. RSA host key for ip-172-31-6-91.us-east-2.compute.internal has changed, and the key for the corresponding IP address 172.31.6.91 is unknown. The fingerprint for the RSA key sent by the remote host is SHA256:9BOOk2Zjlin6CnIyaNFXlLpShcAyQis/wKU8oPCAauE. Add correct host key in /var/lib/jenkins/.ssh/known_hosts to get rid of this message. RSA host key for ip-172-31-6-91.us-east-2.compute.internal has changed and you have requested strict checking.

    – Jazzepi
    4 hours ago












  • I'm not sure why they don't match, but it seems that the key you have is not the one the server is using. You can find the key which the server is using in /etc/ssh/. In that directory, you will find the private keys and the public fingerprints already generated.

    – user3629081
    4 hours ago











  • The private key PEM file I downloaded from AWS is a RSA key. -----BEGIN RSA PRIVATE KEY----- so I assume that it should match the encoded contents /etc/ssh/ssh_host_rsa_key but they don't. I think PEM files can contain comments though? Maybe the comments are throwing it off?

    – Jazzepi
    4 hours ago











  • Comments in the PEM file would prevent ssh-keygen from calculating the fingerprint at all. Personally, I would just use the fingerprint found on the server and move on with life.

    – user3629081
    3 hours ago











  • I am honestly just trying to understand why this isn't working. There is definitely a comment embedded in the private key pem file on the server that is not embedded in the one I downloaded from AWS. When I'm on the server I'm trying to connect to I get this root@ comment ubuntu@ip-172-31-6-91:/etc/ssh$ sudo ssh-keygen -lf ./ssh_host_rsa_key 2048 SHA256:9BOOk2Zjlin6CnIyaNFXlLpShcAyQis/wKU8oPCAauE root@ip-172-31-6-91 (RSA) On the client trying to connect I get this, "no comment" 2048 SHA256:TJrXSILH/tgLjqVtuxGBFJH+5HMBCLt0StxLPeS7laY no comment (RSA)

    – Jazzepi
    3 hours ago



















0














My underlying confusion was that I thought I had the exact same pair of private and public keys that the server did. Instead what's happening is when I create a key pair and assign it to a new EC2 instance, the EC2 instance is getting the public key of that pair put into its authorized_keys which allows me to connect to it with the private key that I download when creating the pair in AWS.



I can use the fingerprinting command that comes with AWS, but it's only good to validate that the private key that I have, matches the public key they have stored, and will put into the authorized_keys.



Every time a new EC2 instance comes up, it generates a collection of its own private/public keys for different algorithms like RSA and DSA. I must now scrape the logs to get the fingerprints for those keys so that I can validate that they match the host I'm connecting to.



So the steps are.



  1. Generate the EC2 instance, keep the key you get.

  2. Give that key from step 1 to Jenkins so that it can connect to the host.

  3. Use the get-console-output command to scrape the fingerprints for the keys from the logs.

  4. Attempt to connect to the remote instant with the key from step 1. Use the key fingerprint from that error message to validate against the fingerprint you scraped in step 3.

  5. Once you've validated, then you know it's safe to add the remote host.

  6. Profit!!!

Keep in mind the vital issue here is that you can't trust that the host you're connecting to isn't a man in the middle attack. If you blindly accept the key without validating it's fingerprint in step 4, you may not be connecting to the server you expect to be. By validating in step 4 you know that your connection is secure (because of SSH's cryptography), but crucially you also know WHO you are connected to, because only one person is going to have the key-pair fingerprint matching the one you expect.






share|improve this answer








New contributor



Jazzepi is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.



















  • If this was the solution, you should accept your own answer.

    – user3629081
    2 hours ago











Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);






Jazzepi is a new contributor. Be nice, and check out our Code of Conduct.









draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f967112%2fhow-can-i-add-a-pem-private-key-fingerprint-entry-to-known-hosts-before-connect%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























3 Answers
3






active

oldest

votes








3 Answers
3






active

oldest

votes









active

oldest

votes






active

oldest

votes









3














You have 2 key pairs at play there:



  1. Server's Private/Public key.

ssh daemon on the server has a set of private keys created and stored in the /etc/ssh/ folder



The RSA fingerprint you are getting from the server comes from the public key corresponding to the /etc/ssh/ssh_host_rsa_key private key



  1. User's Private/Public key.

This is a keypair you own. The private key should be securely stored on your computer and used to authenticate to the server. The public key's fingerprint is on the server, in your profile's authorized_keys file: ~/.ssh/authorized_keys




So there are 2 different public keys, and their fingerprints will not match, unless you use the same private key as one on the server, which is unlikely.



To get rid of warning do exactly as it has been asking: put fingerprint of the server into the /var/lib/jenkins/.ssh/known_hosts file.






share|improve this answer























  • The process I went through is this. * Use AWS to create a KEY_PAIR. Which gives me the private RSA key for that key pair. AFAIK that's what I'm downloading. I then wanted to store that key in my Jenkins as a method to login to the host with this KEY_PAIR so the jenkins can do some initialization on it through Ansible. Throughout this process I did NOT generate my own key pair, I just have the one I downloaded from AWS when I created the KEY_PAIR instance.

    – Jazzepi
    3 hours ago











  • Ohhh I think I understand. When I create a KEY_PAIR in AWS it's giving me the private key, and putting the public key into that host's authorized keys so that I can log in to it. But that means the host generates its own public/private key pair, and I need to scrape the logs to get a handle on that so I can validate the fingerprint.

    – Jazzepi
    3 hours ago












  • @Jazzepi, yes, the private key you downloaded is a part of User's key pair. The public key's fingerprint of this key-pair is on the server in your profile

    – Sergey Nudnov
    3 hours ago











  • @Jazzepi, usually there is /etc/ssh/ssh_host_rsa_key.pub. To get its fingerprint you could use ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub

    – Sergey Nudnov
    3 hours ago











  • I'm good man thanks for the help!!!

    – Jazzepi
    3 hours ago















3














You have 2 key pairs at play there:



  1. Server's Private/Public key.

ssh daemon on the server has a set of private keys created and stored in the /etc/ssh/ folder



The RSA fingerprint you are getting from the server comes from the public key corresponding to the /etc/ssh/ssh_host_rsa_key private key



  1. User's Private/Public key.

This is a keypair you own. The private key should be securely stored on your computer and used to authenticate to the server. The public key's fingerprint is on the server, in your profile's authorized_keys file: ~/.ssh/authorized_keys




So there are 2 different public keys, and their fingerprints will not match, unless you use the same private key as one on the server, which is unlikely.



To get rid of warning do exactly as it has been asking: put fingerprint of the server into the /var/lib/jenkins/.ssh/known_hosts file.






share|improve this answer























  • The process I went through is this. * Use AWS to create a KEY_PAIR. Which gives me the private RSA key for that key pair. AFAIK that's what I'm downloading. I then wanted to store that key in my Jenkins as a method to login to the host with this KEY_PAIR so the jenkins can do some initialization on it through Ansible. Throughout this process I did NOT generate my own key pair, I just have the one I downloaded from AWS when I created the KEY_PAIR instance.

    – Jazzepi
    3 hours ago











  • Ohhh I think I understand. When I create a KEY_PAIR in AWS it's giving me the private key, and putting the public key into that host's authorized keys so that I can log in to it. But that means the host generates its own public/private key pair, and I need to scrape the logs to get a handle on that so I can validate the fingerprint.

    – Jazzepi
    3 hours ago












  • @Jazzepi, yes, the private key you downloaded is a part of User's key pair. The public key's fingerprint of this key-pair is on the server in your profile

    – Sergey Nudnov
    3 hours ago











  • @Jazzepi, usually there is /etc/ssh/ssh_host_rsa_key.pub. To get its fingerprint you could use ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub

    – Sergey Nudnov
    3 hours ago











  • I'm good man thanks for the help!!!

    – Jazzepi
    3 hours ago













3












3








3







You have 2 key pairs at play there:



  1. Server's Private/Public key.

ssh daemon on the server has a set of private keys created and stored in the /etc/ssh/ folder



The RSA fingerprint you are getting from the server comes from the public key corresponding to the /etc/ssh/ssh_host_rsa_key private key



  1. User's Private/Public key.

This is a keypair you own. The private key should be securely stored on your computer and used to authenticate to the server. The public key's fingerprint is on the server, in your profile's authorized_keys file: ~/.ssh/authorized_keys




So there are 2 different public keys, and their fingerprints will not match, unless you use the same private key as one on the server, which is unlikely.



To get rid of warning do exactly as it has been asking: put fingerprint of the server into the /var/lib/jenkins/.ssh/known_hosts file.






share|improve this answer













You have 2 key pairs at play there:



  1. Server's Private/Public key.

ssh daemon on the server has a set of private keys created and stored in the /etc/ssh/ folder



The RSA fingerprint you are getting from the server comes from the public key corresponding to the /etc/ssh/ssh_host_rsa_key private key



  1. User's Private/Public key.

This is a keypair you own. The private key should be securely stored on your computer and used to authenticate to the server. The public key's fingerprint is on the server, in your profile's authorized_keys file: ~/.ssh/authorized_keys




So there are 2 different public keys, and their fingerprints will not match, unless you use the same private key as one on the server, which is unlikely.



To get rid of warning do exactly as it has been asking: put fingerprint of the server into the /var/lib/jenkins/.ssh/known_hosts file.







share|improve this answer












share|improve this answer



share|improve this answer










answered 3 hours ago









Sergey NudnovSergey Nudnov

39636




39636












  • The process I went through is this. * Use AWS to create a KEY_PAIR. Which gives me the private RSA key for that key pair. AFAIK that's what I'm downloading. I then wanted to store that key in my Jenkins as a method to login to the host with this KEY_PAIR so the jenkins can do some initialization on it through Ansible. Throughout this process I did NOT generate my own key pair, I just have the one I downloaded from AWS when I created the KEY_PAIR instance.

    – Jazzepi
    3 hours ago











  • Ohhh I think I understand. When I create a KEY_PAIR in AWS it's giving me the private key, and putting the public key into that host's authorized keys so that I can log in to it. But that means the host generates its own public/private key pair, and I need to scrape the logs to get a handle on that so I can validate the fingerprint.

    – Jazzepi
    3 hours ago












  • @Jazzepi, yes, the private key you downloaded is a part of User's key pair. The public key's fingerprint of this key-pair is on the server in your profile

    – Sergey Nudnov
    3 hours ago











  • @Jazzepi, usually there is /etc/ssh/ssh_host_rsa_key.pub. To get its fingerprint you could use ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub

    – Sergey Nudnov
    3 hours ago











  • I'm good man thanks for the help!!!

    – Jazzepi
    3 hours ago

















  • The process I went through is this. * Use AWS to create a KEY_PAIR. Which gives me the private RSA key for that key pair. AFAIK that's what I'm downloading. I then wanted to store that key in my Jenkins as a method to login to the host with this KEY_PAIR so the jenkins can do some initialization on it through Ansible. Throughout this process I did NOT generate my own key pair, I just have the one I downloaded from AWS when I created the KEY_PAIR instance.

    – Jazzepi
    3 hours ago











  • Ohhh I think I understand. When I create a KEY_PAIR in AWS it's giving me the private key, and putting the public key into that host's authorized keys so that I can log in to it. But that means the host generates its own public/private key pair, and I need to scrape the logs to get a handle on that so I can validate the fingerprint.

    – Jazzepi
    3 hours ago












  • @Jazzepi, yes, the private key you downloaded is a part of User's key pair. The public key's fingerprint of this key-pair is on the server in your profile

    – Sergey Nudnov
    3 hours ago











  • @Jazzepi, usually there is /etc/ssh/ssh_host_rsa_key.pub. To get its fingerprint you could use ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub

    – Sergey Nudnov
    3 hours ago











  • I'm good man thanks for the help!!!

    – Jazzepi
    3 hours ago
















The process I went through is this. * Use AWS to create a KEY_PAIR. Which gives me the private RSA key for that key pair. AFAIK that's what I'm downloading. I then wanted to store that key in my Jenkins as a method to login to the host with this KEY_PAIR so the jenkins can do some initialization on it through Ansible. Throughout this process I did NOT generate my own key pair, I just have the one I downloaded from AWS when I created the KEY_PAIR instance.

– Jazzepi
3 hours ago





The process I went through is this. * Use AWS to create a KEY_PAIR. Which gives me the private RSA key for that key pair. AFAIK that's what I'm downloading. I then wanted to store that key in my Jenkins as a method to login to the host with this KEY_PAIR so the jenkins can do some initialization on it through Ansible. Throughout this process I did NOT generate my own key pair, I just have the one I downloaded from AWS when I created the KEY_PAIR instance.

– Jazzepi
3 hours ago













Ohhh I think I understand. When I create a KEY_PAIR in AWS it's giving me the private key, and putting the public key into that host's authorized keys so that I can log in to it. But that means the host generates its own public/private key pair, and I need to scrape the logs to get a handle on that so I can validate the fingerprint.

– Jazzepi
3 hours ago






Ohhh I think I understand. When I create a KEY_PAIR in AWS it's giving me the private key, and putting the public key into that host's authorized keys so that I can log in to it. But that means the host generates its own public/private key pair, and I need to scrape the logs to get a handle on that so I can validate the fingerprint.

– Jazzepi
3 hours ago














@Jazzepi, yes, the private key you downloaded is a part of User's key pair. The public key's fingerprint of this key-pair is on the server in your profile

– Sergey Nudnov
3 hours ago





@Jazzepi, yes, the private key you downloaded is a part of User's key pair. The public key's fingerprint of this key-pair is on the server in your profile

– Sergey Nudnov
3 hours ago













@Jazzepi, usually there is /etc/ssh/ssh_host_rsa_key.pub. To get its fingerprint you could use ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub

– Sergey Nudnov
3 hours ago





@Jazzepi, usually there is /etc/ssh/ssh_host_rsa_key.pub. To get its fingerprint you could use ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub

– Sergey Nudnov
3 hours ago













I'm good man thanks for the help!!!

– Jazzepi
3 hours ago





I'm good man thanks for the help!!!

– Jazzepi
3 hours ago













2














If I understand you correctly, the private key file is in your possession and you'd like to get the fingerprint of it so that you can add it into your known_hosts file. If that's right, then here's what you do:



$ ssh-keygen -yf /path_to_private_key/key_file_name


That will output something like:



ssh-rsa AAAAB3NzaC....


Lastly, prefix that with the IP address to which you SSH, so that you have this:



10.200.25.5 ssh-rsa AAAAB3NzaC....


and you can add that as a line in your known_hosts file.






share|improve this answer























  • I put in DNS_ADDRESS ssh-rsa <LONG STRING> And get the below error complaining about the fingerprints not matching. I deleted some lines. RSA host key for ip-172-31-6-91.us-east-2.compute.internal has changed, and the key for the corresponding IP address 172.31.6.91 is unknown. The fingerprint for the RSA key sent by the remote host is SHA256:9BOOk2Zjlin6CnIyaNFXlLpShcAyQis/wKU8oPCAauE. Add correct host key in /var/lib/jenkins/.ssh/known_hosts to get rid of this message. RSA host key for ip-172-31-6-91.us-east-2.compute.internal has changed and you have requested strict checking.

    – Jazzepi
    4 hours ago












  • I'm not sure why they don't match, but it seems that the key you have is not the one the server is using. You can find the key which the server is using in /etc/ssh/. In that directory, you will find the private keys and the public fingerprints already generated.

    – user3629081
    4 hours ago











  • The private key PEM file I downloaded from AWS is a RSA key. -----BEGIN RSA PRIVATE KEY----- so I assume that it should match the encoded contents /etc/ssh/ssh_host_rsa_key but they don't. I think PEM files can contain comments though? Maybe the comments are throwing it off?

    – Jazzepi
    4 hours ago











  • Comments in the PEM file would prevent ssh-keygen from calculating the fingerprint at all. Personally, I would just use the fingerprint found on the server and move on with life.

    – user3629081
    3 hours ago











  • I am honestly just trying to understand why this isn't working. There is definitely a comment embedded in the private key pem file on the server that is not embedded in the one I downloaded from AWS. When I'm on the server I'm trying to connect to I get this root@ comment ubuntu@ip-172-31-6-91:/etc/ssh$ sudo ssh-keygen -lf ./ssh_host_rsa_key 2048 SHA256:9BOOk2Zjlin6CnIyaNFXlLpShcAyQis/wKU8oPCAauE root@ip-172-31-6-91 (RSA) On the client trying to connect I get this, "no comment" 2048 SHA256:TJrXSILH/tgLjqVtuxGBFJH+5HMBCLt0StxLPeS7laY no comment (RSA)

    – Jazzepi
    3 hours ago
















2














If I understand you correctly, the private key file is in your possession and you'd like to get the fingerprint of it so that you can add it into your known_hosts file. If that's right, then here's what you do:



$ ssh-keygen -yf /path_to_private_key/key_file_name


That will output something like:



ssh-rsa AAAAB3NzaC....


Lastly, prefix that with the IP address to which you SSH, so that you have this:



10.200.25.5 ssh-rsa AAAAB3NzaC....


and you can add that as a line in your known_hosts file.






share|improve this answer























  • I put in DNS_ADDRESS ssh-rsa <LONG STRING> And get the below error complaining about the fingerprints not matching. I deleted some lines. RSA host key for ip-172-31-6-91.us-east-2.compute.internal has changed, and the key for the corresponding IP address 172.31.6.91 is unknown. The fingerprint for the RSA key sent by the remote host is SHA256:9BOOk2Zjlin6CnIyaNFXlLpShcAyQis/wKU8oPCAauE. Add correct host key in /var/lib/jenkins/.ssh/known_hosts to get rid of this message. RSA host key for ip-172-31-6-91.us-east-2.compute.internal has changed and you have requested strict checking.

    – Jazzepi
    4 hours ago












  • I'm not sure why they don't match, but it seems that the key you have is not the one the server is using. You can find the key which the server is using in /etc/ssh/. In that directory, you will find the private keys and the public fingerprints already generated.

    – user3629081
    4 hours ago











  • The private key PEM file I downloaded from AWS is a RSA key. -----BEGIN RSA PRIVATE KEY----- so I assume that it should match the encoded contents /etc/ssh/ssh_host_rsa_key but they don't. I think PEM files can contain comments though? Maybe the comments are throwing it off?

    – Jazzepi
    4 hours ago











  • Comments in the PEM file would prevent ssh-keygen from calculating the fingerprint at all. Personally, I would just use the fingerprint found on the server and move on with life.

    – user3629081
    3 hours ago











  • I am honestly just trying to understand why this isn't working. There is definitely a comment embedded in the private key pem file on the server that is not embedded in the one I downloaded from AWS. When I'm on the server I'm trying to connect to I get this root@ comment ubuntu@ip-172-31-6-91:/etc/ssh$ sudo ssh-keygen -lf ./ssh_host_rsa_key 2048 SHA256:9BOOk2Zjlin6CnIyaNFXlLpShcAyQis/wKU8oPCAauE root@ip-172-31-6-91 (RSA) On the client trying to connect I get this, "no comment" 2048 SHA256:TJrXSILH/tgLjqVtuxGBFJH+5HMBCLt0StxLPeS7laY no comment (RSA)

    – Jazzepi
    3 hours ago














2












2








2







If I understand you correctly, the private key file is in your possession and you'd like to get the fingerprint of it so that you can add it into your known_hosts file. If that's right, then here's what you do:



$ ssh-keygen -yf /path_to_private_key/key_file_name


That will output something like:



ssh-rsa AAAAB3NzaC....


Lastly, prefix that with the IP address to which you SSH, so that you have this:



10.200.25.5 ssh-rsa AAAAB3NzaC....


and you can add that as a line in your known_hosts file.






share|improve this answer













If I understand you correctly, the private key file is in your possession and you'd like to get the fingerprint of it so that you can add it into your known_hosts file. If that's right, then here's what you do:



$ ssh-keygen -yf /path_to_private_key/key_file_name


That will output something like:



ssh-rsa AAAAB3NzaC....


Lastly, prefix that with the IP address to which you SSH, so that you have this:



10.200.25.5 ssh-rsa AAAAB3NzaC....


and you can add that as a line in your known_hosts file.







share|improve this answer












share|improve this answer



share|improve this answer










answered 4 hours ago









user3629081user3629081

20213




20213












  • I put in DNS_ADDRESS ssh-rsa <LONG STRING> And get the below error complaining about the fingerprints not matching. I deleted some lines. RSA host key for ip-172-31-6-91.us-east-2.compute.internal has changed, and the key for the corresponding IP address 172.31.6.91 is unknown. The fingerprint for the RSA key sent by the remote host is SHA256:9BOOk2Zjlin6CnIyaNFXlLpShcAyQis/wKU8oPCAauE. Add correct host key in /var/lib/jenkins/.ssh/known_hosts to get rid of this message. RSA host key for ip-172-31-6-91.us-east-2.compute.internal has changed and you have requested strict checking.

    – Jazzepi
    4 hours ago












  • I'm not sure why they don't match, but it seems that the key you have is not the one the server is using. You can find the key which the server is using in /etc/ssh/. In that directory, you will find the private keys and the public fingerprints already generated.

    – user3629081
    4 hours ago











  • The private key PEM file I downloaded from AWS is a RSA key. -----BEGIN RSA PRIVATE KEY----- so I assume that it should match the encoded contents /etc/ssh/ssh_host_rsa_key but they don't. I think PEM files can contain comments though? Maybe the comments are throwing it off?

    – Jazzepi
    4 hours ago











  • Comments in the PEM file would prevent ssh-keygen from calculating the fingerprint at all. Personally, I would just use the fingerprint found on the server and move on with life.

    – user3629081
    3 hours ago











  • I am honestly just trying to understand why this isn't working. There is definitely a comment embedded in the private key pem file on the server that is not embedded in the one I downloaded from AWS. When I'm on the server I'm trying to connect to I get this root@ comment ubuntu@ip-172-31-6-91:/etc/ssh$ sudo ssh-keygen -lf ./ssh_host_rsa_key 2048 SHA256:9BOOk2Zjlin6CnIyaNFXlLpShcAyQis/wKU8oPCAauE root@ip-172-31-6-91 (RSA) On the client trying to connect I get this, "no comment" 2048 SHA256:TJrXSILH/tgLjqVtuxGBFJH+5HMBCLt0StxLPeS7laY no comment (RSA)

    – Jazzepi
    3 hours ago


















  • I put in DNS_ADDRESS ssh-rsa <LONG STRING> And get the below error complaining about the fingerprints not matching. I deleted some lines. RSA host key for ip-172-31-6-91.us-east-2.compute.internal has changed, and the key for the corresponding IP address 172.31.6.91 is unknown. The fingerprint for the RSA key sent by the remote host is SHA256:9BOOk2Zjlin6CnIyaNFXlLpShcAyQis/wKU8oPCAauE. Add correct host key in /var/lib/jenkins/.ssh/known_hosts to get rid of this message. RSA host key for ip-172-31-6-91.us-east-2.compute.internal has changed and you have requested strict checking.

    – Jazzepi
    4 hours ago












  • I'm not sure why they don't match, but it seems that the key you have is not the one the server is using. You can find the key which the server is using in /etc/ssh/. In that directory, you will find the private keys and the public fingerprints already generated.

    – user3629081
    4 hours ago











  • The private key PEM file I downloaded from AWS is a RSA key. -----BEGIN RSA PRIVATE KEY----- so I assume that it should match the encoded contents /etc/ssh/ssh_host_rsa_key but they don't. I think PEM files can contain comments though? Maybe the comments are throwing it off?

    – Jazzepi
    4 hours ago











  • Comments in the PEM file would prevent ssh-keygen from calculating the fingerprint at all. Personally, I would just use the fingerprint found on the server and move on with life.

    – user3629081
    3 hours ago











  • I am honestly just trying to understand why this isn't working. There is definitely a comment embedded in the private key pem file on the server that is not embedded in the one I downloaded from AWS. When I'm on the server I'm trying to connect to I get this root@ comment ubuntu@ip-172-31-6-91:/etc/ssh$ sudo ssh-keygen -lf ./ssh_host_rsa_key 2048 SHA256:9BOOk2Zjlin6CnIyaNFXlLpShcAyQis/wKU8oPCAauE root@ip-172-31-6-91 (RSA) On the client trying to connect I get this, "no comment" 2048 SHA256:TJrXSILH/tgLjqVtuxGBFJH+5HMBCLt0StxLPeS7laY no comment (RSA)

    – Jazzepi
    3 hours ago

















I put in DNS_ADDRESS ssh-rsa <LONG STRING> And get the below error complaining about the fingerprints not matching. I deleted some lines. RSA host key for ip-172-31-6-91.us-east-2.compute.internal has changed, and the key for the corresponding IP address 172.31.6.91 is unknown. The fingerprint for the RSA key sent by the remote host is SHA256:9BOOk2Zjlin6CnIyaNFXlLpShcAyQis/wKU8oPCAauE. Add correct host key in /var/lib/jenkins/.ssh/known_hosts to get rid of this message. RSA host key for ip-172-31-6-91.us-east-2.compute.internal has changed and you have requested strict checking.

– Jazzepi
4 hours ago






I put in DNS_ADDRESS ssh-rsa <LONG STRING> And get the below error complaining about the fingerprints not matching. I deleted some lines. RSA host key for ip-172-31-6-91.us-east-2.compute.internal has changed, and the key for the corresponding IP address 172.31.6.91 is unknown. The fingerprint for the RSA key sent by the remote host is SHA256:9BOOk2Zjlin6CnIyaNFXlLpShcAyQis/wKU8oPCAauE. Add correct host key in /var/lib/jenkins/.ssh/known_hosts to get rid of this message. RSA host key for ip-172-31-6-91.us-east-2.compute.internal has changed and you have requested strict checking.

– Jazzepi
4 hours ago














I'm not sure why they don't match, but it seems that the key you have is not the one the server is using. You can find the key which the server is using in /etc/ssh/. In that directory, you will find the private keys and the public fingerprints already generated.

– user3629081
4 hours ago





I'm not sure why they don't match, but it seems that the key you have is not the one the server is using. You can find the key which the server is using in /etc/ssh/. In that directory, you will find the private keys and the public fingerprints already generated.

– user3629081
4 hours ago













The private key PEM file I downloaded from AWS is a RSA key. -----BEGIN RSA PRIVATE KEY----- so I assume that it should match the encoded contents /etc/ssh/ssh_host_rsa_key but they don't. I think PEM files can contain comments though? Maybe the comments are throwing it off?

– Jazzepi
4 hours ago





The private key PEM file I downloaded from AWS is a RSA key. -----BEGIN RSA PRIVATE KEY----- so I assume that it should match the encoded contents /etc/ssh/ssh_host_rsa_key but they don't. I think PEM files can contain comments though? Maybe the comments are throwing it off?

– Jazzepi
4 hours ago













Comments in the PEM file would prevent ssh-keygen from calculating the fingerprint at all. Personally, I would just use the fingerprint found on the server and move on with life.

– user3629081
3 hours ago





Comments in the PEM file would prevent ssh-keygen from calculating the fingerprint at all. Personally, I would just use the fingerprint found on the server and move on with life.

– user3629081
3 hours ago













I am honestly just trying to understand why this isn't working. There is definitely a comment embedded in the private key pem file on the server that is not embedded in the one I downloaded from AWS. When I'm on the server I'm trying to connect to I get this root@ comment ubuntu@ip-172-31-6-91:/etc/ssh$ sudo ssh-keygen -lf ./ssh_host_rsa_key 2048 SHA256:9BOOk2Zjlin6CnIyaNFXlLpShcAyQis/wKU8oPCAauE root@ip-172-31-6-91 (RSA) On the client trying to connect I get this, "no comment" 2048 SHA256:TJrXSILH/tgLjqVtuxGBFJH+5HMBCLt0StxLPeS7laY no comment (RSA)

– Jazzepi
3 hours ago






I am honestly just trying to understand why this isn't working. There is definitely a comment embedded in the private key pem file on the server that is not embedded in the one I downloaded from AWS. When I'm on the server I'm trying to connect to I get this root@ comment ubuntu@ip-172-31-6-91:/etc/ssh$ sudo ssh-keygen -lf ./ssh_host_rsa_key 2048 SHA256:9BOOk2Zjlin6CnIyaNFXlLpShcAyQis/wKU8oPCAauE root@ip-172-31-6-91 (RSA) On the client trying to connect I get this, "no comment" 2048 SHA256:TJrXSILH/tgLjqVtuxGBFJH+5HMBCLt0StxLPeS7laY no comment (RSA)

– Jazzepi
3 hours ago












0














My underlying confusion was that I thought I had the exact same pair of private and public keys that the server did. Instead what's happening is when I create a key pair and assign it to a new EC2 instance, the EC2 instance is getting the public key of that pair put into its authorized_keys which allows me to connect to it with the private key that I download when creating the pair in AWS.



I can use the fingerprinting command that comes with AWS, but it's only good to validate that the private key that I have, matches the public key they have stored, and will put into the authorized_keys.



Every time a new EC2 instance comes up, it generates a collection of its own private/public keys for different algorithms like RSA and DSA. I must now scrape the logs to get the fingerprints for those keys so that I can validate that they match the host I'm connecting to.



So the steps are.



  1. Generate the EC2 instance, keep the key you get.

  2. Give that key from step 1 to Jenkins so that it can connect to the host.

  3. Use the get-console-output command to scrape the fingerprints for the keys from the logs.

  4. Attempt to connect to the remote instant with the key from step 1. Use the key fingerprint from that error message to validate against the fingerprint you scraped in step 3.

  5. Once you've validated, then you know it's safe to add the remote host.

  6. Profit!!!

Keep in mind the vital issue here is that you can't trust that the host you're connecting to isn't a man in the middle attack. If you blindly accept the key without validating it's fingerprint in step 4, you may not be connecting to the server you expect to be. By validating in step 4 you know that your connection is secure (because of SSH's cryptography), but crucially you also know WHO you are connected to, because only one person is going to have the key-pair fingerprint matching the one you expect.






share|improve this answer








New contributor



Jazzepi is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.



















  • If this was the solution, you should accept your own answer.

    – user3629081
    2 hours ago















0














My underlying confusion was that I thought I had the exact same pair of private and public keys that the server did. Instead what's happening is when I create a key pair and assign it to a new EC2 instance, the EC2 instance is getting the public key of that pair put into its authorized_keys which allows me to connect to it with the private key that I download when creating the pair in AWS.



I can use the fingerprinting command that comes with AWS, but it's only good to validate that the private key that I have, matches the public key they have stored, and will put into the authorized_keys.



Every time a new EC2 instance comes up, it generates a collection of its own private/public keys for different algorithms like RSA and DSA. I must now scrape the logs to get the fingerprints for those keys so that I can validate that they match the host I'm connecting to.



So the steps are.



  1. Generate the EC2 instance, keep the key you get.

  2. Give that key from step 1 to Jenkins so that it can connect to the host.

  3. Use the get-console-output command to scrape the fingerprints for the keys from the logs.

  4. Attempt to connect to the remote instant with the key from step 1. Use the key fingerprint from that error message to validate against the fingerprint you scraped in step 3.

  5. Once you've validated, then you know it's safe to add the remote host.

  6. Profit!!!

Keep in mind the vital issue here is that you can't trust that the host you're connecting to isn't a man in the middle attack. If you blindly accept the key without validating it's fingerprint in step 4, you may not be connecting to the server you expect to be. By validating in step 4 you know that your connection is secure (because of SSH's cryptography), but crucially you also know WHO you are connected to, because only one person is going to have the key-pair fingerprint matching the one you expect.






share|improve this answer








New contributor



Jazzepi is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.



















  • If this was the solution, you should accept your own answer.

    – user3629081
    2 hours ago













0












0








0







My underlying confusion was that I thought I had the exact same pair of private and public keys that the server did. Instead what's happening is when I create a key pair and assign it to a new EC2 instance, the EC2 instance is getting the public key of that pair put into its authorized_keys which allows me to connect to it with the private key that I download when creating the pair in AWS.



I can use the fingerprinting command that comes with AWS, but it's only good to validate that the private key that I have, matches the public key they have stored, and will put into the authorized_keys.



Every time a new EC2 instance comes up, it generates a collection of its own private/public keys for different algorithms like RSA and DSA. I must now scrape the logs to get the fingerprints for those keys so that I can validate that they match the host I'm connecting to.



So the steps are.



  1. Generate the EC2 instance, keep the key you get.

  2. Give that key from step 1 to Jenkins so that it can connect to the host.

  3. Use the get-console-output command to scrape the fingerprints for the keys from the logs.

  4. Attempt to connect to the remote instant with the key from step 1. Use the key fingerprint from that error message to validate against the fingerprint you scraped in step 3.

  5. Once you've validated, then you know it's safe to add the remote host.

  6. Profit!!!

Keep in mind the vital issue here is that you can't trust that the host you're connecting to isn't a man in the middle attack. If you blindly accept the key without validating it's fingerprint in step 4, you may not be connecting to the server you expect to be. By validating in step 4 you know that your connection is secure (because of SSH's cryptography), but crucially you also know WHO you are connected to, because only one person is going to have the key-pair fingerprint matching the one you expect.






share|improve this answer








New contributor



Jazzepi is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









My underlying confusion was that I thought I had the exact same pair of private and public keys that the server did. Instead what's happening is when I create a key pair and assign it to a new EC2 instance, the EC2 instance is getting the public key of that pair put into its authorized_keys which allows me to connect to it with the private key that I download when creating the pair in AWS.



I can use the fingerprinting command that comes with AWS, but it's only good to validate that the private key that I have, matches the public key they have stored, and will put into the authorized_keys.



Every time a new EC2 instance comes up, it generates a collection of its own private/public keys for different algorithms like RSA and DSA. I must now scrape the logs to get the fingerprints for those keys so that I can validate that they match the host I'm connecting to.



So the steps are.



  1. Generate the EC2 instance, keep the key you get.

  2. Give that key from step 1 to Jenkins so that it can connect to the host.

  3. Use the get-console-output command to scrape the fingerprints for the keys from the logs.

  4. Attempt to connect to the remote instant with the key from step 1. Use the key fingerprint from that error message to validate against the fingerprint you scraped in step 3.

  5. Once you've validated, then you know it's safe to add the remote host.

  6. Profit!!!

Keep in mind the vital issue here is that you can't trust that the host you're connecting to isn't a man in the middle attack. If you blindly accept the key without validating it's fingerprint in step 4, you may not be connecting to the server you expect to be. By validating in step 4 you know that your connection is secure (because of SSH's cryptography), but crucially you also know WHO you are connected to, because only one person is going to have the key-pair fingerprint matching the one you expect.







share|improve this answer








New contributor



Jazzepi is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








share|improve this answer



share|improve this answer






New contributor



Jazzepi is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








answered 3 hours ago









JazzepiJazzepi

1135




1135




New contributor



Jazzepi is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




New contributor




Jazzepi is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.














  • If this was the solution, you should accept your own answer.

    – user3629081
    2 hours ago

















  • If this was the solution, you should accept your own answer.

    – user3629081
    2 hours ago
















If this was the solution, you should accept your own answer.

– user3629081
2 hours ago





If this was the solution, you should accept your own answer.

– user3629081
2 hours ago










Jazzepi is a new contributor. Be nice, and check out our Code of Conduct.









draft saved

draft discarded


















Jazzepi is a new contributor. Be nice, and check out our Code of Conduct.












Jazzepi is a new contributor. Be nice, and check out our Code of Conduct.











Jazzepi is a new contributor. Be nice, and check out our Code of Conduct.














Thanks for contributing an answer to Server Fault!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f967112%2fhow-can-i-add-a-pem-private-key-fingerprint-entry-to-known-hosts-before-connect%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Invision Community Contents History See also References External links Navigation menuProprietaryinvisioncommunity.comIPS Community ForumsIPS Community Forumsthis blog entry"License Changes, IP.Board 3.4, and the Future""Interview -- Matt Mecham of Ibforums""CEO Invision Power Board, Matt Mecham Is a Liar, Thief!"IPB License Explanation 1.3, 1.3.1, 2.0, and 2.1ArchivedSecurity Fixes, Updates And Enhancements For IPB 1.3.1Archived"New Demo Accounts - Invision Power Services"the original"New Default Skin"the original"Invision Power Board 3.0.0 and Applications Released"the original"Archived copy"the original"Perpetual licenses being done away with""Release Notes - Invision Power Services""Introducing: IPS Community Suite 4!"Invision Community Release Notes

Canceling a color specificationRandomly assigning color to Graphics3D objects?Default color for Filling in Mathematica 9Coloring specific elements of sets with a prime modified order in an array plotHow to pick a color differing significantly from the colors already in a given color list?Detection of the text colorColor numbers based on their valueCan color schemes for use with ColorData include opacity specification?My dynamic color schemes

Ласкавець круглолистий Зміст Опис | Поширення | Галерея | Примітки | Посилання | Навігаційне меню58171138361-22960890446Bupleurum rotundifoliumEuro+Med PlantbasePlants of the World Online — Kew ScienceGermplasm Resources Information Network (GRIN)Ласкавецькн. VI : Літери Ком — Левиправивши або дописавши її