Check SSH fingerprints on AWS EC2
October 27, 2022
Warning: Remote host identification has changed!
When opening an SSH connection to one of my EC2 instances on AWS I got the unexpected warning that the host fingerprint was different.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /home/----/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/----/.ssh/known_hosts:32
remove with:
ssh-keygen -f "/home/----/.ssh/known_hosts" -R "----.----.com"
ECDSA host key for ----.----.com has changed and you have requested strict checking.
Host key verification failed.
I'd come across this a few times before when replacing servers and moving domain names, but this time it was unexpected: as far as I knew, the server hadn't changed (although an update may have triggered it to generate a new host key, and with it a new fingerprint).
Almost all the material I can find on the web tells you how to replace the local record, but none of it tells you how to confirm that the "new" fingerprint is actually legitimate, which is the whole point of the warning: the message says outright that this could be a man-in-the-middle attack.
You can check whether the fingerprint actually belongs to your EC2 instance by looking at the instance's system log:
- Open the EC2 instance in your AWS console
- Click on the Actions menu
- Click on the Monitor and troubleshoot submenu
- Click on Get system log
It might take a bit of a search, but you should find the SSH host key fingerprints in the log:
<14>Oct 26 07:32:13 cloud-init: #############################################################
<14>Oct 26 07:32:13 cloud-init: -----BEGIN SSH HOST KEY FINGERPRINTS-----
<14>Oct 26 07:32:13 cloud-init: -----END SSH HOST KEY FINGERPRINTS-----
<14>Oct 26 07:32:13 cloud-init: #############################################################
If the fingerprint in the warning matches one of the fingerprints in the log, then all is well and you can safely update your known_hosts file.
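The same check can be scripted instead of done by eye in the console. The shell script below is an added example and not part of the original post: it pulls the console output with the AWS CLI (the `aws ec2 get-console-output` call needs credentials and network access), cuts out the lines between the BEGIN/END markers shown above, and tests whether the fingerprint quoted in the SSH warning appears among them. The instance id, host name, the function names and every fingerprint in the embedded sample log are constructed placeholders, so the offline part runs against the sample rather than a real instance.

```shell
#!/bin/sh
# Added example (not from the original post): compare the fingerprint in the
# SSH warning with the fingerprints cloud-init printed to the EC2 console.
# All ids, host names and fingerprint values below are constructed.

# Fetch the console output for an instance via the EC2 API (needs AWS
# credentials and network access; not exercised offline).  Because it comes
# from the API and not over the SSH connection being checked, it is an
# independent reference for the host key.
fetch_console_log() {
    # $1: instance id (placeholder, e.g. i-0123456789abcdef0), $2: region
    aws ec2 get-console-output --instance-id "$1" --region "$2" \
        --query Output --output text
}

# Print only the fingerprint lines between the BEGIN/END markers, with the
# "<14>Oct 26 07:32:13 cloud-init: " syslog prefix stripped off.
extract_console_fingerprints() {
    # $1: file holding the console output
    sed -n '/-----BEGIN SSH HOST KEY FINGERPRINTS-----/,/-----END SSH HOST KEY FINGERPRINTS-----/p' "$1" \
        | sed 's/^.*cloud-init: //' \
        | grep -v -- '^-----'
}

# Return 0 if the fingerprint quoted in the warning appears in the console log.
fingerprint_in_console() {
    # $1: fingerprint as printed by ssh (e.g. SHA256:...), $2: console log file
    extract_console_fingerprints "$2" | grep -qF -- "$1"
}

# Fingerprint of the key the server presents right now, computed locally with
# ssh-keygen (needs network access; not exercised offline).  If the console
# log shows MD5 fingerprints rather than SHA256 ones, pass "-E md5" so both
# sides are compared with the same hash.
live_fingerprint() {
    # $1: host name, $2: key type (ecdsa, ed25519, rsa), rest: ssh-keygen options
    host=$1; type=$2; shift 2
    ssh-keyscan -t "$type" "$host" 2>/dev/null | ssh-keygen -l "$@" -f -
}

# Constructed sample console output in the shape cloud-init writes at boot.
SAMPLE_CONSOLE_LOG=$(cat <<'EOF'
<14>Oct 26 07:32:13 cloud-init: #############################################################
<14>Oct 26 07:32:13 cloud-init: -----BEGIN SSH HOST KEY FINGERPRINTS-----
<14>Oct 26 07:32:13 cloud-init: 256 SHA256:CONSTRUCTEDecdsaFingerprint000000000000000000 root@ip-10-0-0-1 (ECDSA)
<14>Oct 26 07:32:13 cloud-init: 256 SHA256:CONSTRUCTEDed25519Fingerprint00000000000000000 root@ip-10-0-0-1 (ED25519)
<14>Oct 26 07:32:13 cloud-init: -----END SSH HOST KEY FINGERPRINTS-----
<14>Oct 26 07:32:13 cloud-init: #############################################################
EOF
)

# Offline demonstration against the constructed sample above.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CONSOLE_LOG" > "$tmp"
    if fingerprint_in_console "SHA256:CONSTRUCTEDecdsaFingerprint000000000000000000" "$tmp"; then
        echo "fingerprint found in console log: safe to update known_hosts"
    else
        echo "fingerprint NOT in console log: do not connect"
    fi
    rm -f "$tmp"
}
demo
```

Against a real instance, `fetch_console_log i-... eu-west-1 > console.log` followed by `fingerprint_in_console "SHA256:..." console.log` reproduces the manual check; cloud-init only prints the fingerprints when it runs at boot, so if the console output predates the key change, reboot the instance or request the most recent output (the CLI accepts `--latest` for that) before trusting a match.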