When I import my OpenSSH public key into AWS EC2's keyring the fingerprint that AWS shows doesn't match what I see from:
ssh-keygen -l -f my_key
It is a different length and has different bytes.
Why? I'm sure I uploaded the correct key.
AWS EC2 shows the SSH2 fingerprint, not the OpenSSH fingerprint everyone expects. It doesn't say this in the UI.
It also shows two completely different kinds of fingerprints depending on whether the key was generated on AWS and downloaded, or whether you uploaded your own public key.
Fingerprints generated with ssh-keygen -l will not match what EC2 shows. You can either use the AWS API tools to generate a fingerprint with the ec2-fingerprint-key command, or use OpenSSL to do it.
Note that if you originally generated a key on AWS, but then uploaded it again (say, to another region) then you'll get a different fingerprint because it'll take the SSH2 RSA fingerprint, rather than the SHA1 it shows for keys you generated on AWS.
Fun, hey?
In the above, test-generated was generated using AWS EC2. test-generated-reuploaded is the public key from the private key AWS generated, extracted with ssh-keygen -y and uploaded again. The third key, test-uploaded, is a locally generated key ... but the local ssh-keygen -l fingerprint is b2:2c:86:d6:1e:58:c0:b0:15:97:ab:9b:93:e7:4e:ea.
Keys uploaded to AWS
When you upload a key to AWS, you upload the public key only, and AWS shows the MD5 hash of the public key.
You can use OpenSSL, as demonstrated by Daniel on the AWS forums, to generate the fingerprint in the form used by AWS to show fingerprints for uploaded public keys (SSH2 MD5), like:
If you have the private key, you can generate the fingerprint by extracting the public part from the private key and hashing it using:
If you only have the public key, and it is in OpenSSH format, you need to first convert it to PEM and then DER and then hash, using:
Keys generated on AWS
When you generate a keypair on AWS, AWS shows the SHA1 hash of the private key, which is longer, like:
In this case you need to use the following command, also shown by Daniel on the AWS forums, to generate a sha1 hash based on the private key:
on the downloaded AWS-generated private key/certificate file. It'll work on keys you converted to OpenSSH format too. This does, however, require that you have the private key, since the hash is of the private key. You cannot generate the hash locally if all you have is the public key.
References
See:
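As an added example (not code from the answers above, nor AWS's or OpenSSL's own tooling), a pure-Python equivalent of the OpenSSL pipeline for imported keys: it parses an OpenSSH ssh-rsa line, rebuilds the DER SubjectPublicKeyInfo that openssl rsa -pubout -outform DER writes, and takes its MD5. The make_openssh_line helper and SAMPLE key are constructed inputs assumed for the demonstration, not values from the page.

```python
import base64
import hashlib
import struct

# DER of OID 1.2.840.113549.1.1.1 (rsaEncryption), the AlgorithmIdentifier in every RSA SubjectPublicKeyInfo
RSA_OID_DER = bytes.fromhex("06092a864886f70d010101")


def der(tag: int, content: bytes) -> bytes:
    """One DER TLV; lengths of 128 or more use the long form (0x80 | byte count, then the length)."""
    n = len(content)
    if n >= 0x80:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(body)]) + body + content
    return bytes([tag, n]) + content


def parse_openssh_rsa(line: str) -> tuple:
    """Return (e, n) byte strings from an 'ssh-rsa AAAA... comment' line."""
    key_type, b64 = line.split()[:2]
    if key_type != "ssh-rsa":
        raise ValueError("only ssh-rsa keys are handled here")
    blob, fields, off = base64.b64decode(b64), [], 0
    while off < len(blob):  # SSH wire format: uint32 length followed by that many bytes, repeated
        (length,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return fields[1], fields[2]  # SSH mpints already carry the sign byte a DER INTEGER needs


def spki_der(e: bytes, n: bytes) -> bytes:
    """The DER SubjectPublicKeyInfo that `openssl rsa -pubout -outform DER` writes."""
    rsa_public_key = der(0x30, der(0x02, n) + der(0x02, e))  # RSAPublicKey ::= SEQUENCE { n, e }
    algorithm = der(0x30, RSA_OID_DER + b"\x05\x00")  # rsaEncryption with NULL parameters
    return der(0x30, algorithm + der(0x03, b"\x00" + rsa_public_key))  # BIT STRING, 0 unused bits


def aws_import_fingerprint(pubkey_line: str) -> str:
    """MD5 of the DER SPKI, colon separated: what EC2 shows for an imported public key."""
    digest = hashlib.md5(spki_der(*parse_openssh_rsa(pubkey_line))).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def make_openssh_line(e: int, n: int) -> str:
    """Constructed sample input: encode (e, n) as an OpenSSH public-key line (not a real key)."""
    def mpint(x: int) -> bytes:  # +8 bits forces a leading 0x00 whenever the top bit is set
        raw = x.to_bytes((x.bit_length() + 8) // 8, "big")
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-sample"

SAMPLE = make_openssh_line(65537, (1 << 2047) | 0x10001)  # constructed 2048-bit modulus, not a real key
```

Note that ssh-keygen -l -E md5 hashes the SSH wire-format blob rather than this DER structure, so its MD5 still won't match the EC2 value.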
If you only have public keys, you can generate the AWS fingerprint as follows:
There's a resource on AWS docs http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#verify-key-pair-fingerprints
If you created your key pair using AWS, you can use the OpenSSL tools to generate a fingerprint from the private key file:
If you created your key pair using a third-party tool and uploaded the public key to AWS, you can use the OpenSSL tools to generate a fingerprint from the private key file on your local machine:
The output should match the fingerprint that's displayed in the console.
This is what I use:
This generates the fingerprint from the public key, similar to some of the above.
Just in case this could be useful: https://ssh-vault.com/post/fingerprint/
for example:
This will print the fingerprint for user bob, matching the format AWS is using.
For those of us using Python
Here is a script that I use; add the script path to your env. Thanks to J.Doe for the answer.
Java (using BouncyCastle). If the AWS console displays shorter keys, try with MD5. (SHA1: 20 bytes, MD5: 16 bytes).