Hi,
It would be nice if you added something like
bash -c 'for f in /etc/ssh/*.pub; do ssh-keygen -lf "$f"; done'
to /etc/rc.local on your EC2 AMI - this would display the SSH key fingerprints in the console output (which can be securely obtained from the ec2 console or command line tools). Without a secure way to obtain these fingerprints it is not possible to detect a man-in-the-middle attack of the first SSH connection to the server.
My current workaround is to place the following script as the ec2 user data file:
#!/bin/bash
set -o nounset
set -o errexit
# Dump the SHA256/MD5 fingerprint of every host public key to the console,
# where it ends up in the EC2 console output. Glob directly instead of
# parsing ls, and quote the path so it survives unusual file names.
for f in /etc/ssh/*.pub; do ssh-keygen -lf "$f"; done > /dev/console
However it would be nice if this functionality was built into the AMI as I'm not currently needing the user data mechanism for anything else.
Cheers,
Dave
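The check this request is about, as an added example that is not Dave's script and not anything shipped in the AMI: dump the host key fingerprints the way the user-data script does, then verify the fingerprint your SSH client shows on first connection against a copy of the console output you fetched out of band (for instance with `aws ec2 get-console-output`). It assumes bash and GNU coreutils only (awk, base64, sha256sum, sed, tr), so it also runs where ssh-keygen is not installed; the function names are my own, and the key it builds is a constructed, all-zero ed25519 key body, not a real key pair.

```bash
#!/bin/bash
# Added example, not code from the thread or the AMI. Needs bash + GNU coreutils.
set -o nounset
set -o errexit

# fingerprint_of_blob: read a raw OpenSSH key blob on stdin and print its SHA256
# fingerprint in the form ssh-keygen -lf prints it: "SHA256:" followed by the
# base64 of the digest with the trailing '=' padding removed.
fingerprint_of_blob() {
    local hex
    hex=$(sha256sum | awk '{print $1}')
    # Turn the hex digest back into raw bytes (bash printf %b understands \xHH),
    # then base64-encode those 32 bytes.
    printf 'SHA256:%s\n' "$(printf '%b' "$(printf '%s' "$hex" | sed 's/../\\x&/g')" \
        | base64 -w0 | tr -d '=')"
}

# fingerprint_of_key FILE: fingerprint of an OpenSSH public key file such as
# /etc/ssh/ssh_host_ed25519_key.pub ("<type> <base64 blob> [comment]").
fingerprint_of_key() {
    awk 'NR == 1 {print $2}' "$1" | base64 -d | fingerprint_of_blob
}

# dump_fingerprints DIR: one "<file> <fingerprint>" line per public key in DIR.
# On the instance this is what you redirect to /dev/console (or run from
# rc.local) so the lines appear in the EC2 console output.
dump_fingerprints() {
    local f
    for f in "$1"/*.pub; do
        [ -e "$f" ] || continue
        printf '%s %s\n' "$(basename "$f")" "$(fingerprint_of_key "$f")"
    done
}

# verify_fingerprint CONSOLE_OUTPUT EXPECTED: succeed only if EXPECTED (the
# fingerprint the SSH client showed on first connection) is exactly the second
# field of some line in the saved console output. A mismatch means the host key
# you were offered is not one the instance booted with.
verify_fingerprint() {
    awk -v want="$2" '$2 == want { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# make_sample_key FILE: constructed sample, not a real key pair. The blob is the
# OpenSSH wire format: string "ssh-ed25519" followed by a 32-byte (all-zero) key.
make_sample_key() {
    printf 'ssh-ed25519 %s root@constructed\n' "$( {
        printf '\000\000\000\013ssh-ed25519\000\000\000\040'
        head -c 32 /dev/zero
    } | base64 -w0 )" > "$1"
}

# Stand-alone demo: build the constructed key, "dump to console" (stdout here),
# and check it against the saved output as you would after
# `aws ec2 get-console-output --instance-id <id> --output text > console.txt`.
demo_dir=$(mktemp -d)
make_sample_key "$demo_dir/ssh_host_ed25519_key.pub"
dump_fingerprints "$demo_dir" | tee "$demo_dir/console.txt"
if verify_fingerprint "$demo_dir/console.txt" \
        "$(fingerprint_of_key "$demo_dir/ssh_host_ed25519_key.pub")"; then
    echo "host key fingerprint matches the console output"
fi
rm -rf "$demo_dir"
```

The console output is the only channel here that an on-path attacker cannot rewrite, because it is read through the authenticated EC2 API rather than over the network path to the instance; that is why the comparison is done against a copy of it and not against anything the SSH connection itself reports.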
Hi Dave,
Thanks for using our services on AWS. This is really valuable and will surely be considered in our subsequent releases.
Cheers,
Shiven