Differences
This shows you the differences between the selected revisions of the page.
2014-07-16 | 2014-07-16 | ||
link to official guide (martin) | suggest creating a temporary instance for collecting key + cloud-init script note (martin) | ||
Line 19: | Line 19: | ||
* Host name: Check //Public DNS// column on //Instances// page of Amazon EC2 console. Note that the public DNS may change when instance is restarted. | * Host name: Check //Public DNS// column on //Instances// page of Amazon EC2 console. Note that the public DNS may change when instance is restarted. | ||
* Host key fingerprint: On the first connect you will be prompted to [[ssh_verifying_the_host_key|verify server host key]]. | * Host key fingerprint: On the first connect you will be prompted to [[ssh_verifying_the_host_key|verify server host key]]. | ||
- | * The only way we know how to get host key safely to verify it, is to locate its fingerprint in server's initial start log, when host keys are generated. Use //Actions > Get System Log// command on //Instances// page of Amazon EC2 console: \\ \\ &screenshotpict(ec2_hostkey) \\ \\ Alternatively use ''[[http://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/ApiReference-cmd-GetConsoleOutput.html|ec2-get-console-output]]'' command-line tool. \\ Look for RSA (or DSA) key fingerprint. WinSCP does not support ECDSA keys. | + | * You can locate key fingerprint in server's initial start log, when host keys are generated.((Using ''cloud-init'' script.)) Use //Actions > Get System Log// command on //Instances// page of Amazon EC2 console: \\ \\ &screenshotpict(ec2_hostkey) \\ \\ Alternatively use ''[[http://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/ApiReference-cmd-GetConsoleOutput.html|ec2-get-console-output]]'' command-line tool. \\ Look for RSA (or DSA) key fingerprint. WinSCP does not support ECDSA keys. |
* If you did not save the fingerprint on the first instance run, but you have another EC2 instance that you can connect to safely (you know its fingerprints), you can connect to the target instance using private IP from the trusted instance. Staying within private Amazon network should keep you safe from [[wp>Man-in-the-middle_attack|man-in-the-middle attacks]]. When on the trusted instance terminal, you can use following commands to collect fingerprints: \\ <code> | * If you did not save the fingerprint on the first instance run, but you have another EC2 instance that you can connect to safely (you know its fingerprints), you can connect to the target instance using private IP from the trusted instance. Staying within private Amazon network should keep you safe from [[wp>Man-in-the-middle_attack|man-in-the-middle attacks]]. When on the trusted instance terminal, you can use following commands to collect fingerprints: \\ <code> | ||
$ ssh-keyscan <target_instance_private_ip> > ec2key | $ ssh-keyscan <target_instance_private_ip> > ec2key | ||
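Review bot: The new footnote "((Using ''cloud-init'' script.))" in the changed bullet at Line 19 is ambiguous as worded; it reads like an instruction to the reader rather than an explanation of why the fingerprints appear in the log. If the intent is that the instance's first-boot cloud-init run generates the host keys and prints their fingerprints to the console log, say that explicitly, e.g. "(The fingerprints are printed to the system log by the cloud-init script that generates the host keys on first boot.)". Also consider keeping the point the removed wording made: the initial start log is the channel that does not go through the network, so it remains the primary way to obtain the fingerprint without trusting the connection you are trying to verify, with the private-network approach in the following bullet as the alternative.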
Line 25: | Line 25: | ||
2048 cc:3d:ac:a7:13:61:4c:14:25:47:80:ae:f1:f3:aa:10 172.31.30.101 (RSA) | 2048 cc:3d:ac:a7:13:61:4c:14:25:47:80:ae:f1:f3:aa:10 172.31.30.101 (RSA) | ||
256 ea:bc:4d:5f:ae:00:48:75:45:ba:97:43:fe:e1:a3:e9 172.31.30.101 (ECDSA) | 256 ea:bc:4d:5f:ae:00:48:75:45:ba:97:43:fe:e1:a3:e9 172.31.30.101 (ECDSA) | ||
- | </code> | + | </code>· |
- | ····* Otherwise you probably have no way to connect to your instance safely. Consider disposing the instance and creating a new one (you may want to use action //Launch More Like this//). | + | ···* If you do not have another trusted instance, you can create new temporary instance, just for the purpose of collecting the keys. First find keys for the new temporary instance, using it's initial start log. Then collect keys of the target instance by connecting to it from the temporary instance. After that you can discard the temporary instance. |
Start WinSCP. [[ui_login|Login dialog]] will appear. On the dialog: | Start WinSCP. [[ui_login|Login dialog]] will appear. On the dialog: |
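Review bot: The new bullet at Line 25 omits the step that makes the temporary-instance route safe: the preceding bullet relies on connecting over the instance's private IP inside the Amazon network to avoid man-in-the-middle attacks, but the new text only says "by connecting to it from the temporary instance". Suggest "collect keys of the target instance by connecting to its private IP from the temporary instance, as described above", and state that the temporary instance is trusted only because its own host key was verified from its initial start log first. Minor: "it's initial start log" should be "its initial start log", and the trailing whitespace added after ''</code>'' looks accidental.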