Why does my OpenSSH key fingerprint not match the AWS EC2 console keypair fingerprint?

AWS EC2 shows the SSH2 fingerprint, not the OpenSSH fingerprint everyone expects. It doesn’t say this in the UI.

It also shows two completely different kinds of fingerprints depending on whether the key was generated on AWS and downloaded, or whether you uploaded your own public key.

Fingerprints generated with

ssh-keygen -l -f id_rsa

will not match what EC2 shows. You can either use the AWS API tools to generate a fingerprint with the ec2-fingerprint-key command, or use OpenSSL to do it.

Note that if you originally generated a key on AWS, but then uploaded it again (say, to another region) then you’ll get a different fingerprint because it’ll take the SSH2 RSA fingerprint, rather than the sha1 it shows for keys you generated on AWS.

Fun, hey? This screenshot has two copies of the same key in it with different fingerprints

In the above, test-generated was generated using AWS EC2. test-generated-reuploaded is the public key from the private key AWS generated, extracted with ssh-keygen -y and uploaded again. The third key, test-uploaded, is a locally generated key … but the local ssh-keygen -l fingerprint is b2:2c:86:d6:1e:58:c0:b0:15:97:ab:9b:93:e7:4e:ea.

$ ssh-keygen -l -f theprivatekey
2048 b2:2c:86:d6:1e:58:c0:b0:15:97:ab:9b:93:e7:4e:ea
$ openssl pkey -in theprivatekey -pubout -outform DER | openssl md5 -c
Enter pass phrase for id_landp:
(stdin)= 91:bc:58:1f:ea:5d:51:2d:83:d3:6b:d7:6d:63:06:d2

Keys uploaded to AWS

When you upload a key to AWS, you upload the public key only, and AWS shows the MD5 hash of the public key.

You can use OpenSSL, as demonstrated by Daniel on the AWS forums, to generate the fingerprint in the form used by AWS to show fingerprints for uploaded public keys (SSH2 MD5), like:

7a:58:3a:a3:df:ba:a3:09:be:b5:b4:0b:f5:5b:09:a0

If you have the private key, you can generate the fingerprint by extracting the public part from the private key and hashing it using:

openssl pkey -in id_rsa -pubout -outform DER | openssl md5 -c

If you only have the public key, and it is in OpenSSH format, you need to first convert it to PEM and then DER and then hash, using:

ssh-keygen -f id_rsa.pub -e -m PKCS8 | openssl pkey -pubin -outform DER | openssl md5 -c

Keys generated on AWS

When you generate a keypair on AWS, AWS shows the SHA1 hash of the private key, which is longer, like:

ea:47:42:52:2c:25:43:76:65:f4:67:76:b9:70:b4:64:12:00:e4:5a

In this case you need to use the following command, also shown by Daniel on the AWS forums, to generate a sha1 hash based on the private key:

openssl pkcs8 -in aws_private.pem -nocrypt -topk8 -outform DER | openssl sha1 -c

on the downloaded AWS-generated private key/certificate file. It’ll work on keys you converted to OpenSSH format too. This does, however, require that you have the private key, since the hash is of the private key. You cannot generate the hash locally if all you have is the public key.

References

See:

Related Posts:

  1. Git: How to solve Permission denied (publickey) error when using Git?
  2. ssh: The authenticity of host ‘hostname’ can’t be established
  3. How to solve “sign_and_send_pubkey: signing failed: agent refused operation”?
  4. Git error: “Host Key Verification Failed” when connecting to remote repository
  5. “Add correct host key in known_hosts” / multiple ssh host keys per hostname?
  6. What’s the difference between authorized_keys and authorized_keys2?
  7. What significance does the user/host at the end of an SSH public key file hold?
  8. How do I validate an RSA SSH public key file (id_rsa.pub)?
  9. SSH Allow Password For One User, Rest Only Allow Public Keys [duplicate]
  10. Putty: Getting Server refused our key Error
  11. Copying a local file from Windows to a remote server using scp
  12. ssh “permissions are too open” error
  13. ssh: The authenticity of host ‘hostname’ can’t be established
  14. Permission denied (publickey,keyboard-interactive)
  15. How to deal with “Pseudo-terminal will not be allocated because stdin is not a terminal.”
  16. What is actually in known_hosts?
  17. ‘heroku’ does not appear to be a git repository
  18. How to fix request failed on channel 0
  19. How to scp in Python?
  20. Forward X11 failed: Network error: Connection refused
  21. PuTTY PSCP error “Local to local copy not supported” when username contains a slash
  22. Starting ssh-agent on Windows 10 fails: “unable to start ssh-agent service, error :1058”
  23. Convert PEM to PPK file format
  24. Copying files using rsync from remote server to local machine
  25. How to read iPhone files without jailbreaking?
  26. SSH to Vagrant box in Windows?
  27. How to use Sublime over SSH
  28. Use qdel to delete all my jobs at once, not one at a time
  29. EC2 ssh Permission denied (publickey,gssapi-keyex,gssapi-with-mic)
  30. Automating command/script execution using PuTTY
  31. Public and Private Keys are Incorrect for user
  32. How to automate SSH login with password?
  33. ssh returns “Bad owner or permissions on ~/.ssh/config”
  34. How do I change my private key passphrase?
  35. Create a public SSH key from the private key?
  36. Permission denied (publickey). SSH from local Ubuntu to Amazon EC2 server
  37. How do diff over ssh?
  38. SSH use only my password, Ignore my ssh key, don’t prompt me for a passphrase
  39. ssh-agent forwarding and sudo to another user
  40. Non interactive git clone (ssh fingerprint prompt) [duplicate]
  41. How to check sshd log?
  42. What does “Warning: untrusted X11 forwarding setup failed: xauth key data not generated” mean when ssh’ing with -X?
  43. Is my password compromised because I forgot to hit Enter after ssh username?
  44. How do I make ssh fail rather than prompt for a password if the public-key authentication fails?
  45. ssh-keygen does not create RSA private key
  46. OpenSSH: Difference between internal-sftp and sftp-server
  47. how do you create an ssh key for another user?
  48. SSH Suddenly returning Invalid format
  49. How can I prevent the warning No xauth data; using fake authentication data for X11 forwarding?
  50. How to recover from “Too many Authentication Failures for user root”
  51. SFTP logging: is there a way?
  52. Login without running bash_profile or bashrc
  53. How do I do Multihop SCP transfers between machines?
  54. scp without known_hosts check
  55. How can I run arbitrarily complex command using sudo over ssh?
  56. Add comment to existing SSH public key
  57. ssh connection takes forever to initiate, stuck at “pledge: network”
  58. What is the benefit of not allocating a terminal in ssh?
  59. bad ownership or modes for chroot directory component
  60. Why Block Port 22 Outbound?
  61. Ansible stuck on gathering facts
  62. Is it possible to use rsync over sftp (without an ssh shell)?
  63. Why is SSH password authentication a security risk?
  64. ssh : Permission denied (publickey,gssapi-with-mic)
  65. Could not open a connection to your authentication agent
  66. How to establish ssh key pair when “Host key verification failed”
  67. AWS – Disconnected : No supported authentication methods available (server sent :publickey)
  68. What is difference between Lightsail and EC2?
  69. Using putty to scp from windows to Linux
  70. mysql_config not found when installing mysqldb python interface
  71. SSH -X “Warning: untrusted X11 forwarding setup failed: xauth key data not generated”
  72. X11 forwarding request failed on channel 0
  73. mysql_config not found when installing mysqldb python interface
  74. Pseudo-terminal will not be allocated because stdin is not a terminal
  75. How to specify the private SSH-key to use when executing shell command on Git?
  76. Getting stty: standard input: Inappropriate ioctl for device when using scp through an ssh tunnel
  77. Copying files from server to local computer using SSH
  78. Error “You must specify a region” when running any aws CLI command
  79. SCP Permission denied (publickey). on EC2 only when using -r flag on directories
  80. Configure WordPress to connect to Mysql DB using SSH tunneling
  81. Failure to establish connection when provisioning via ansible-playbook server.yml
  82. Unable to update WordPress or install plugins/themes
  83. SSH Server with WordPress
  84. AWS Lightsail WordPress – connect to database on instance using mysqli
  85. Configuring WordPress permissions for easy updates
  86. SSH git — How to pull a folder from repo, but not delete other directories & files on deployment server [closed]
  87. How do I tell Git for Windows where to find my private RSA key?
  88. How to reconnect to a disconnected ssh session
  89. Keeping a linux process running after I logout
  90. How can I upgrade to Java 1.8 on an Amazon Linux Server?
  91. Why do consoles sometimes hang forever when SSH connection breaks?
  92. Amazon EC2 terminology – AMI vs. EBS vs. Snapshot vs. Volume
  93. How to check if an RSA public / private key pair match
  94. How to change an EC2 instance’s security group
  95. How can I automatically change directory on ssh login?
  96. “POSSIBLE BREAK-IN ATTEMPT!” in /var/log/secure — what does this mean?
  97. Does getting disconnected from an SSH session kill your programs?
  98. What Linux distribution is the Amazon Linux AMI based on?
  99. How can I fully log all bash scripts actions?
  100. How to get a .pem file from ssh key pair?

Leave a Comment