Recently, I have been looking into improving access management for our EC2
instances at Naluri and came across the EC2 Instance Connect feature.
While experimenting with it, I learned a thing or two about ssh.
In this post, we are going to cover the following topics:
- Which private key ssh is using
- How to use only a specific private key when running ssh
Which private key is ssh using?
When I was experimenting with EC2 Instance Connect, I tried to ssh with a private
key that was supposed to have expired, yet I could still log in to the
application server. This seemed weird, so I needed to find out which private key
ssh had used to get me into the server. After some googling, I found the answer
here, which is:
ssh -v user@ip_address
After running the above you'll see additional logs on what ssh goes through
before connecting to the remote server, which look like this:
OpenSSH_7.9p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/kai/.ssh/config
...
debug1: Authenticating to <ip_address>:<port> as '<user>'
...
debug1: Will attempt key: /Users/kai/.ssh/id_rsa RSA SHA256:LJnPQHkVlt+cqWslxTzObpDezpdjgIKdfh8qa7u4ftM agent
debug1: Will attempt key: RSA SHA256:klrkbMg/32KGGbqW2GCEeWIx4MQ4aYJZonF0XIexVlI agent
debug1: Will attempt key: <user>@<host> RSA SHA256:utKcZ1r14VeHKyagE7IdqKOkZ+fWVVtk05zpl/K+tQQ agent
...
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/kai/.ssh/id_rsa RSA SHA256:LJnPQHkVlt+cqWslxTzObpDezpdjgIKdfh8qa7u4ftM agent
debug1: Server accepts key: /Users/kai/.ssh/id_rsa RSA SHA256:LJnPQHkVlt+cqWslxTzObpDezpdjgIKdfh8qa7u4ftM agent
debug1: Authentication succeeded (publickey).
Authenticated to <ip_address> (via proxy).
...
Among these logs, the most relevant are these two lines:
debug1: Offering public key: /Users/kai/.ssh/id_rsa RSA SHA256:LJnPQHkVlt+cqWslxTzObpDezpdjgIKdfh8qa7u4ftM agent
debug1: Server accepts key: /Users/kai/.ssh/id_rsa RSA SHA256:LJnPQHkVlt+cqWslxTzObpDezpdjgIKdfh8qa7u4ftM agent
Here, the logs show the fingerprint of the public key that ssh offered and the
remote server accepted. The trailing word "agent" tells you the key was supplied
by ssh-agent, which is how a key you never passed on the command line can still
be offered. To identify which key pair this is, we need the fingerprint of each
key pair we have. We can use ssh-keygen to get it:
ssh-keygen -lf ~/.ssh/id_rsa.pub
#=> 2048 SHA256:LJnPQHkVlt+cqWslxTzObpDezpdjgIKdfh8qa7u4ftM <user>@<host> (RSA)
If the fingerprint matches (as in this case), you've got it: that is the key pair the remote server accepted. If it doesn't match, get the fingerprints of the other ssh key pairs you have used before and compare each one.
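The matching step above can be scripted so you don't compare fingerprints by eye. The following is an added example, not code from the original post: it pulls the fingerprint out of the "Server accepts key:" line of ssh -v output and looks it up among the *.pub files in a directory. It assumes OpenSSH 6.8 or newer (SHA256 fingerprints, and the 7.x-style "Offering public key" / "Server accepts key" debug lines shown in the post); the sample log is constructed from the lines quoted above, and "user@ip_address" is a placeholder.

```bash
# Added example: find which local key pair the server accepted, by matching the
# SHA256 fingerprint in "ssh -v" output against the public keys in a directory.

# Print the SHA256 fingerprint from each "Server accepts key:" line on stdin.
# ssh -v writes its debug output to stderr, so callers redirect with 2>&1.
accepted_fingerprints() {
  sed -n 's|.*Server accepts key: .*\(SHA256:[A-Za-z0-9+/]*\).*|\1|p'
}

# Print "fingerprint<TAB>path" for every *.pub file in the given directory.
# ssh-keygen -lf prints: <bits> <fingerprint> <comment> (<type>)
local_fingerprints() {
  keydir=$1
  command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; return 1; }
  for pub in "$keydir"/*.pub; do
    [ -f "$pub" ] || continue
    fp=$(ssh-keygen -lf "$pub" | awk '{print $2}')
    printf '%s\t%s\n' "$fp" "$pub"
  done
}

# Read ssh -v output on stdin; print the local .pub path(s) whose fingerprint
# the server accepted. Returns 1 if no local key matches (the accepted key
# lives somewhere else, e.g. only in ssh-agent or another directory).
match_accepted_key() {
  keydir=$1
  found=1
  for fp in $(accepted_fingerprints); do
    path=$(local_fingerprints "$keydir" | awk -F'\t' -v fp="$fp" '$1 == fp {print $2}')
    if [ -n "$path" ]; then
      echo "$path"
      found=0
    fi
  done
  return $found
}

# Constructed, abridged ssh -v output for offline demonstration; the
# fingerprint is the one quoted in the post.
SAMPLE_LOG='debug1: Offering public key: /Users/kai/.ssh/id_rsa RSA SHA256:LJnPQHkVlt+cqWslxTzObpDezpdjgIKdfh8qa7u4ftM agent
debug1: Server accepts key: /Users/kai/.ssh/id_rsa RSA SHA256:LJnPQHkVlt+cqWslxTzObpDezpdjgIKdfh8qa7u4ftM agent
debug1: Authentication succeeded (publickey).'

# Offline: which fingerprint did the server accept?
printf '%s\n' "$SAMPLE_LOG" | accepted_fingerprints

# Live usage (substitute your host): run "true" so the session ends at once,
# then match the accepted fingerprint against the keys in ~/.ssh.
# ssh -v user@ip_address true 2>&1 | match_accepted_key "$HOME/.ssh"
```

If match_accepted_key prints nothing, the accepted key is not one of the *.pub files you pointed it at; `ssh-add -l` lists the fingerprints of everything ssh-agent is holding, which is the next place to look.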
How to use only a specific key when running ssh
I wanted to test whether I could still ssh into the remote server after the SSH key I had pushed through EC2 Instance Connect expired. However, if I just used:
# my_rsa_key is expired by now
ssh -i my_rsa_key user@ip_address
I would always successfully ssh into the remote server, since I have another
public key placed on the server. So, to prevent ssh from trying other keys
that the remote server might accept, we need to tell ssh to use only the
identity file we provide, which can be done with:
# Note that I am passing the private key file
ssh -o IdentitiesOnly=yes -i my_rsa_key user@ip_address
ssh will then attempt only the identity file you provided on the command line
(plus any IdentityFile configured for that host in ~/.ssh/config) and will
ignore the extra keys that ssh-agent offers. However, do note that if the file
does not exist, ssh only warns and then falls back to attempting all the
default identity files you have.
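The "file does not exist" fallback is the kind of thing that silently turns a failed test into a false pass, so it is worth guarding against. Below is an added example, not code from the original post: a wrapper that refuses to run when the identity file is missing, pins ssh to that one key, and a helper that counts how many keys ssh actually offered in a -v run. It assumes OpenSSH 7.x or newer debug output, an unencrypted or agent-loaded test key, and "user@ip_address" as a placeholder host; the sample log and its fingerprint are constructed.

```bash
# Added example: test exactly one private key against a host, with no fallback.
#
# - If the identity file is missing, ssh prints a warning and loads the default
#   ~/.ssh/id_* files instead, so we refuse to run at all in that case.
# - IdentitiesOnly=yes stops ssh-agent from offering any other keys it holds.
# - -F /dev/null ignores ~/.ssh/config (and the system config), whose
#   IdentityFile lines would otherwise still be offered alongside -i.
# - PreferredAuthentications=publickey prevents a fall-through to a password
#   prompt, so a rejected key fails loudly with "Permission denied (publickey)".
# Pass -v among the remaining arguments to get the debug lines offered_keys reads.
ssh_only_key() {
  key=$1
  shift
  if [ ! -r "$key" ]; then
    echo "identity file '$key' missing or unreadable: refusing to run, ssh would fall back to default identities" >&2
    return 2
  fi
  ssh -F /dev/null \
      -o IdentitiesOnly=yes \
      -o PreferredAuthentications=publickey \
      -i "$key" "$@"
}

# Read ssh -v output on stdin and print the path of every key ssh offered.
# A correct strict run shows exactly one line.
offered_keys() {
  sed -n 's|.*Offering public key: \([^ ]*\) .*|\1|p'
}

# Constructed, abridged log of a strict run against an expired key
# (the fingerprint is a made-up placeholder, not a real key).
STRICT_LOG='debug1: Offering public key: my_rsa_key RSA SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA explicit
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
user@ip_address: Permission denied (publickey).'

# Offline: how many keys were offered, and which?
printf '%s\n' "$STRICT_LOG" | offered_keys

# Live usage (substitute your host): "true" ends the session immediately.
# ssh_only_key my_rsa_key -v user@ip_address true 2>&1 | offered_keys
```

With the wrapper, an expired EC2 Instance Connect key produces "Permission denied (publickey)" and offered_keys lists only my_rsa_key; if you ever see a second offered key, something (a config IdentityFile, or a typo in the key path) has widened the test again.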
That's another new thing I learned from the internet. Hope it helps!