
My normal backup process is to create a new AMI from an EC2 instance I have running Amazon Linux. This is convenient because the EC2 console automatically shuts down the node, makes a copy and brings the old node back up.

The odd thing is that upon starting up the cloned EC2 node, I noticed its ssh host public key has a different fingerprint.

What part of cloning is setting off new SSH host key pairs getting generated?

This is slightly worrisome, because I had created new SSH keypairs into the box and removed the ones Amazon generated and so I do not think Amazon's cloning process could have reached in and done this.

Answer I am looking for: do you know what script on the Amazon Linux does this?

HeyWatchThis

1 Answer

Most likely the host key changed, not the SSH public/private key pair.

https://www.ibm.com/developerworks/community/blogs/brian/entry/ssh_host_keys_know_when_to_keep_em_and_when_to_change_them4?lang=en

All host keys should be unique, even on clones, except in certain high-availability scenarios, so Amazon probably regenerates these after cloning.

You should just need to remove the line in your ~/.ssh/known_hosts file and you will be good to go.

MattPark
  • I agree clones should have unique host keys, but where does Amazon make this happen? – HeyWatchThis May 02 '13 at 17:18
  • Supposedly there is a cloud-init package that Amazon installs for EC2. http://technodrone.blogspot.com/2013/01/the-ssh-key-problem-with-cloned-linux.html (see the comments section). If the package is in fact installed you could run `dpkg -L cloud-init` to find out what files the package touches. – MattPark May 02 '13 at 17:20
  • This should not affect your ability to ssh to the box or anything. It is just a warning. Depending on your /etc/ssh/ssh_config though it can be made a fatal error. – MattPark May 02 '13 at 17:22
  • Ah, you're right, cloud-init – HeyWatchThis May 02 '13 at 17:35
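Before deleting the `known_hosts` line as the answer suggests, it is worth confirming that the fingerprint the client now sees matches the one the rebuilt instance itself reports (cloud-init writes the regenerated host key fingerprints to the instance console output). The script below is an added example, not code from the question, the answer or cloud-init: it computes fingerprints in the two formats `ssh-keygen -l` prints, parses a `known_hosts` file, and flags only those entries for a host whose stored key no longer matches the reported fingerprint. The hostname, IP and key blobs are constructed placeholders.

```python
import base64
import hashlib


def fingerprints(key_b64):
    """Fingerprints of a base64 host-key blob, in the two formats ssh-keygen -l prints."""
    raw = base64.b64decode(key_b64)
    sha = base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    md5 = hashlib.md5(raw).hexdigest()
    return {
        "sha256": "SHA256:" + sha,
        "md5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
    }


def parse_known_hosts(text):
    """Parse known_hosts lines into dicts; hashed (|1|...) host fields are kept verbatim."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):      # @cert-authority / @revoked marker
            fields = fields[1:]
        hosts, ktype, blob = fields[:3]
        entries.append({"line": lineno, "hosts": hosts.split(","),
                        "type": ktype, "fp": fingerprints(blob)})
    return entries


def stale_entries(text, host, reported_fp):
    """Entries for `host` whose stored key differs from the fingerprint the instance reports."""
    reported_fp = reported_fp.strip()
    return [e for e in parse_known_hosts(text)
            if host in e["hosts"] and reported_fp not in e["fp"].values()]


# Constructed sample: two known_hosts lines; the blobs are made-up bytes, not real keys.
OLD_BLOB = base64.b64encode(b"constructed old host key blob").decode()
NEW_BLOB = base64.b64encode(b"constructed regenerated host key blob").decode()
EC2_HOST = "ec2-203-0-113-10.compute-1.amazonaws.com"   # placeholder hostname
KNOWN_HOSTS = (
    f"{EC2_HOST},203.0.113.10 ssh-rsa {OLD_BLOB}\n"
    f"other.example.com ssh-ed25519 {OLD_BLOB}\n"
)

if __name__ == "__main__":
    console_fp = fingerprints(NEW_BLOB)["sha256"]   # stands in for the console-output line
    for e in stale_entries(KNOWN_HOSTS, EC2_HOST, console_fp):
        print(f"known_hosts line {e['line']} ({e['type']}) is stale: {e['fp']['sha256']}")
```

Only a flagged line should be removed (for example with `ssh-keygen -R <host>`); if the client's fingerprint does not match the console output either, something other than cloud-init regenerated the key and the connection should not be trusted.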