How to connect to AWS EC2 instance with *.pem file #423
I've tried to connect like this and got "Host key is not trusted". How do I connect to AWS EC2 in general using a *.pem file?
Replies: 1 comment
This error is about the host key, not the client keys. To get rid of the error, you'll either need to collect the public keys associated with all of the hosts you are trying to connect to and add them to a "known_hosts" file, or you'll need to disable host key validation by passing in known_hosts=None, but that leaves you open to a man-in-the-middle attack.

You can collect the host key from a system using a call like:

    host_key = await asyncssh.get_server_host_key(host)

Once you have the server's key, you'd ideally want to verify that it is one you should trust, and then you could add it to the known_hosts file using something like:

    host_key.append_public_key('~/.ssh/known_hosts')

Note: you should do this only once per host, or you are going to end up with an ever-growing known_hosts file with duplicate entries in it. For instance, you might want to do something like this as one of the steps you take every time you create a new AWS EC2 instance, rather than every time you connect to it.

If you can somehow get AWS to give you the new instance's SSH host public key as part of the instance creation process, that's even better, as that would be more trustworthy than just connecting to the host and asking for it (which could still be subject to man-in-the-middle on that get_server_host_key() call).

I don't have any first-hand experience doing this with AWS, but here's one thread which might be helpful: https://stackoverflow.com/questions/23331014/aws-ec2-safe-way-to-get-host-public-key

If you took the host public keys you acquire from this and add them to
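The "verify, then add once per host" step from the reply above, as an added example that is not part of the original discussion or of asyncssh itself. The helper names, the plain (unhashed) "host type key" known_hosts line format, and the idea that you already hold a SHA256 fingerprint from a trusted channel are assumptions of this sketch.

```python
import base64
import hashlib
import os


def sha256_fingerprint(key_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a 'type base64 [comment]' key line."""
    blob = base64.b64decode(key_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def pin_host_key(known_hosts: str, host: str, key_line: str, expected_fp: str) -> bool:
    """Append 'host type base64' once; return True only if a line was written."""
    if sha256_fingerprint(key_line) != expected_fp:
        # Never write a key that fails the out-of-band check.
        raise ValueError(f"host key for {host} does not match expected fingerprint")
    key_type, key_b64 = key_line.split()[:2]
    entry = f"{host} {key_type} {key_b64}"
    path = os.path.expanduser(known_hosts)
    if os.path.exists(path):
        with open(path) as f:
            if any(line.strip() == entry for line in f):
                return False  # already pinned, so no duplicate entry
    with open(path, "a") as f:
        f.write(entry + "\n")
    return True


async def pin_new_instance(host: str, expected_fp: str,
                           known_hosts: str = "~/.ssh/known_hosts") -> bool:
    """Run once when the instance is created: fetch, verify, then pin."""
    import asyncssh  # imported lazily so the helpers above need only the stdlib
    key = await asyncssh.get_server_host_key(host)
    if key is None:
        raise ValueError(f"no host key returned by {host}")
    key_line = key.export_public_key("openssh").decode()
    return pin_host_key(known_hosts, host, key_line, expected_fp)


if __name__ == "__main__":
    import tempfile
    # Constructed sample: an ed25519-shaped blob, not a real host key.
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
    line = "ssh-ed25519 " + base64.b64encode(blob).decode()
    kh = os.path.join(tempfile.mkdtemp(), "known_hosts")
    fp = sha256_fingerprint(line)  # stands in for the trusted fingerprint
    print(pin_host_key(kh, "ec2-host.example", line, fp))  # first call writes
    print(pin_host_key(kh, "ec2-host.example", line, fp))  # second call does not
```

After pinning, later connections can leave host key validation enabled and pass the *.pem file through the client_keys argument of asyncssh.connect().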