Re: EC2 images
On 4 July 2013 16:59, Tormod Ryeng <firstname.lastname@example.org> wrote:
> On 07/04/2013 04:44 PM, Anders Ingemann wrote:
>> On 4 July 2013 16:37, Tormod Ryeng <email@example.com> wrote:
>>> The AWS EC2 AMIs on
>>> (linked to from http://wiki.debian.org/Cloud/AmazonEC2Image) give the
>>> ECDSA key fingerprint for every instance when SSHing to the instances.
>>> host keys should be generated during the first boot-up of the instance,
>>> seem to be static.
>>> I would assume that anyone using e.g. ami-ddbeafa9 gets the fingerprint
>>> We've only tested the eu-west 64-bit AMI and some of the RightScale
>>> listed on the wiki, and they've all had the same problem.
>>> I don't know whether this is a bug in the tools used to create the images
>> Whoa, that is weird, to say the least.
>> I remove the keys when creating the AMI
>> and create new ones at first boot.
>> Do we have an entropy problem?!?!
> Ah, that's probably the bug, right there. I guess you'll need to remove and
> generate /etc/ssh/ssh_host_ecdsa_key as well?
> admin@ip-10-227-121-70:/etc/ssh$ ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key
> 256 f9:c4:2a:ee:20:5e:66:c2:fc:76:12:63:53:13:9e:dc root@domU-12-31-39-0A-91-E9 (ECDSA)
> Tormod Ryeng
I created a pull request to my own repo:
The reason for that is that it's 00:21 in Denmark. Also, I'm currently
a bit drunk from an event at work, and I am sure that the Ballmer peak
feels different :-)
I would welcome anybody's effort to verify that it works (and also that
the bug is fixed). If so, I'll merge in the morning.
*Added Jimmy to the list of recipients.
Jimmy and James: I would say this requires us to retract any existing
wheezy images out there and issue a statement about a potential
security risk when using Elliptic Curve cryptography to verify an SSH
host, i.e. hosts can be spoofed.
To fix it on existing machines, one can run:
ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key -t ecdsa -C 'host' -N ''
@debian-security: What is procedure here? Should this thread be hidden
from the public mailing list for a while or do we just keep this
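As an added example (this is not code from this thread, nor from the Debian cloud image tooling): a small Python script that does what Tormod did by hand, but across many instances at once. It takes ssh-keyscan style output, computes each host key's fingerprint from the key blob, and flags any key presented by more than one distinct host. The hostnames and key blobs below are constructed for the example; the blobs are shaped like ecdsa-sha2-nistp256 public keys on the wire but are not real curve points, which does not matter for fingerprinting.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def fake_ecdsa_blob(seed: int) -> bytes:
    """Constructed ecdsa-sha2-nistp256 public key blob (same layout OpenSSH uses).

    The 65-byte 'point' is 0x04 followed by two SHA-256 digests derived from
    `seed`; it is NOT a valid P-256 point. It is test data only.
    """
    point = (b"\x04"
             + hashlib.sha256(b"x%d" % seed).digest()
             + hashlib.sha256(b"y%d" % seed).digest())
    return (ssh_string(b"ecdsa-sha2-nistp256")
            + ssh_string(b"nistp256")
            + ssh_string(point))


def md5_fingerprint(blob: bytes) -> str:
    """Legacy OpenSSH fingerprint: MD5 of the raw key blob, colon-separated hex.

    This is the format `ssh-keygen -lf` printed in 2013 (see the thread above).
    """
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def sha256_fingerprint(blob: bytes) -> str:
    """Modern OpenSSH fingerprint: 'SHA256:' + unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str):
    """Yield (host, keytype, blob) from ssh-keyscan output; '#' lines are comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip rather than crash
        host, keytype, b64 = parts[0], parts[1], parts[2]
        yield host, keytype, base64.b64decode(b64)


def find_shared_host_keys(text: str) -> dict:
    """Return {md5_fingerprint: sorted hosts} for every key seen on >1 host.

    Keys are compared by the hashed blob, so the comment field of the key
    (e.g. root@domU-...) plays no role. Any entry here is a cloned host key
    and the instances presenting it can be impersonated by each other.
    """
    hosts_by_key = defaultdict(set)
    for host, keytype, blob in parse_keyscan(text):
        hosts_by_key[(keytype, md5_fingerprint(blob))].add(host)
    return {fp: sorted(hosts)
            for (_keytype, fp), hosts in hosts_by_key.items()
            if len(hosts) > 1}


# Constructed sample: three made-up instances, two of which present the same
# ECDSA key (the symptom reported in the thread), one with its own key.
SHARED_KEY = base64.b64encode(fake_ecdsa_blob(1)).decode()
UNIQUE_KEY = base64.b64encode(fake_ecdsa_blob(2)).decode()
SAMPLE_KEYSCAN = f"""# ip-10-227-121-70:22 SSH-2.0-OpenSSH_6.0p1 Debian-4
ip-10-227-121-70 ecdsa-sha2-nistp256 {SHARED_KEY}
# ip-10-46-12-9:22 SSH-2.0-OpenSSH_6.0p1 Debian-4
ip-10-46-12-9 ecdsa-sha2-nistp256 {SHARED_KEY}
# ip-10-80-3-201:22 SSH-2.0-OpenSSH_6.0p1 Debian-4
ip-10-80-3-201 ecdsa-sha2-nistp256 {UNIQUE_KEY}
"""


if __name__ == "__main__":
    for fp, hosts in find_shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"CLONED HOST KEY {fp} on {len(hosts)} hosts: {', '.join(hosts)}")
```

To use it against a real fleet, feed it the output of `ssh-keyscan -t ecdsa,rsa,ed25519 host1 host2 ...` instead of SAMPLE_KEYSCAN; a fingerprint appearing for more than one host means the instances were launched from an image that shipped a key instead of generating one at first boot. One caveat on the one-liner fix quoted above: ssh-keygen prompts "Overwrite (y/n)?" when the target file already exists, so for an unattended fix remove the old key pair first; on Debian, `rm /etc/ssh/ssh_host_*key*` followed by `dpkg-reconfigure openssh-server` regenerates every missing host key type, not only the ECDSA one.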