Re: EC2 images

[Tormod Ryeng <tormod@tormod.no>]

On 07/04/2013 04:44 PM, Anders Ingemann wrote:
> On 4 July 2013 16:37, Tormod Ryeng <tormod@tormod.no> wrote:
> > The AWS EC2 AMIs on
> > https://aws.amazon.com/marketplace/seller-profile/ref=srh_res_product_vendor?ie=UTF8&id=890be55d-32d8-4bc8-9042-2b4fd83064d5
> > (linked to from http://wiki.debian.org/Cloud/AmazonEC2Image) give the same
> > ECDSA key fingerprint for every instance when SSHing to the instances. The
> > host keys should be generated during the first boot-up of the instance, but
> > seem to be static.
> >
> > I would assume that anyone using e.g. ami-ddbeafa9 gets the fingerprint
> > f9:c4:2a:ee:20:5e:66:c2:fc:76:12:63:53:13:9e:dc.
> >
> > We've only tested the eu-west 64-bit AMI and some of the RightScale images
> > listed on the wiki, and they've all had the same problem.
> >
> > I don't know whether this is a bug in the tools used to create the images or
> > not.

> Whoa, that is weird, to say the least.
> I remove the keys when creating the ami
> (https://github.com/andsens/build-debian-cloud/blob/master/tasks/60-cleanup)
> and create new ones at first boot
> (https://github.com/andsens/build-debian-cloud/blob/master/init.d/generate-ssh-hostkeys).
> Do we have an entropy problem?!?!

Ah, that's probably the bug, right there. I guess you'll need to remove 
and generate /etc/ssh/ssh_host_ecdsa_key as well?

admin@ip-10-227-121-70:/etc/ssh$ ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key
256 f9:c4:2a:ee:20:5e:66:c2:fc:76:12:63:53:13:9e:dc 
root@domU-12-31-39-0A-91-E9 (ECDSA)

--
Regards,
Tormod Ryeng