Ssh fingerprint
```
/usr/bin/ssh-copy-id: ERROR: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ERROR: @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
ERROR: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ERROR: IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
ERROR: Someone could be eavesdropping on you right now (man-in-the-middle attack)!
ERROR: It is also possible that a host key has just been changed.
ERROR: The fingerprint for the RSA key sent by the remote host is
ERROR: SHA256:At9YmP/6i/yJ3nnm52ZKA8AqFo38javPlGN3Tk5mnDU.
ERROR: Please contact your system administrator.
ERROR: Add correct host key in /home/evan/.ssh/known_hosts to get rid of this message.
ERROR: Offending ECDSA key in /home/evan/.ssh/known_hosts:341
ERROR: remove with:
ERROR: ssh-keygen -f "/home/evan/.ssh/known_hosts" -R 192.168.1.89
ERROR: RSA host key for 192.168.1.89 has changed and you have requested strict checking.
ERROR: Host key verification failed.
```
Got it! If the two EC2 instances already share the same host key (distributed uniformly via the AMI, Secrets Manager, or user_data), the process is much simpler.

---

## Steps

### Step 1: Get the NLB's IP

```bash
dig +short <your-nlb-dns-name>
# e.g. dig +short my-nlb-xxxxxxxx.elb.us-east-1.amazonaws.com
```

### Step 2: Scan the host key via the NLB IP

Because both EC2 instances have the same key, the scan returns the same result whichever IP you connect to:

```bash
ssh-keyscan -t ed25519,rsa,ecdsa <nlb-ip>
```

### Step 3: Add it to known_hosts on the non-AWS machine

```bash
ssh-keyscan -H <nlb-ip> >> ~/.ssh/known_hosts
```

If the NLB has multiple IPs (multi-AZ), add each one:

```bash
for ip in $(dig +short <nlb-dns-name>); do
  ssh-keyscan -H "$ip" >> ~/.ssh/known_hosts
done
```

---

## Verify

```bash
ssh-keygen -F <nlb-ip>
```

If the matching entry is shown, it was added successfully.

---

## Note

The IPs of the NLB are **static** (one fixed IP per AZ) and do not drift like ALB IPs. Therefore, the known_hosts entry remains valid long-term. However, if the NLB is expanded to new AZs in the future, you will need to add the IPs of the new AZs to known_hosts as well.
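`ssh-keyscan` output is unauthenticated, so keys collected through the NLB are only as trustworthy as the network path at scan time. The following added example (not part of the original page) keeps only scanned lines whose SHA256 fingerprint matches one read out of band, for instance with `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` on the instance, and reports any NLB IP whose backend answers with a different key; the function names, key blobs and IP addresses are constructed for illustration.

```python
import base64
import hashlib
import struct

def fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint as ssh prints it: base64 digest with '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def vet_scan(scan_text: str, trusted: dict) -> tuple:
    """Split ssh-keyscan output into known_hosts lines whose fingerprint matches
    trusted[keytype], and (host, keytype, fingerprint) tuples that do not."""
    accepted, rejected = [], []
    for line in scan_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # banner comments and blank lines
        host, keytype, blob = fields[:3]
        try:
            fp = fingerprint(blob)
        except ValueError:  # binascii.Error (bad base64) is a ValueError
            fp = "unparseable"
        if trusted.get(keytype) == fp:
            accepted.append(f"{host} {keytype} {blob}")
        else:
            rejected.append((host, keytype, fp))
    return accepted, rejected

def demo_blob(fill: int) -> str:
    """Constructed ed25519-shaped key blob for the demo, not a real host key."""
    name, key = b"ssh-ed25519", bytes([fill]) * 32
    raw = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return base64.b64encode(raw).decode()

# Constructed scan of two NLB IPs (documentation address ranges): the second
# answers with a different key, as it would if one backend had its own host key.
GOOD, OTHER = demo_blob(0x11), demo_blob(0x22)
SCAN = f"""# 192.0.2.10:22 SSH-2.0-OpenSSH_9.6
192.0.2.10 ssh-ed25519 {GOOD}
198.51.100.10 ssh-ed25519 {OTHER}
"""
# Assumption: in real use this value is read on the instance itself, not from the scan.
TRUSTED = {"ssh-ed25519": fingerprint(GOOD)}

if __name__ == "__main__":
    ok, bad = vet_scan(SCAN, TRUSTED)
    print("accept:", ok, "\nrefuse:", bad)
```

Only the accepted lines belong in `~/.ssh/known_hosts`; a refused entry means that IP's backend does not present the shared host key and should be investigated before connecting.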