/usr/bin/ssh-copy-id: ERROR: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ERROR: @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
ERROR: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ERROR: IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
ERROR: Someone could be eavesdropping on you right now (man-in-the-middle attack)!
ERROR: It is also possible that a host key has just been changed.
ERROR: The fingerprint for the RSA key sent by the remote host is
ERROR: SHA256:At9YmP/6i/yJ3nnm52ZKA8AqFo38javPlGN3Tk5mnDU.
ERROR: Please contact your system administrator.
ERROR: Add correct host key in /home/evan/.ssh/known_hosts to get rid of this message.
ERROR: Offending ECDSA key in /home/evan/.ssh/known_hosts:341
ERROR: remove with:
ERROR: ssh-keygen -f "/home/evan/.ssh/known_hosts" -R 192.168.1.89
ERROR: RSA host key for 192.168.1.89 has changed and you have requested strict checking.
ERROR: Host key verification failed.
Got it! If the two EC2 instances already share the same host key (distributed uniformly via the AMI, Secrets Manager, or user_data), the procedure becomes much simpler.
---
## Procedure
### Step 1: Get the NLB's IPs
```bash
dig +short <your-nlb-dns-name>
# for example
dig +short my-nlb-xxxxxxxx.elb.us-east-1.amazonaws.com
```
### Step 2: Scan the host key via the NLB IP
Because both EC2 instances have the same key, scanning any of the IPs gives the same result:
```bash
ssh-keyscan -t ed25519,rsa,ecdsa <nlb-ip>
```
### Step 3: Add it to the non-AWS machine's known_hosts
```bash
ssh-keyscan -H <nlb-ip> >> ~/.ssh/known_hosts
```
If the NLB has multiple IPs (multi-AZ), add each of them:
```bash
for ip in $(dig +short <nlb-dns-name>); do
    ssh-keyscan -H "$ip" >> ~/.ssh/known_hosts
done
```
---
## Verify
```bash
ssh-keygen -F <nlb-ip>
```
If the matching entry shows up, it was added successfully.
---
## Notes
The IPs of the NLB are **static** (one fixed IP per AZ) and do not drift like ALB IPs.
Therefore, the known_hosts entry remains valid long-term.
However, if the NLB is expanded to new AZs in the future, you will need to add the IPs of the new AZs to known_hosts as well.
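The steps above append whatever `ssh-keyscan` returns, which is trust-on-first-use over the network: if the scan itself were intercepted, the attacker's key would be the one recorded. The script below is an added example, not part of the reply above. It shows the same procedure with two checks a practitioner would want: it refuses to write anything unless every IP behind the NLB presents the same key (the premise of the reply), and unless that key matches a value obtained out of band (for example `ssh_host_ed25519_key.pub` read from the instance through the EC2 console or SSM; the `expected` argument is an assumption here). It also keys the known_hosts line on both the NLB DNS name and its IPs, since `ssh` looks the entry up by whatever name you type on the command line. The `dig` and `ssh-keyscan` output used for the offline check is constructed sample data; the key blobs and `192.0.2.x` addresses are placeholders, not real keys or hosts.

```shell
#!/bin/sh
# Added example: trust an NLB's SSH host key only after consistency and
# out-of-band checks. Helper functions are pure text processing so they can
# be exercised offline; scan_and_trust_nlb() does the live network work.

# Constructed sample of `ssh-keyscan -t ed25519 <ip>` output for two NLB IPs
# that front instances sharing one host key (placeholder blob, not a real key).
SAMPLE_SCAN='# 192.0.2.10:22 SSH-2.0-OpenSSH_9.6
192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBLOB00000000000000000000000
# 192.0.2.20:22 SSH-2.0-OpenSSH_9.6
192.0.2.20 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBLOB00000000000000000000000'

# Constructed sample where the second target presents a different key, which
# is what a mis-provisioned instance or an interposed host would look like.
SAMPLE_SCAN_MISMATCH='192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBLOB00000000000000000000000
192.0.2.20 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDIFFERENTKEYBLOB000000000000000000000000'

# Print the distinct "keytype blob" pairs in keyscan output, skipping the
# "# host:port banner" comment lines. Exactly one line means all targets agree.
distinct_keys() {
    printf '%s\n' "$1" | awk 'NF >= 3 && $2 ~ /^(ssh-|ecdsa-)/ { print $2, $3 }' | sort -u
}

# Succeed only if every scanned target presented the same key.
keys_consistent() {
    [ "$(distinct_keys "$1" | wc -l | tr -d ' ')" -eq 1 ]
}

# Build one known_hosts line keyed on "name,ip1,ip2 ..." so lookups by the NLB
# DNS name and by any of its IPs both match the same entry.
known_hosts_line() {
    name=$1
    scan=$2
    key=$(distinct_keys "$scan")
    ips=$(printf '%s\n' "$scan" | awk 'NF >= 3 && $2 ~ /^(ssh-|ecdsa-)/ && !seen[$1]++ {
        out = out (out ? "," : "") $1 } END { print out }')
    printf '%s,%s %s\n' "$name" "$ips" "$key"
}

# Live procedure (needs network and OpenSSH): resolve the NLB, scan every IP,
# and append an entry only if all targets agree AND the key equals the value
# supplied out of band as "keytype blob" (assumed to come from the instance's
# ssh_host_ed25519_key.pub via the EC2 console or SSM).
scan_and_trust_nlb() {
    nlb=$1
    expected=$2
    ips=$(dig +short "$nlb")
    [ -n "$ips" ] || { echo "could not resolve $nlb" >&2; return 1; }
    scan=$(for ip in $ips; do ssh-keyscan -t ed25519 "$ip" 2>/dev/null; done)
    keys_consistent "$scan" || {
        echo "targets behind $nlb present different host keys; refusing to trust" >&2
        return 1
    }
    [ "$(distinct_keys "$scan")" = "$expected" ] || {
        echo "scanned key does not match the out-of-band value; refusing to trust" >&2
        return 1
    }
    known_hosts_line "$nlb" "$scan" >> "$HOME/.ssh/known_hosts"
}

# Usage: sh this_script.sh --live <nlb-dns-name> "ssh-ed25519 AAAA..."
if [ "${1:-}" = "--live" ]; then
    scan_and_trust_nlb "$2" "$3"
fi
```

After the entry is written, `ssh-keygen -F <nlb-dns-name>` and `ssh-keygen -F <nlb-ip>` should both find it; if you want the hostnames hidden as `ssh-keyscan -H` would do, run `ssh-keygen -H -f ~/.ssh/known_hosts` once afterwards. Adding an AZ to the NLB means rerunning the live step, which will only succeed if the new target presents the same, expected key.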