Import ed25519-sk key in EC2

0

Hi! I saw in EC2 that ed25519 keys are supported; I tried generating a keypair on my Yubikey (SSH FIDO key) and importing the public key as an EC2 key, but it fails. According to the error message the key must be ssh-ed25519, but the key generated on the Yubikey is sk-ssh-ed25519. Is there a way to import it? Thanks

3 Answers
0

Hi

I tried, but this doesn't output a correct format for an EC2 key:

ssh-keygen -e -f ~/.ssh/id_ed25519_sk.pub -m "RFC4716" > ~/.ssh/id_ed25519.pub

The output begins with ---- BEGIN SSH2 PUBLIC KEY ----, which is not the one expected.

answered 9 months ago
-1

Hi,

Follow the guidance of section Use a third-party tool to generate a key pair, and then transfer the public key to Amazon EC2 in https://allcode.com/creating-a-new-aws-ec2-key-for-a-third-party-developer/ to achieve what you want.

Best,

Didier

AWS
EXPERT
answered 9 months ago
-1

This could be down to EC2 supporting the ssh-ed25519 key type, but it doesn't directly support the sk-ssh-ed25519 key type, which is the format used for security key (Yubikey) SSH keys.

The sk-ssh-ed25519 key type is a specific format used for security keys that include a "security key" (sk) marker in the key type. This is to differentiate them from regular ssh-ed25519 keys that are not associated with a security key.

To import a Yubikey (or other security key) SSH public key to EC2, you'll need to convert the key format from sk-ssh-ed25519 to ssh-ed25519. Here's how you can do that:

  1. Obtain the public key from your Yubikey

    • Connect your Yubikey to your computer.
    • Use the ssh-keygen command to extract the public key:
      ssh-keygen -L -f ~/.ssh/id_ed25519_sk.pub
    • This will display the public key in the sk-ssh-ed25519 format.
  2. Convert the key format

    • You can use the ssh-keygen command to convert the key format from sk-ssh-ed25519 to ssh-ed25519:
      ssh-keygen -e -f ~/.ssh/id_ed25519_sk.pub -m "RFC4716" > ~/.ssh/id_ed25519.pub
    • This will create a new file ~/.ssh/id_ed25519.pub containing the public key in the ssh-ed25519 format.
  3. Import the converted public key to EC2

    • In the AWS Management Console, navigate to the EC2 service.
    • Go to the "Key Pairs" section and click on "Import key pair".
    • Give the key pair a name and paste the contents of the ~/.ssh/id_ed25519.pub file into the "Public key contents" field.
    • Click "Import key pair" to add the key to your EC2 environment.

Now you should be able to use the imported ssh-ed25519 key to connect to your EC2 instances using your Yubikey for authentication.

answered 9 months ago
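Added example (not from any of the posts or from AWS): decoding the public key blob shows what distinguishes the two types EC2 is comparing, namely that the sk- variant carries the FIDO application string after the 32-byte point, and that an RFC 4716 export only re-wraps the same blob, so the type inside it is unchanged. The point bytes are a constructed stand-in and to_rfc4716 is a small emulation of the ssh-keygen -e framing, not ssh-keygen itself.

```python
import base64
import struct

# Constructed sample 32-byte Ed25519 public point; not a real key.
SAMPLE_POINT = bytes(range(32))

def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 length + bytes (RFC 4251)."""
    return struct.pack(">I", len(data)) + data

def build_authorized_key(key_type: str, point: bytes, application: str = "ssh:") -> str:
    """Build an authorized_keys-style line '<type> <base64 blob>' for either key type."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(point)
    if key_type == "sk-ssh-ed25519":
        # Security-key variant appends the FIDO application string after the point.
        blob += _ssh_string(application.encode())
    return f"{key_type} {base64.b64encode(blob).decode()}"

def to_rfc4716(line: str) -> str:
    """Emulate 'ssh-keygen -e -m RFC4716': same blob, 70-column body, header/trailer lines."""
    b64 = line.split()[1]
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ("---- BEGIN SSH2 PUBLIC KEY ----\nComment: \"constructed sample\"\n"
            + body + "\n---- END SSH2 PUBLIC KEY ----\n")

def parse_pubkey(text: str) -> dict:
    """Parse a one-line OpenSSH public key or an RFC 4716 export and report
    the key type carried inside the blob, which is what an importer checks."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        # RFC 4716: drop 'Name: value' header lines, join the base64 body, drop trailer.
        b64 = "".join(l for l in lines[1:-1] if ":" not in l)
    else:
        b64 = lines[0].split()[1]
    blob = base64.b64decode(b64)
    fields, off = [], 0
    while off < len(blob):  # walk the length-prefixed strings
        (n,) = struct.unpack_from(">I", blob, off)
        off += 4
        fields.append(blob[off:off + n])
        off += n
    key_type = fields[0].decode()
    info = {"key_type": key_type, "point_len": len(fields[1])}
    if key_type == "sk-ssh-ed25519":
        info["application"] = fields[2].decode()
    return info

if __name__ == "__main__":
    sk_line = build_authorized_key("sk-ssh-ed25519", SAMPLE_POINT)
    print(parse_pubkey(sk_line))
    print(parse_pubkey(to_rfc4716(sk_line)))  # same type after re-wrapping
```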
