PLEASE HELP: Offending ECDSA key

0

Hi, I had stopped and started my AWS Lightsail instance (built on Linux OS) and afterwards it says "Error establishing a database connection."

Could you please give me some advice on which actions to take, as my whole website is down now and no customers can use services any more.

My programmer says he saw this when using PEM key: "Please contact your system administrator. Add correct host key in /Users/sid/.ssh/known_hosts to get rid of this message. Offending ECDSA key in /Users/sid/.ssh/known_hosts:3 ECDSA host key for braindocacademy.com.au has changed and you have requested strict checking. Host key verification failed."

Really appreciate it. :) Carl

Carl
asked a year ago, 200 views
1 Answer
0

Carl,

It sounds like your database either failed to come up or the connection to your database is misconfigured. Have you taken the actions suggested in the answer to your previous question?

https://repost.aws/questions/QUgTQynzqTQJONB2RsQ_t0AQ/urgent-assistance-error-establishing-a-database-connection

The logs on the instance will most likely help you troubleshoot the issue, however it seems like you are having trouble logging into the instance. Have you tried using the web-based SSH feature? It should bypass the known_hosts issue you are having.

The most common reason for a known_hosts mismatch is that the underlying server was re-built or ssh was re-initialized on that host between the time the host key was observed by your client (looks like MacOSX ssh) and now. Is it possible that braindocacademy.com.au was pointing at a different instance in the past? Note, however, that this mechanism is designed to detect MITM attacks where someone is spoofing your machine to trick you into logging into a box that they control, so caution is warranted.

If you are sure that no attack is in progress, the best/fastest solution to this is to delete that line from your known_hosts file (line 3 according to your error message). After you do this and when you re-establish your ssh connection you will be prompted to validate the new host key. To exercise caution you can independently verify that the host key signature is valid by using the web-based ssh on your target instance and issuing the following command:

ssh-keygen -E md5 -lf <(ssh-keyscan localhost 2>/dev/null)

It will output something like this:

2048 MD5:6f:ea:9e:89:5f:d4:42:76:63:27:23:b4:a7:ef:e7:73 localhost (RSA)
256 MD5:36:8b:e2:0e:67:a0:9d:1c:fb:d0:a9:e2:6c:9a:8c:40 localhost (ECDSA)
256 MD5:0d:75:33:c6:b9:cf:33:e2:58:4e:9d:fd:e9:12:79:19 localhost (ED25519)

You should check that the signature presented when logging in via your ssh client is the same as one of the key signatures listed above.

If Lightsail's web-based ssh detects a host-key change it will prompt you for a decision about whether or not to honor the new host key. Because connection to your host in a web-based ssh session is made from internal Amazon servers directly to your Lightsail server it is usually safe to accept the new signature.

I hope this helps!

AWS
answered a year ago
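
An added example, not part of the answer above or of any AWS tooling: Python that computes the MD5 and SHA256 fingerprints of a host key line in ssh-keyscan format and checks them against `ssh-keygen -l` output copied from the web-based SSH session, which is the comparison the answer asks for before accepting the new key. The function names are assumptions and the key blobs are constructed sample values, not real host keys.

```python
import base64
import hashlib
import struct


def fingerprints(key_line):
    """Return (MD5, SHA256) fingerprints for a 'host keytype base64' line."""
    blob = base64.b64decode(key_line.split()[2])
    md5 = ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return "MD5:" + md5, "SHA256:" + sha


def trusted_fingerprints(keygen_output):
    """Pull the fingerprint column out of `ssh-keygen -l` output lines."""
    found = set()
    for line in keygen_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1].startswith(("MD5:", "SHA256:")):
            found.add(fields[1])
    return found


def host_key_matches(key_line, keygen_output):
    """True only if the key the client sees was listed over the trusted channel."""
    return bool(set(fingerprints(key_line)) & trusted_fingerprints(keygen_output))


def sample_key_line(host, seed):
    """Constructed ed25519-style public key line (sample data, not a real host key)."""
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


if __name__ == "__main__":
    on_server = sample_key_line("localhost", 1)      # key listed in the web-based session
    same_key = sample_key_line("example.test", 1)    # client is offered the same key
    other_key = sample_key_line("example.test", 2)   # client is offered a different key
    trusted = f"256 {fingerprints(on_server)[0]} localhost (ED25519)"
    print(trusted)
    print("same key accepted: ", host_key_matches(same_key, trusted))
    print("other key accepted:", host_key_matches(other_key, trusted))
```

A `False` result means the key offered to the client is not one the server itself reported, so the known_hosts entry should not be replaced until the difference is explained.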
