Easier EC2 Logins
2010-01-20
With the addition of the new Northern California region to EC2 I ran into a problem: I had too many keys in my SSH Agent. To fix it I came up with the (somewhat imperfect) solution of removing the EC2 keys from my SSH Agent and moving the logic to the ssh config file; I’ve also written some regular expressions that pick the key automatically based on the hostname (or, if you’re using IPs, imperfectly match the EC2 subnets).
This solution also skips host key checking, since our instances have a maximum life of a few hours, so there’s no point keeping the old host key fingerprints around.
Here’s an excerpt from my .ssh/config file:
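# ssh uses the first value it obtains for each option, so the host-specific
# EC2 blocks come first and the defaults last. With "Host *" at the top, its
# "ForwardAgent yes" would win over the "ForwardAgent no" in the EC2 blocks.
#
# ssh_config host patterns only understand * and ? (there are no [..]
# character classes), so each octet range is written out with ?.
#
# Amazon EC2 hosts
#
# StrictHostKeyChecking no + UserKnownHostsFile /dev/null: host keys are
# neither verified nor stored, so the server is not authenticated.
# IdentitiesOnly yes: offer only the listed key, not every key in the agent.
#
# EC2 Northern Virginia
# 216.182.224.0/20
# 72.44.32.0/19
# 67.202.0.0/18
# 75.101.128.0/17
# 174.129.0.0/16
# 204.236.224.0/19
Host *.compute-1.amazonaws.com 174.129.* 204.236.22?.* 204.236.23?.* 67.202.* 75.101.1??.* 75.101.2??.* 216.182.22?.* 216.182.23?.* 72.44.3?.* 72.44.4?.* 72.44.5?.* 72.44.6?.*
    User root
    CheckHostIP no
    IdentityFile ~/.keys/ssh/ec2/us_east_1.key
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
    IdentitiesOnly yes
    ForwardAgent no

# EC2 Northern California:
# 204.236.128.0/18
Host *.us-west-1.compute.amazonaws.com 204.236.1??.*
    User root
    CheckHostIP no
    IdentityFile ~/.keys/ssh/ec2/us_west_1.key
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
    IdentitiesOnly yes
    ForwardAgent no

# EC2 Ireland:
# 79.125.0.0/17
Host *.eu-west-1.compute.amazonaws.com 79.125.?.* 79.125.??.* 79.125.10?.* 79.125.11?.* 79.125.12?.*
    User root
    CheckHostIP no
    IdentityFile ~/.keys/ssh/ec2/eu_west_1.key
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
    IdentitiesOnly yes
    ForwardAgent no

# Default params (last, so they only fill in what is not set above)
Host *
    HashKnownHosts no
    StrictHostKeyChecking no
    ConnectTimeout 15
    ForwardAgent yes
    RSAAuthentication yes
    PasswordAuthentication yes
    HostBasedAuthentication no
    ForwardX11 yes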
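
To see how far hand-written host patterns drift from the CIDR blocks they stand for, the following added example (not part of the original post) implements ssh_config pattern matching, where only `*` and `?` are wildcards, and reports per /24 what a pattern set misses or over-matches. The `CHECKS` table is constructed from CIDRs and patterns in the config above, with octet ranges written out using `?`; the function names are this example's own.

```python
import ipaddress
import re

def ssh_glob_match(pattern, host):
    """Match as ssh_config(5) does: '*' = any run, '?' = one char, rest literal."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, host) is not None

def coverage(cidr, patterns):
    """Compare patterns with a /16../24 CIDR, one /24 at a time.

    Returns (missed, extra): third octets inside the CIDR that no pattern
    matches, and third octets outside it (same /16) that some pattern matches.
    """
    net = ipaddress.ip_network(cidr)
    if not 16 <= net.prefixlen <= 24:
        raise ValueError("only /16 to /24 networks are handled")
    a, b = str(net.network_address).split(".")[:2]
    inside = {int(str(s.network_address).split(".")[2])
              for s in net.subnets(new_prefix=24)}
    matched = {o for o in range(256)
               if any(ssh_glob_match(p, f"{a}.{b}.{o}.1") for p in patterns)}
    return sorted(inside - matched), sorted(matched - inside)

def ranges(octets):
    """Collapse [100, 101, 102, 192] into '100-102,192' for display."""
    out, run = [], []
    for o in list(octets) + [None]:
        if run and o != run[-1] + 1:
            out.append(str(run[0]) if len(run) == 1 else f"{run[0]}-{run[-1]}")
            run = []
        if o is not None:
            run.append(o)
    return ",".join(out)

# Constructed from the CIDR comments and Host patterns in the config above.
CHECKS = {
    "204.236.128.0/18": ["204.236.1??.*"],
    "204.236.224.0/19": ["204.236.22?.*", "204.236.23?.*"],
    "79.125.0.0/17": ["79.125.?.*", "79.125.??.*", "79.125.10?.*",
                      "79.125.11?.*", "79.125.12?.*"],
}

if __name__ == "__main__":
    for cidr, pats in CHECKS.items():
        missed, extra = coverage(cidr, pats)
        print(f"{cidr}: missed /24s [{ranges(missed)}] extra /24s [{ranges(extra)}]")
```

A non-empty "missed" list means some instances in that region fall through to the `Host *` defaults; a non-empty "extra" list means the region's key and relaxed host key settings also apply to addresses outside the block.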