Ssh fingerprint：修订间差异

/usr/bin/ssh-copy-id: ERROR: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ERROR: @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
ERROR: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ERROR: IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
ERROR: Someone could be eavesdropping on you right now (man-in-the-middle attack)!
ERROR: It is also possible that a host key has just been changed.
ERROR: The fingerprint for the RSA key sent by the remote host is
ERROR: SHA256:At9YmP/6i/yJ3nnm52ZKA8AqFo38javPlGN3Tk5mnDU.
ERROR: Please contact your system administrator.
ERROR: Add correct host key in /home/evan/.ssh/known_hosts to get rid of this message.
ERROR: Offending ECDSA key in /home/evan/.ssh/known_hosts:341
ERROR:   remove with:
ERROR:   ssh-keygen -f "/home/evan/.ssh/known_hosts" -R 192.168.1.89
ERROR: RSA host key for 192.168.1.89 has changed and you have requested strict checking.
ERROR: Host key verification failed.

明白了！如果两台 EC2 的 host key 已经相同（通过 AMI、Secrets Manager 或 user_data 统一分发），流程就简单很多。

---

## 操作步骤

### 第一步：获取 NLB 的 IP

```bash
dig +short <your-nlb-dns-name>
# 例如
dig +short my-nlb-xxxxxxxx.elb.us-east-1.amazonaws.com
```

### 第二步：用 NLB IP 扫描 host key

因为两台 EC2 key 相同，连哪个 IP 扫出来的结果都一样：

```bash
ssh-keyscan -t ed25519,rsa,ecdsa <nlb-ip>
```

### 第三步：加入非 AWS 机器的 known_hosts

```bash
ssh-keyscan -H <nlb-ip> >> ~/.ssh/known_hosts
```

如果 NLB 有多个 IP（多 AZ），每个都要加：

```bash
for ip in $(dig +short <nlb-dns-name>); do
  ssh-keyscan -H $ip >> ~/.ssh/known_hosts
done
```

---

## 验证

```bash
ssh-keygen -F <nlb-ip>
```

能看到对应记录就说明加成功了。

---

## 注意
The IPs of the NLB are **static** (one fixed IP per AZ) and do not drift like ALB IPs.  
Therefore, the known_hosts entry remains valid long-term.  
However, if the NLB is expanded to new AZs in the future, you will need to add the IPs of the new AZs to known_hosts as well.

NLB 的 IP 是**静态的**（每个 AZ 一个固定 IP），不会像 ALB 那样漂移，所以这个 known_hosts 记录长期有效。但如果以后 NLB 跨新 AZ 扩展，需要把新 AZ 的 IP 也补进去。