Why is an SSH public key being installed on my new Ubuntu 20.04.1 instance before I can log in for the first time? Am I being hacked?

You can use cloud-init to populate SSH authorized keys. However, the message clearly states:

ci-info: no authorized SSH key fingerprints found for user ubuntu

The fingerprints shown are for host keys, presented by the system to clients.


The keys in your linked image are host keys. These are not your private login key.

If we use SSL terms, the host key is a bit like the SSL key in your web server. It's private and it's necessary, but it's not recommended to share them between hosts, so the first boot generates one on the host for you that should be unique to the host. A corresponding public key is also generated at the same time, and that's the fingerprints you see there.

SSH supports several different key formats - that's why ECDSA, ED25519, RSA and DSA are all listed there. You can disable RSA and DSA in the /etc/ssh/ssh_config and then remove those keys if you only plan to use modern SSH clients to access it.

When you first connect to the SSH server it will send the public key(s) to your client. The client will pick the most secure it supports (and is configured to allow) from the ones presented. It will then present the fingerprint of the public key it selected. Keep your image handy and you can verify that is the fingerprint your client shows you. You are asked to verify that it really is the fingerprint for the host. The fingerprint is cached in the known_hosts file so it doesn't need to confirm with you the next time. This is basically the handraulic equivalent of your web browser checking against the CA-issued certificate and showing a padlock.

After that it will continue to select that particular public key for every new session and it will test the fingerprint against its cache. You won't be prompted again unless the fingerprint changes. You will be prompted if it changes.

Again, none of this has to do with your login keys. Nobody else can log in without your password. You will still need your password to log in until you've put your public login key in the authorized_keys file.
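The check the answer above describes (compare the fingerprint shown on the console with the one your client computes from the key the server offered, then rely on the cached known_hosts entry afterwards) can be reproduced with a few lines of standard-library Python. The following is an added example and not code from either answer or from cloud-init; it builds a constructed ssh-ed25519 public key line (the 32 bytes of key material are a placeholder, not a real key), computes the SHA256 and MD5 fingerprints the way ssh-keygen -lf does (SHA256 or MD5 of the decoded key blob), compares a fingerprint to one transcribed from the console, and checks whether a known_hosts line refers to a given host, including the hashed "|1|salt|hmac" form OpenSSH writes when HashKnownHosts is enabled. The hostname 203.0.113.10 and the comment "root@instance" are made-up sample values.

```python
import base64
import hashlib
import hmac
import os
import struct

# Constructed sample: 32 placeholder bytes standing in for an ssh-ed25519
# public key (not a real key, not from the original post).
SAMPLE_ED25519_PUBLIC = bytes(range(32))


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int):
    """Decode one SSH wire 'string' at offset; return (data, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def make_pubkey_line(key_type: str, key_material: bytes, comment: str = "") -> str:
    """Build a line in the format of /etc/ssh/ssh_host_*.pub. Only used here to
    construct sample input; on a real host ssh-keygen writes these files."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(key_material)
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def parse_pubkey_line(line: str):
    """Split 'type base64blob [comment]' and require that the type embedded in
    the blob agrees with the declared one (a mismatch means a mangled key)."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("not a public key line")
    declared_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    embedded_type, _ = _read_ssh_string(blob, 0)
    if embedded_type.decode() != declared_type:
        raise ValueError(f"declared {declared_type} but blob says {embedded_type!r}")
    return declared_type, blob, comment


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH's default fingerprint: base64(SHA256(blob)) without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint (what 'ssh-keygen -lf -E md5' prints)."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def host_key_matches(pubkey_line: str, fingerprint_from_console: str) -> bool:
    """Compare a fingerprint transcribed from the instance console (the ci-info
    lines) with the one computed from the key line the client was offered."""
    _, blob, _ = parse_pubkey_line(pubkey_line)
    expected = fingerprint_from_console.strip()
    computed = fingerprint_md5(blob) if expected.startswith("MD5:") else fingerprint_sha256(blob)
    return hmac.compare_digest(computed, expected)


def hash_known_hosts_name(hostname: str, salt: bytes) -> str:
    """The '|1|salt|hmac' host field OpenSSH writes with HashKnownHosts yes:
    HMAC-SHA1 keyed with the salt over the hostname, both base64-encoded."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def known_hosts_entry_matches(entry: str, hostname: str) -> bool:
    """Does a known_hosts line refer to hostname? Handles plain, comma-separated
    and hashed host fields; malformed lines simply do not match."""
    fields = entry.split(None, 1)
    if not fields:
        return False
    host_field = fields[0]
    if host_field.startswith("|1|"):
        try:
            _, _, salt_b64, _ = host_field.split("|", 3)
            salt = base64.b64decode(salt_b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return False
        return hmac.compare_digest(host_field, hash_known_hosts_name(hostname, salt))
    return hostname in host_field.split(",")


if __name__ == "__main__":
    line = make_pubkey_line("ssh-ed25519", SAMPLE_ED25519_PUBLIC, "root@instance")
    _, blob, _ = parse_pubkey_line(line)
    print("host key line :", line)
    print("console shows :", fingerprint_sha256(blob))
    print("client matches:", host_key_matches(line, fingerprint_sha256(blob)))
    entry = hash_known_hosts_name("203.0.113.10", os.urandom(20)) + " " + line
    print("hashed known_hosts entry refers to 203.0.113.10:",
          known_hosts_entry_matches(entry, "203.0.113.10"))
```

On a real instance the same SHA256 value comes from `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub`, which is exactly what the ci-info lines on the console report at first boot; the client side shows it in the "The authenticity of host ... can't be established" prompt. Because the console is the only channel an attacker in the network path cannot rewrite, that one-time comparison is what makes the cached known_hosts entry trustworthy afterwards.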