AWS ssh access 'Permission denied (publickey)' issue

How to connect to a AWS instance through ssh?

I have:

1. Signed up at AWS;

2. Created a public key and a certificate at AWS website and saved them to disk;

3. Went to my console and created environment variables:

    $ export JAVA_HOME=/usr/lib/jvm/java-6-openjdk/
    $ export EC2_CERT=/home/default/aws/cert-EBAINCRNWHDSCWWIHSOKON2YWGJZ5LSQ.pem
    $ export EC2_PRIVATE_KEY=/home/default/aws/pk-EBAINCRNWHDSCWWIHSOKON2YWGJZ5LSQ.pem
   

4. Told AWS API to use this keypair and saved the keypair to file:

    $ ec2-add-keypair ec2-keypair > ec2-keypair.pem
   

5. Started an AWS Ubuntu 9 instance using this keypair:

    $ ec2-run-instances ami-ed46a784 -k ec2-keypair
   

6. Attempted to establish a ssh connection to the instance:  

    $ ssh -v -i ec2-keypair.pem [email protected]
    OpenSSH_5.1p1 Debian-5ubuntu1, OpenSSL 0.9.8g 19 Oct 2007
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to ec2-174-129-185-190.compute-1.amazonaws.com [174.129.185.190] port 22.
    debug1: Connection established.
    debug1: identity file ec2-keypair.pem type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5ubuntu1
    debug1: match: OpenSSH_5.1p1 Debian-5ubuntu1 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'ec2-174-129-185-190.compute-1.amazonaws.com' is known and matches the RSA host key.
    debug1: Found key in /home/default/.ssh/known_hosts:11
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Trying private key: ec2-keypair.pem
    debug1: read PEM private key done: type RSA
    debug1: Authentications that can continue: publickey
    debug1: No more authentication methods to try.
    Permission denied (publickey).
   

What could be the problem and how to make it work?

For Ubuntu instances:

chmod 600 ec2-keypair.pem
ssh -v -i ec2-keypair.pem ubuntu@ec2-174-129-185-190.compute-1.amazonaws.com

For other instances, you might have to use ec2-user instead of ubuntu.

Most EC2 Linux images I've used only have the root user created by default.

See also: http://www.youtube.com/watch?v=WBro0TEAd7g

Now it's:

ssh -v -i ec2-keypair.pem ec2-user@[yourdnsaddress]

Canonical's releases use the user 'ubuntu' by default for anyone landing here with a ubuntu image that is coming up with the same problem.

If you're using a Bitnami image, log in as 'bitnami'.

Seems obvious, but something I overlooked.

For my ubuntu images, it is actually ubuntu user and NOT the ec2-user ;)

Ubuntu 10.04 with openSSH

this is the exact usage:

ssh -v -i [yourkeypairfile] ec2-user@[yourdnsaddress]

for example:

ssh -v -i GSG_Keypair.pem ec2-user@ec2-184-72-204-112.compute-1.amazonaws.com

above example was taken directly from the AWS tutorial for connecting to a Linux/UNIX machine at: http://docs.amazonwebservices.com/AWSEC2/latest/GettingStartedGuide/

It will also complain if the pem file permissions are too open. chmod the file to 600 to fix that.

I was also running into this - turns out I was using a community-created AMI - and the default username was niehter root, nor was it ect-user or ubuntu. In fact, I had no idea what it was - till I tried 'root' and the server kindly asked me to login as xxx where xxx is whatever it tells you.

-cheers!

use...

# chmod 400 ec2-keypair.pem

don't use the 600 permission otherwise you might overwrite your key accidently.

You need have your private key in your local machine

You need to know the IP address or DNS name of your remote machine or server, you can get this from AWS console

If you are a linux user

• Make sure the permissions on the private key are 600 (chmod 600 <path to private key file>)
• Connect to your machine using ssh (ssh -i <path to private key file> <user>@<IP address or DNS name of remote server>)

If you are a windows user

• Use PuTTy to create the ssh session (http://the.earth.li/~sgtatham/putty/latest/x86/putty-0.66-installer.exe)
• If your private key file is in .pem format convert it into .ppk using puttygen
• Launch PuTTy, set you ppk file, IP address or DNS name of the remote server and start the ssh session

For Debian EC2 instances, the user is admin.

If you are running AWS image from Bitnami. The username would be bitnami. Cheers!

see my debug and look at the last one:

ssh -v -i awsliferaysrta.pem.txt root@54.254.250.***

OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to 54.254.250.*** [54.254.250.***] port 22.
debug1: Connection established.
debug1: identity file awsliferaysrta.pem.txt type -1
debug1: identity file awsliferaysrta.pem.txt-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH_5*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 05:5c:78:45:c9:39:3a:84:fe:f8:19:5d:31:48:aa:5f
debug1: Host '54.254.250.***' is known and matches the RSA host key.
debug1: Found key in /Users/macbookpro/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: awsliferaysrta.pem.txt
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to 54.254.250.*** ([54.254.250.***]:22).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: Remote: Port forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Forced command.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Please login as the user "bitnami" rather than the user "root".

*

There are 2 steps to be connected:

Chmod 400 on your private key, like this the others cannot access to your key:

chmod 400 toto.pem

To connect to your instance in SSH, you need to know the public IP address of your instance :

ssh -i toto.pem ec2-user@XX.XX.XX.XXX

Hope it helps !

this worked for me:

ssh-keygen -R <server_IP>

to delete the old keys stored on the workstation also works with instead of

then doing the same ssh again it worked:

ssh -v -i <your_pem_file> ubuntu@<server_IP>

on ubuntu instances the username is: ubuntu on Amazon Linux AMI the username is: ec2-user

I didn't have to re-create the instance from an image.

Permission for ec2-keypair.pem should be 400

chmod 400 ec2-keypair.pem

If you are using EBS, you can also try to mount the EBS Volume on a running instance. Then mount it on that running instance and see what's going on in /home. You can see things like is the user ubuntu or ec2-user ? or does it have the right public keys under ~/.ssh/authorized_keys

In my case (Mac OS X), the problem was the file's break type. Try this:

1.- Open the .pem file with TextWrangler

2.- At Bottom of app, verify if the Break Type is "Windows(CRLF)".

Its ec2-user for Amazon Linux AMI's and ubuntu for Ubuntu images. Also, RHEL 6.4 and later ec2-user RHEL 6.3 and earlier root Fedora ec2-user Centos root

Just adding to this list. I was having trouble this morning with a new user just added to an AWS EC2 instance. To cut to the chase, the problem was selinux (which was in enforcing mode), together with the fact that my user home dir was on a new EBS attached volume. Somehow I guess selinux doesn't like that other volume. Took me a while to figure out, as I looked through all the other usual ssh issues (/etc/ssh/sshd_config was fine, of course no password allowed, permissions were right, etc.)

The fix?

For now (until I understand how to allow a user to ssh to a different volume, or somehow make that volume a bona fide home dir point):

sudo perl -pi -e 's/^SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
sudo setenforce 0

That's it. Now my new user can log in, using his own id_rsa key.

Had the same issue. Permission denied (publickey) when trying to login in with 'ec2-user' or with 'root'.

Googled the AMI number of the machine image and it had the SSH login information right their on the Debian wiki page.

Hope this helps.