Recently I set up a new EC2 instance. The next day I was not able to connect to my instance via ssh. I could connect and disconnect the day before, I am sure I did nothing. Here is ssh debug info:
ssh -i webserver.pem -v ubuntu@my.elastic.ip
OpenSSH_5.9p1, OpenSSL 0.9.8r 8 Feb 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to my.elastic.ip [my.elastic.ip] port 22.
debug1: Connection established.
debug1: identity file webserver.pem type -1
debug1: identity file webserver.pem-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9
debug1: SSH2_MSG_KEXINIT sent
Connection closed by my.elastic.ip
Is there a way to resolve this issue? Or shall I reinstall my instance again?
PS rights to my .pem are set to 600.
My problem was that the username was incorrect. On ubuntu instances it should be "ubuntu" and on amazon instances it should be "ec2-user".
Often times, you should use the default user name for the AMI that you used to launch your instance:
For Amazon Linux 2 or the Amazon Linux AMI, the user name is ec2-user.
For a CentOS AMI, the user name is centos.
For a Debian AMI, the user name is admin or root.
For a Fedora AMI, the user name is ec2-user or fedora.
For a RHEL AMI, the user name is ec2-user or root.
For a SUSE AMI, the user name is ec2-user or root.
For an Ubuntu AMI, the user name is ubuntu.
Otherwise, if ec2-user and root don't work, check with the AMI provider.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connection-prereqs.html#connection-prereqs-get-info-about-instance
Please check your username. If you are using an Ubuntu instance, try using "ubuntu" as the username instead of "ec2-user", and vice versa.
Check your security group. Make sure that you have an outbound rule that allows traffic to return from the instance.
With the default outbound rule
type: All traffic, Protocol: All, Ports: All, Destination: 0.0.0.0/0
it will work.
(1) Please check that when you execute the ssh command, you are in the same folder where you put your pem key. Otherwise you should use "ssh -i /your_key_path/mykey.pem".
(2) If that doesn't help, I think you could create another key and set your EC2 instance through the AWS web page. Then try again.
I had this problem and it turned out the PEM file was incorrect. You can check following the instructions in Amazon EC2 Key Pairs - Verifying Your Key Pair's Fingerprint:
If you created your key pair using AWS, you can use the OpenSSL tools to generate a fingerprint from the private key file:
$ openssl pkcs8 -in path_to_private_key -inform PEM -outform DER -topk8 -nocrypt | openssl sha1 -c
If you created your key pair using a third-party tool and uploaded the public key to AWS, you can use the OpenSSL tools to generate a fingerprint from the private key file on your local machine:
$ openssl rsa -in path_to_private_key -pubout -outform DER | openssl md5 -c
The output should match the fingerprint that's displayed in the console.
I had the same issue. It's a problem with the permissions you give to the pem private key file. Make sure you run the ssh command in the terminal with sudo (administrative) access.
I had the same issue but I fixed it by "restarting" the EC2 instance. Note that restarting EC2 does not change its IP address, but stopping and starting it again does change it.
It was an easy fix but make sure you can bear the small downtime. In my case website stopped working suddenly.
Solved this issue by creating a new private key file/pair.
The problem arose while I wanted to reuse an existing key a few days after its creation.
Then, just use the commands provided here
I had this problem with an ubuntu vm, so:
the security groups with 22/tcp access was ok
the user name is ubuntu, ok
accessed using the pem key and
/var/log/auth.log was showing the session end in the preauth stage (not ok)
Noticed there's a missing package: ec2-instance-connect (ref: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-instance-connect-troubleshooting/) (not ok)
sudo apt install ec2-instance-connect
After that, got access through instance connect
I had this problem when using EC2 instance connect. I finally could connect after downgrading my Ubuntu version from 22 to 20.
Related
I reformatted my macbook and completely forgot to copy my ~/.ssh directory.
I tried ssh'ing into my EC2 instance
$ ssh ec2-user@xx.xxx.xxx.xx -i xxx.pem -v
OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug1: Connecting to xx.xxx.xxx.xx [xx.xxx.xxx.xx] port 22.
debug1: connect to address xx.xxx.xxx.xx port 22: Operation timed out
ssh: connect to host xx.xxx.xxx.xx port 22: Operation timed out
But I presume it's not working because my PEM file is linked to the id_rsa file on my old laptop?
I had the PEM file in my google drive.
I've tried
sudo chmod 400 xxx.pem
Update my security group to allow SSH access to my new laptop
Any ideas how I can regain access to my EC2 instance?
I would generate a new key pair as explained here, but it requires me to have access to the instance.
Update: check @jordanm's comment. You have no connection to the instance, so maybe there is no need to create a new one.
As far as I know, the only way is to create a new one. You can keep your data if you make an image of your existing instance. Your external IP may have changed if your instance has no elastic IP attached.
Login to AWS Console
Create a new key pair.
Select your EC2 instance in the list, in the top-left corner select Actions -> Image and templates -> Create image. Fill the form to create an image.
Launch a new instance using the image you've created and your new key.
(optional) If everything is in place consider terminating the original instance using console.
I'm trying to copy a file from my local machine to AWS EC1 or EC2.
my detailed setup.
Created two EC2 instances.
Got .pem file (Private key) from AWS console.
Generated private key from .pem file (step2).
Able to connect to EC1 and EC2 using the private key generated in step 3.
Copied the .pem file to the EC1 and EC2 servers; by doing that I am able to copy files between the EC1 and EC2 AWS servers.
Now I want to copy the file from my local machine to the AWS EC1 and EC2 servers.
But when I try the command below (using public DNS):
ssh ubuntu@ec2-18-222-170-204.us-east-2.compute.amazonaws.com
getting below error
Permission denied (publickey)
And when I do it using Private DNS:
ssh ubuntu@ip-172-31-43-162.us-east-2.compute.internal
getting below error:
ssh: Could not resolve hostname ip-172-31-43-162.us-east-2.compute.internal: Name or service not known
what should I do to fix this or make it work?
Output
OpenSSH_7.2p2 Ubuntu-4ubuntu2.8, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "ip-172-31-43-162.us-east-2.compute.internal" port 22
ssh: Could not resolve hostname ip-172-31-43-162.us-east-2.compute.internal: Name or service not known
First thing: ssh ubuntu@ip-172-31-43-162.us-east-2.compute.internal will only work within the VPC, as it's the private IP, and your local system will never be able to resolve this DNS name unless you connect through a VPN into that VPC.
It's not a security group issue; your instance is reachable.
You should post the debug log for ssh ubuntu@ec2-18-222-170-204.us-east-2.compute.amazonaws.com. You can get the debug log using ssh -v ubuntu@ec2-18-222-170-204.us-east-2.compute.amazonaws.com
But I am sure it's not picking up the pem file from the right location. Two possible reasons:
set chmod 400 your.pem and then try to connect
specify the key in your ssh command
ssh -i path_to_key/private.pem ubuntu@ec2-18-222-170-204.us-east-2.compute.amazonaws.com
It might be possible that the user ubuntu does not exist; in that case you can try with root, and AWS will return the user which can ssh to that server.
You can also get the ssh command from the AWS EC2 console: select the instance and click Connect, copy the command and try to connect.
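An added example, not part of any post on this page: a small classifier that reads `ssh -v` output and reports which connection stage failed, so that a DNS failure, a TCP timeout, a rejected key and a pre-auth disconnect are not all treated as "the key is wrong". The function name, stage labels and sample transcripts are assumptions made for illustration; the samples are constructed from the message formats quoted on this page.

```python
import re

# Rules run from the earliest connection stage to the latest; first match wins.
RULES = [
    ("dns", r"Could not resolve hostname",
     "Name does not resolve here; a *.compute.internal name only resolves "
     "inside the VPC. Use the public DNS name or public IP."),
    ("tcp", r"port \d+: (?:Operation|Connection) timed out",
     "No TCP connection: check the security group rule for port 22 and "
     "whether the public IP changed after a stop/start."),
    ("auth", r"Permission denied \(publickey",
     "Instance is reachable but refused the key: check the AMI's default "
     "user name and pass the launch key pair explicitly with -i."),
    ("preauth", r"Connection closed by |ssh_packet_read: Connection closed",
     "TCP connected, then the server closed the session before login: "
     "check the user name and /var/log/auth.log on the instance."),
]

def classify(ssh_v_output):
    """Return (stage, advice) for the first failure signature found."""
    for stage, pattern, advice in RULES:
        if re.search(pattern, ssh_v_output):
            return stage, advice
    return "unknown", "No known failure signature; rerun with ssh -vvv."

# Constructed sample transcripts, modelled on the logs quoted on this page
# (203.0.113.10 is a documentation address, not a real host).
SAMPLES = {
    "dns": 'debug2: resolving "ip-172-31-43-162.us-east-2.compute.internal" port 22\n'
           "ssh: Could not resolve hostname ip-172-31-43-162.us-east-2.compute.internal: "
           "Name or service not known\n",
    "tcp": "debug1: Connecting to 203.0.113.10 [203.0.113.10] port 22.\n"
           "ssh: connect to host 203.0.113.10 port 22: Operation timed out\n",
    "auth": "debug1: Connection established.\n"
            "Permission denied (publickey).\n",
    "preauth": "debug1: Connection established.\n"
               "debug1: SSH2_MSG_KEXINIT sent\n"
               "Connection closed by 203.0.113.10\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        stage, advice = classify(text)
        print(f"{name:8} -> {stage:8} {advice}")
```

To use it on a real attempt, capture stderr with `ssh -v ... 2> ssh.log` and pass the file contents to `classify`.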
I want to make an SSH connection from my own terminal, not from the browser-based command line interface Amazon provides. How do I know what username and host to use in my SSH command? So far, I'm unable to connect via SSH. I believe I am using the key correctly, but I am getting "permission denied (publickey)".
I have set 400 permissions for the private key file.
Can I use the public IP for the host? Is the username "ubuntu"? Something else?
Right now you can run only two base OS in LightSail:
Amazon Linux 2016.09.0
Default user: ec2-user
Ubuntu 16.04 LTS
Default user: ubuntu
The host name is the public IP, according to step #4 of the documentation at https://lightsail.aws.amazon.com/ls/docs/how-to/article/lightsail-how-to-set-up-putty-to-connect-using-ssh
While creating an EC2 instance, let AWS create the key, download to local Mac, then chmod 400 my-key.pem.
At the local terminal:
ssh -i "my-key.pem" ubuntu@<public DNS>
The authenticity of host '<public DNS> (<public ip>)' can't be established.
ECDSA key fingerprint is SHA256:GO...4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '<public DNS>,<public ip>' (ECDSA) to the list of known hosts.
ssh_packet_read: Connection closed
$ ssh -i "my-key.pem" ubuntu@<public DNS>
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-92-generic x86_64)
...
ubuntu@ip-<private ip>:~$ ls
ubuntu@ip-<private ip>:~$
I am confused as to what has happened. First, why could the authenticity of the host not be established? After all, I got this key from AWS when creating another instance and used the same key to connect to this instance, which was given the same key pair name when it was created.
When answering 'yes' to the question, what exactly did it do?
After all, the key is chmod to 400, so no write access.
What is the high level description of what went on between the local machine ssh and AWS?
Thanks
Replace ubuntu with onetick in:
ssh -i "keyfile.pem" ubuntu@[public DNS]
to
ssh -i "keyfile.pem" onetick@[public DNS]
I have started an EC2 instance that I cannot connect to using PuTTY. I'm using a key pair that I created using PuTTYgen and then imported to AWS. I have specified the private key file on the client side in Connection -> SSH -> Auth. I have SSH on port 22 selected for PuTTY. The EC2 instance has a single security group, and this group has an inbound rule allowing TCP on port 22 from my home laptop's IP address. Still no joy when I try to connect.
In the PuTTY window I see this:
Using username "ec2-user".
Server refused our key
Also an error dialogue box pops up with this message:
Disconnected: No supported authentication methods available (server sent publickey)
What other things should I look into or do differently? I have been successful with this before so I know that it can work, but apparently I've forgotten one or more pieces of the puzzle.
Which Linux distribution are you using? ec2-user is only valid for Amazon Linux. If you use another Linux distribution user is root or ubuntu (for Ubuntu Linux).
For any future searchers having this problem, I found one more issue. I downloaded the .pem key from AWS and converted to .ppk and tried to ssh using Putty, and I would get 'Server refused key'. After much hair pulling I randomly updated Putty to the latest available version (0.77 as of writing) and that solved my issue. Same issue with WinSCP.