Windows 10 import pem file for openssh - amazon-web-services

Windows 10 Pro
OpenSSH client is already installed.
I have a pem file supplied by my AWS EC2 instance.
How and where do I install the pem cert in Windows 10.
mmc doesn't recognize the format.
This is the ssh command I want to run.
ssh -i c:\my.pem ec2-user@xx.xx.xx.xxx.
As expected I get WARNING: UNPROTECTED PRIVATE KEY FILE ... ec2-user@xx.xx.xx.xxx: Permission denied
but this shows the OpenSSH client is working.
I've searched the internet and SO to no avail.

See ibug's answer here:
https://superuser.com/questions/1296024/windows-ssh-permissions-for-private-key-are-too-open
"You locate the file in Windows Explorer, right-click on it then select "Properties". Navigate to the "Security" tab and click "Advanced".
Change the owner to you, disable inheritance and delete all permissions. Then grant yourself "Full control" and save the permissions. Now SSH won't complain about file permission too open anymore.
It should end up looking like this:
"

I kept my pem files in this location
C:\Users\<user name>\.ssh\pems
And from user folder, that is C:\Users\<user name>, used this command.
ssh -i ".ssh\pems\key.txt" centos@XXX.XX.110.1X5

Related

Permission Denied / Operation not permitted

I was having an issue while experimenting with my Samsung Android 6.0 device. I have downloaded Termux (a Linux terminal for Android which has all Linux terminal functionality). And I have converted my phone into an ssh server using the SSH Client app from the Play Store.
So the main problem is that when I try to generate an ssh key pair using the command ssh-keygen it works, but it stores the ssh key into data/data/com.termux/files/home/.shh but I want it in sdcard/key/ (I have created a directory named key). But when I try to generate a key pair in sdcard/key it shows permission denied. When I try to copy or move from data/data/com.termux/files/home/.shh/ using cp data/data/com.termux/files/home/.ssh/key_pair sdcard/key it shows me permission denied, so I tried to create another folder in sdcard/ and gave it permissions for read-write-execute using chmod 777 dir_name; it shows me operation not permitted.
So I did a bit of research on this topic on Google. I found that I have to root my device, then I tried to root my device using KingoRoot, iRoot, adb, but it showed that Your device is too strong to be rooted; in fact I gave those apps all permissions and there is no antivirus or in built security disabled on my device. Then I thought to directly place it in sdcard/key but then I got to know that I cannot move anything from data/data/com.termux/files/home/.shh.
And when I tried to move files via ssh server or upload files on my ssh server via ssh admin@192.168.1.5 -p 2222 using the scp command it showed me file not found, but the file is in the correct directory and correct path.
And please answer the following questions that I have regarding the issues above: 1> How to move files from localhost to ssh server 2> how to root device if it is too strong to be rooted (any method)
Thanks !

SSH into ec2 instance on AWS

This may be an extremely dumb question but I am new to AWS and terminal controls on Mac. I am trying to SSH into my EC2 instance and following the documentation here.
I am perplexed because it is asking for the PATH in order to chmod 400 my private .pem file. I am unsure which path they are asking for here and would love some clarification. I have already downloaded AWS CLI so I am unsure what PATH it is asking for. Any help is very appreciated.
As I checked the document link shared by you, here path means the location where you have downloaded the .pem key file during launching an instance on AWS.
If you used Safari browser, you can find Download location:-
http://support.topspinmedia.com/hc/en-us/articles/204262743-I-m-on-a-Mac-using-Safari-where-s-my-download-
ssh -i /Users/Onicha/Downloads/my-key-pair.pem ec2-user@ec2-198-51-100-1.compute-1.amazonaws.com
When you created that EC2 instance, you must have downloaded a private key. If not or you do not have the key anymore, I am afraid you must remove that instance and set up a new one.
Once you have the key, in your terminal, change the directory to where the private key is. You must first change the permissions on the key to make it only readable by your user and then you can SSH to it.
chmod 400 key.pem
ssh -i key.pem [user]@[host]
You will need to specify the path to the key, instance key pairs are described here http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
It may help to verify a few things-
Are you creating the key pair on Amazon Ec2 (or whichever instance you are using) and then downloading and saving (as a .pem file- example yourpemfile.pem) on your computer? If you are, you would know which directory (the PATH that is being discussed) you saved it in. If you already did it and cannot find it, you can do it again creating a new key pair with a new filename yourpemfile2.pem, but you have to stop the Ec2 instance and remove the old keypair file associated with it. (I have seen ways online to change keypairs while instance is running as well).
Go to that particular folder on your Mac using Terminal. You don't need Amazon CLI if you use the terminal with MacOS. (You can do so by pressing Command+Space and then type terminal in the blank typing space that appears). Once the terminal window opens, at the prompt, type the linux command 'pwd' to see which directory/folder you are in. Use the 'cd' command for going to your folder where the .pem file is downloaded or saved (by you). List the particular folder by using the linux command 'ls -l' at the prompt to see if your .pem file is actually there and what its permissions are.
Then change permissions using the 'chmod' command -> chmod 400 yourpemfile.pem. 'ls -l yourpemfile.pem' again; the file permissions should become r--------.
Now you are in the directory where your pem file is and you can directly ssh to your Ec2 instance from here. Now (using web browser) go to Amazon Ec2 Management Console and click on Instances (within folder Instances) on the left of dashboard; you will see details of your instance which is running. Make sure the key pair associated with that instance is this particular .pem file. Then at the top of the page, where it says "Launch instance" and also has two other tabs, "Connect" and "Actions", click on "Connect".
A new window pops up which provides details of ssh commands to use and instance details.
Make sure to select standalone SSH client.
You see a suggested command like this- (helps in making sure you are using the right amazon instance and keypair)
ssh -i "AmcEc2mykeypair.pem" ec2-user@ec2-134-17-351-22.us-east-2.compute.amazonaws.com
Copy paste this on your linux terminal (Use Command+c and Command+v on Mac). Press Enter.
You should be 'logged in' now and a new prompt for the Amazon Ec2 instance machine- specifying clearly that it is an Amazon linux or ubuntu image should appear.

EC2 - chmod: cannot access ‘mypemfile.pem’: No such file or directory

I downloaded the pem file while launching a t2.small instance. When I try to connect to it via ssh it says no such file or directory. But I am sure that the pem file is in the directory.
$ ls
mypemfile.pem
$ chmod 400 mypemfile.pem
chmod: cannot access ‘mypemfile.pem’: No such file or directory
$ ssh -i "mypemfile.pem" root@x.x.x.xx
Warning: Identity file mypemfile.pem not accessible: No such file or directory.
Permission denied (publickey).
How to track this issue? Any solutions?
Note: I created instance from AMI image shared by another account.
For sure the problem is because there is no "mypemfile.pem" file.
Recheck the availability of the file, if the file is available try to rename it or make a copy of it and try with the newly created file.
Hope it helps..
I figured it out on Mac. So, this is what I had to do. When you created the private key, my Mac saved it as whatever.pem.txt, so in order to connect to the AWS instance just add the .txt extension to whatever AWS instructions tell you to do. For example:
chmod 400 yourfile.pem.txt
ssh -i "yourfile.pem.txt" ubuntu@ecX-XX-XX-XXX-XXX.compute-1.amazonaws.com
This is for Mac users.
Best,

Amazon AWS EC2 - Getting a .cer file instead of .pem

When I downloaded my private key file from Security Credentials, I got a .cer file instead of a .pem. I tried to ssh to my ec2 instance using that but I am constantly getting:
Bad passphrase, try again for pk-xxxxxxxxxxx
Is it because I have a .cer file or because I need a passphrase? I do not know what a passphrase is. I would really appreciate it if I can be helped soon. I think I am confusing the .cer files I get from X.509 with the file I need for ssh. But the problem is I never get .pem files, only a .cer file.
I have just started working on the Amazon AWS platform and came across this question.
Not sure if you managed to resolve your issue - however, here is a AWS forum thread that talks of a related issue and the solution:
ssh error: "Enter passphrase for key 'id_rsa-gsg-keypair'"
To summarize the thread - the problem seems to be with the permissions on the .cer file that was downloaded.
Another thing about the .cer file - A .cer file is essentially conformant with the PEM format and hence there should be no problem using the .cer file just like you would use a .PEM file.
I downloaded my .cer file and was able to connect to my Amazon Linux instance using it after having the correct permissions (chmod 400 mykey.cer) and then using it in the ssh command as below:
ssh -i mykey.cer ec2-user@public-dns-of-my-amazon-instance
Probably the connecting user varies for other linux instances. More information here
Try downloading the file in a different browser. I had similar trouble when I was downloading ec2 instance using Brave Browser but didn't have any trouble when I used Safari.
chmod 400 mykey.pem
ssh -i mykey.pem bitnami@x.x.x.x
I just had this problem myself. The "Connect" feature on the EC2 instance stated that it was a .pem file but the actual download was .cer
I ran chmod 400 FILENNAME.cer but still could not log in. Then I inspected the ssh link and noticed that it was also a .pem file. I switched the .pem to .cer and it worked!
Just rename the file from .cert to .pem and it
I had the same issue which gave me a "no such file or directory" error message because my Ec2 ssh key appeared with a .cer extension in my directory instead of a .pem.
I changed the extension to .pem
Reran chmod .... command to make the key private in my terminal, iTerm.
Ran ls -al key-name without the extension in the terminal to confirm its presence in the directory.
Then reran the ssh ..... command all over again
It works!
Similar to everyone else's replies, this is just Amazon documentation being weird.
They provide a download of .cer files, but their 'helpful' connection docs/helper references .pem
navigate to where you downloaded the .cer ( ie. cd Desktop)
chmod 400 name_of_cer_file_here.cer
ssh -i "name_of_cer_file_here.cer" your_user_here@ec2-123-456.region.compute.amazonaws.com

"UNPROTECTED PRIVATE KEY FILE!" Error using SSH into Amazon EC2 Instance (AWS)

I've created a new linux instance on Amazon EC2, and as part of that downloaded the .pem file to allow me to SSH in.
When I tried to ssh with:
ssh -i myfile.pem <public dns>
I got:
###########################################################
# WARNING: UNPROTECTED PRIVATE KEY FILE! #
###########################################################
Permissions 0644 for 'amazonec2.pem' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: amazonec2.pem
Permission denied (publickey).
Following this post I tried to chmod +600 the .pem file, but now when I ssh I just get
Permission denied (publickey).
What school-boy error am I making here?
The .pem file is in my home folder (in macOS). Its permissions look like this:
-rw-------@ 1 mattroberts staff 1696 19 Nov 11:20 amazonec2.pem
The problem is a wrong set of permissions on the file.
It is easily solved by executing: chmod 400 mykey.pem
This solution is taken from AWS instructions:
Your key file must not be publicly viewable for SSH to work. Use this command if needed: chmod 400 mykey.pem
400 protects it by making it read only and only for the owner.
You are likely using the wrong username to login, because—
Most Ubuntu images have a user ubuntu
Amazon's AMI is ec2-user
Most Debian images have either root or admin
To login, you need to adjust your ssh command:
ssh -l USERNAME_HERE -i .ssh/yourkey.pem public-ec2-host
I know this is very late to the game ... but this always works for me:
##step 1
ssh-add ~/.ssh/KEY_PAIR_NAME.pem
##step 2, simply ssh in :)
ssh user_name@<instance public dns/ip>
e.g.
ssh ec2-user@ec2-198-51-100-1.compute-1.amazonaws.com
Ok man, the only thing that worked for me was:
Change permissions of the key
chmod 400 mykey.pem
Make sure to log in using ec2-user, and the correct ec2-99... address. The ec2-99 address is at the bottom of the aws console when you're logged in and seeing your instance listed
ssh -i mykey.pem ec2-user@ec2-99-99-99-99.compute-1.amazonaws.com
Take a look at this article. You do not use the public DNS but rather the form
ssh -i your.pem root@ec2-XXX-XXX-XXX-XXX.z-2.compute-1.amazonaws.com
where the name is visible on your AMI panel
In Windows you can go to the properties of the pem file, and go to the Security tab, then to the Advanced button.
Remove inheritance and all the permissions. Then grant yourself full control. After all, SSL will not give you the same error again.
Change permission for the key file with :
chmod 400 key-file-name.pem
See AWS documentation for connecting to the instance: Tutorial: Get started with Amazon EC2 Linux instances
I know this question has been answered already but for those that have tried them all and you are still getting the annoying "Permission denied (publickey)". Try running your command with SUDO. Of course this is a temporary solution and you should set permissions correctly but at least that will let you identify that your current user is not running with the privileges you need (as you assumed)
sudo ssh -i amazonec2.pem ec2-xxx-xxx-xxx-xxx.us-west-2.compute.amazonaws.com
Once you do this you'll get a message like this:
Please login as the user "ec2-user" rather than the user "root"
Which is also sparsely documented. In that case just do this:
sudo ssh -i amazonec2.pem ec2-xxx-xxx-xxx-xxx.us-west-2.compute.amazonaws.com -l ec2-user
And you'll get the glorious:
       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|
Feb, 2022 Update:
See the description to ssh to EC2 instance on AWS:
Then, you can find "No.3" saying this below:
So, run the command below as "No.3" says above:
chmod 400 myKey.pem
In Mac terminal, doing "chmod 400 xyz.pem" did not help me, it kept saying permission denied. For ubuntu users I would suggest
ssh-add xyz.pem
ssh -i xyz.pem ubuntu@ec2-54-69-172-118.us-west-2.compute.amazonaws.com (notice the user is ubuntu)
ssh -i /.pem user@host-machine-IP
I think it's because either you have entered wrong credentials
or, you are using a public key rather than private key
or, your port permissions are open for ALL to ssh. This is bad for Amazon.
There can be three reasons behind this error.
You are using a wrong key.
Your key doesn't have the correct permissions. You need to chmod it to 400.
You are using the wrong user. Ubuntu images have a user ubuntu, Amazon's AMI is ec2-user and debian images have either root or admin
In addition to the other answers, here is what I did in order for this to work:
Copy the key to .ssh folder if you still hadn't:
cp key.pem ~/.ssh/key.pem
Give the proper permissions to the key
chmod 400 ~/.ssh/key.pem
Start ssh-agent (Thanks to https://stackoverflow.com/a/17848593 )
eval `ssh-agent -s`
ssh-add
Then, add the key
ssh-add ~/.ssh/key.pem
Now you should be able to ssh EC2 (:
SSH keys and file permission best practices:
.ssh directory - 0700 (only by owner)
private key/.pem file - 0400 (read only by owner)
public key/.pub file - 0600 (read & write only by owner)
chmod XXXX file/directory
Alternative log-in using PuTTY. It's good but needs a few steps.
Get your .pem that was generated when you first made the EC2 instance.
Convert the .pem file to .ppk using PuttyGen since PuTTY does not read .pem.
Open PuTTY and enter your Host Name which is your instance username + Public DNS (Ex. ubuntu@ec2-xxx-xxx-xxx-xxx.region.compute.amazonaws.com). Not your AWS account username.
Then navigate to Connection > SSH > Auth. Then add your .ppk file. Click on Browse where it says "Private key file for authentication".
Click Open and you should be able to immediately establish connection.
I'm using PuTTY 0.66 in Windows.
By default whenever you download the keyfile it comes with 644 permissions.
So you need to change the permission each time you download new keys.
chmod 400 my_file.pem
In Windows go to the .pem file, right click and select Properties.
Go to Advanced in Security tab
Disable and remove inheritance.
Then press Add and select a principal.
Add account username as object name and press ok.
Give all permission.
Apply and save changes.
Now check the above command
You can find the answer from the AWS guide.
400 protects it by making it read only and only for the owner.
chmod 400 mykey.pem
In windows,
Right click on the pem file. Then select properties.
Select security tab --> Click on the Advanced button --> Disable inheritance --> Remove all inherited permissions from this object
Click on the Add button --> Select a principal --> Enter your username on the inputbox --> Click on the Check Names button --> Click on Ok --> Click on Ok --> Click on Ok --> Click on Ok
Do a chmod 400 yourkeyfile.pem
If your instance is Amazon linux then use ssh -i yourkeyfile.pem ec2-user@ip
for ubuntu
ssh -i yourkeyfile.pem ubuntu@ip
for centos
ssh -i yourkeyfile.pem centos@ip
Just change the permission of pem file to 0600 allowing only for the allowed user and it will work like charm.
sudo chmod 0600 myfile.pem
And then try to ssh it will work perfectly.
ssh -i myfile.pem <<ssh_user>>@<<server>>
By default permission are not allowing the pem key.
You just have to change the permission:
chmod 400 xyz.pem
and if ubuntu instance then connect using:
ssh -i xyz.pem ubuntu@ec2-youraws.amazonaws.com
The issue for me was that my .pem file was in one of my NTFS partitions. I moved it to my linux partition (ext4).
Gave required permissions by running:
chmod 400 my_file.pem
And it worked.
I have seen two reasons behind this issue
1) access key does not have the right permission. pem keys with default permission are not allowed to make a secure connection. You just have to change the permission:
chmod 400 xyz.pem
2) Also check whether you have logged-in with proper user credentials. Otherwise, use sudo while connecting
sudo ssh -i {keyfile} ec2-user@{ip address of remote host}
Well, looking at your post description I feel there were 2 mistakes done by you:-
Set correct permissions for the private key.
Below command should help you to set correct file permission.
chmod 0600 mykey.pem
Wrong ec2 user you are trying to login.
Looking at your debug log I think you have spawned an Amazon linux instance. The default user for that instance type is ec2-user . If the instance would have been ubuntu then your default user would have been ubuntu .
ssh -i privatekey.pem default_ssh_user@server_ip
Note:
For an Amazon Linux AMI, the default user name is ec2-user.
For a Centos AMI, the default user name is centos.
For a Debian AMI, the default user name is admin or root.
For a Fedora AMI, the default user name is ec2-user or fedora.
For a RHEL AMI, the default user name is ec2-user or root.
For a SUSE AMI, the default user name is ec2-user or root.
For an Ubuntu AMI, the default user name is ubuntu.
Otherwise, if ec2-user and root don't work, check with the AMI provider.
source: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html
Key file should not be publicly viewable so use permission 400
chmod 400 keyfile.pem
If above command shows permission error use
sudo chmod 400 keyfile.pem
Now ssh into the ec2 machine, if you still face the issue, use ec2-user
ssh -i keyfile.pem ec2-user@ec2-12-34-56-78.compute-1.amazonaws.com
You're not in root then run this command
sudo chmod 400 -R myfile.pem
Not is root then run this command
chmod 400 -R myfile.pem
If you are connecting from Windows, perform the following steps on your local computer.
Navigate to your .pem file.
Right-click on the .pem file and select Properties.
Choose the Security tab.
Select Advanced.
Verify that you are the owner of the file. If not, change the owner to your username.
Select Disable inheritance and Remove all inherited permissions from this object.
Select Add, Select a principal, enter your username, and select OK.
From the Permission Entry window, grant Read permissions and select OK.
Click Apply to ensure all settings are saved.
Select OK to close the Advanced Security Settings window.
Select OK to close the Properties window.
You should be able to connect to your Linux instance from Windows via SSH.
From a Windows command prompt, run the following commands.
Run the following command to reset and remove explicit permissions:
icacls.exe $path /reset
Run the following command to grant Read permissions to the current user: icacls.exe $path /GRANT:R "$($env:USERNAME):(R)"
Run the following command to disable inheritance and remove inherited permissions : icacls.exe $path /inheritance:r
You should be able to connect to your Linux instance from Windows via SSH.
It is just a permission issue with your aws pem key.
Just change the permission of pem key to 400 using below command.
chmod 400 pemkeyname.pem
If you don't have permission to change the permission of a file you can use sudo like below command.
sudo chmod 400 pemkeyname.pem
Else if nothing works for you just follow this video to change the keys on your EC2 instance. You can install now public / private key pair on your instance.
https://youtu.be/LvLlRCrS8B4
Checklist:
Are you using the right private key .pem file?
Are its permissions set correctly? (My Amazon-brand AMIs work with 644, but Red hat must be at least 600 or 400. Don't know about Ubuntu.)
Are you using the right username in your ssh line? Amazon-branded = "ec2-user", Red Hat = "root", Ubuntu = "ubuntu". User can be specified as "ssh -i pem username@hostname" OR "ssh -l username -i pem hostname"
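
The first two checklist items (right key file, right permissions), together with the .cer / .pem.txt extension confusion from the threads above, written as a shell check. This is an added example, not code from any of the posts; the function names, file names and key bodies are constructed placeholders.

```shell
#!/bin/sh
# Added example: the manual checks from the answers above, as one function.
# File names and key bodies are constructed placeholders, not real keys.

# Octal permission bits of a file: GNU stat first, BSD/macOS stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# check_key FILE: prints one verdict word and returns 0 only for "ok".
check_key() {
    key=$1
    if [ ! -f "$key" ]; then
        echo "missing"; return 1
    fi
    # Judge by content, not extension: a private key starts with a
    # "BEGIN ... PRIVATE KEY" line whether it was saved as .pem, .cer or .pem.txt.
    if ! head -n 1 "$key" | grep -q -- '-----BEGIN .*PRIVATE KEY-----'; then
        echo "not-private-key"; return 1
    fi
    mode=$(file_mode "$key") || { echo "stat-failed"; return 1; }
    # OpenSSH ignores a key you own if any group/other bit is set (mode & 077),
    # which is why 0644 is rejected while 0600 and 0400 are accepted.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "too-open"; return 1
    fi
    echo "ok"; return 0
}

# fix_key FILE: apply chmod 400, then re-check. A "too-open" verdict after this
# means chmod had no effect, e.g. the key sits on a filesystem such as NTFS
# that does not store Unix modes; move it to your home directory first.
fix_key() {
    chmod 400 "$1" 2>/dev/null || true
    check_key "$1"
}

demo() {
    dir=$(mktemp -d)
    # Constructed stand-in for a downloaded EC2 key saved with a .cer extension.
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED-PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$dir/mykey.cer"
    chmod 644 "$dir/mykey.cer"   # the 0644 mode from the warning quoted above
    # Constructed stand-in for an X.509 certificate, which is not an SSH identity.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' > "$dir/x509.cer"

    echo "mykey.cer as downloaded: $(check_key "$dir/mykey.cer")"
    echo "mykey.cer after chmod:   $(fix_key "$dir/mykey.cer")"
    echo "x509.cer:                $(check_key "$dir/x509.cer")"
    echo "typo.pem:                $(check_key "$dir/typo.pem")"
    rm -rf "$dir"
}

demo
```

A key that passes both checks and still yields "Permission denied (publickey)" points to the third checklist item, the login user name.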