Unable to connect to AWS EC2 instance (Permission denied publickey) - amazon-web-services

I am trying to connect to an EC2 instance which I recently spun up via the following SSH command from my Mac OS:
ssh -v -i ~/.ssh/mykey.pem ec2-***.us-east-2.compute.amazonaws.com
I have removed the exact DNS name as it is probably not relevant here. Before I attempted to connect, I took the following steps:
Added a rule for inbound SSH traffic (using my IP)
Created an SSH key in AWS before spinning up the instance
Placed the private key mykey.pem file in my user .ssh folder
I have read many SO questions and other documentation, which is why I was even able to put the above steps together. I am at a loss as to why I can't connect to my EC2 instance, but I am hoping someone will see a flaw in what I am doing here.

You are missing the user name:
ssh -i ~/.ssh/key.pem ec2-user@host-or-ip
Depending on the type of instance, that user name may be ec2-user (Amazon Linux) or ubuntu (Ubuntu). Other versions may have different requirements (some older Red Hat instances still use root, for example), but that should cover most cases.

ssh AWS ec2 bastion permission denied

When I try to connect to an EC2 in a private network through a bastion server I get this message:
<username>@<ec2-server>: Permission denied (publickey)
However, I can ssh to bastion from my local machine, and I can ssh to the EC2 from the bastion server.
Here is the .ssh/config I'm using:
Host <ec2-servers>*
IdentityFile ~/.ssh/id_rsa
User <username>
Here is the command I use to ssh:
ssh -J <bastion-server> <ec2-server>
Note: Permissions are good (700 for ~/.ssh/ and 600 for ~/.ssh/*)
Thanks in advance for your help!
There is likely no user on the remote system called 'username'. Make sure both systems have the same username and public key.
Can you try the following configuration, since the username you mentioned is the same for both the jump host and the actual instance you are trying to connect to?
# EC2 servers CIDR range
Host 10.2.2.*
ProxyJump jumpuser@proxy.example.com
I think specifying the IdentityFile ~/.ssh/id_rsa might not be needed as that seems like the default key on your system you are using.
Make sure jumpuser exists with appropriate permissions.
Just for debugging purposes, run this manually with debug options:
ssh -vvv -J username@host1:port username@host2:port
This will give plenty of information and you might be able to see where the problem is.
If you are using ssh-agent, removing all the identities and trying again might also help.
ssh-add -D
How to Access a Remote Server Using a Jump Host
How to Set Up an SSH Jump Server
Just note that RSA keys are being deprecated, and later versions of operating systems disable their use on the CLIENT. That is, where you ssh from. To re-enable it on the client, in your ~/.ssh/config file, enter the following line:
PubkeyAcceptedKeyTypes +ssh-rsa
Note: there are security implications of doing this, so read up on the security issues of rsa if you are concerned. For instance, the following article:
https://www.thesslstore.com/blog/is-it-still-safe-to-use-rsa-encryption/
says:
....RSA encryption provides less than 99.8% security.
That sounds negligible, it’s about two in every 1,000.
But does that mean RSA is cracked? Not quite, just vulnerable..
Fixed it by adding local ssh public key in the authorized_keys of the remote ec2 instance.

Default username for ec2 instance spawned by elastic beanstalk

I'm trying to use elastic beanstalk to deploy an application and one of the things I need to do is be able to log into the underlying ec2 instance and add dependencies. I added a key pair to the instance and put the private key file in ~/.ssh on my computer. Next I specified the key pair for the ec2 instance and it restarted and eventually the status was green.
When I try to ssh into the ec2 instance I get the following error:
$ ssh ec2-user@myinstance.us-east-1.elasticbeanstalk.com
ec2-user@myinstance.us-east-1.elasticbeanstalk.com: Permission denied (publickey).
In the docs it says this could be due to an incorrect username.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html
Does anyone know what the default username is for ec2 instances created by elastic beanstalk?
Also if I'm doing this all wrong would appreciate some pointers there too.
1. To make sure that there's no mistake in the way you connect:
Go to EC2 -> Instances
Select your instance
And press Connect
You should get the command to connect from the instructions in the Connect popup. The correct username is mentioned there, plus instructions on how to set the correct permissions on the pem (applies to Linux).
2. Make sure that you modified the security group of the instance you're trying to connect to so that it allows ssh from the IP of your PC. (This is not the case for the question, since the error is Permission denied (publickey), it means that it's not an sg issue, thx @diego)
3. Also, if you connect from a corporate network, try connecting from another network. It might be a firewall issue.
4. Last but not least, make sure you ssh inside the .ssh path, or provide the correct pem path.

Cannot create an SSH tunnel to Zeppelin web display on aws, using Putty on windows

The following instructions are given for the ec2 instance that I'm trying to connect to:
To access your instance: Open an SSH client. (find out how to connect
using PuTTY)
CHECK!
Locate your private key file (keypair.pem). The wizard automatically
detects the key you used to launch the instance.
I launched Putty with a .ppk and I also still have the .pem sitting on my local machine. However, how does this help once I am in the aws Linux terminal?
It sounds to me that the .pem should now be located on the remote machine, not my local one.
Your key must not be publicly viewable for SSH to work. Use this
command if needed: chmod 400 keypair.pem
This is fine once the previous step is clearer.
Connect to your instance using its Public DNS:
ec2-xxxxxxxxxxxxx.eu-west-1.compute.amazonaws.com
Example: ssh -i "keypair.pem"
root@ec2-xxxxxxxxxxxxx.eu-west-1.compute.amazonaws.com
I am currently typing this in (also trying ec2-user instead of root) but I get the following:
Warning: Identity file keypair.pem not accessible: No such file or directory.
Permission denied (publickey).
Please note that in most cases the username above will be correct,
however please ensure that you read your AMI usage instructions to
ensure that the AMI owner has not changed the default AMI username.
In case this is important, what user name are they referring to here?
I have also made sure that I can SSH into the security group from all locations.
Christopher, I am not sure if you have access to the AWS console, but if you do, then it will be easy to find out the correct user name of your EC2 machine. Click on the check mark box to pick your instance, then click Connect, and it will show you the correct user name. If it is an Amazon AMI image, it will most likely be ec2-user; other images can have root, ubuntu, bitnami, or any other user configured by the AMI creator.
Your error message: " Warning: Identity file keypair.pem not accessible" indicates an issue with your private key not being accessible.
You said you converted the .pem to ppk for putty, which will enable you to SSH via putty. If you need to SSH from an EC2 machine to another EC2 machine, you will need that private key with the "pem" extension.
Think of your private key as your password, except that it's stored in a file.
ssh -i "keypair.pem" root@ec2-xxxxxxxxxxxxx.eu-west-1.compute.amazonaws.com
This command says: Log me in via SSH protocol to server xxxx.eu... using password file (Private key) "keypair.pem" that resides in the current directory.
If you do an "ls" and you don't see "keypair.pem" then that is your issue.
I hope that helps!

AWS ssh into instance giving Permission denied (publickey)

I am trying to ssh into a new EC2 instance. I have followed the instructions and when I attempt to ssh I get Permission denied (publickey).
Below is an image of everything I did in the console according to the instructions. Everything seems to go accordingly until I enter yes. Then it fails. I have followed the instructions twice and get the same result. I also do not have AWS CLI Tools as I believe they are optional.
ssh will use your local username to connect to the instance by default if you have not specified Host, User and IdentityFile in your ~/.ssh/config.
As you call ssh to your instance with the pem specified on the command line, you also have to specify the remote user name (which is ec2-user for AWS Linux instances and ubuntu for AWS Ubuntu instances).
Try to use this command line:
ssh -i sub_api.pem ec2-user@ec2-54....
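
The answers in the threads above trace `Permission denied (publickey)` to a handful of causes: ssh sending the wrong login name, an identity file that is not where `-i` points, a key type the client refuses to use, or a public key missing from the target's authorized_keys (including the bastion case, where the error line names the hop that refused). The following is an added example, not code from any of the posts, that classifies a saved `ssh -v` transcript into those causes; the function name, result labels and sample transcripts are constructed for illustration.

```shell
# Added example, not from the posts above: classify a failed `ssh -v` transcript.
# Usage (assumed invocation): ssh -v -i key.pem user@host 2>&1 | diagnose_ssh_log
diagnose_ssh_log() {
  awk '
    /Identity file .* not accessible/           { missing = 1 }  # bad -i path
    /UNPROTECTED PRIVATE KEY FILE/              { perms = 1 }    # key file needs chmod 400
    /no mutual signature (algorithm|supported)/ { sigalg = 1 }   # e.g. ssh-rsa disabled on client
    /^debug1: Offering .*public key/            { offered++ }
    /Permission denied \(publickey/ {
      denied = 1
      who = $1; sub(/:$/, "", who)   # user@host of the hop that refused the login
    }
    END {
      if (!denied)           print "NOT_A_PUBLICKEY_DENIAL"
      else if (missing)      print "KEY_FILE_MISSING " who
      else if (perms)        print "KEY_FILE_TOO_OPEN " who
      else if (sigalg)       print "NO_MUTUAL_SIGNATURE_ALGORITHM " who
      else if (offered == 0) print "NO_KEY_OFFERED " who
      else                   print "KEY_REJECTED_FOR_USER " who
    }'
}

# Constructed transcripts: host names, paths and fingerprints are made up.
sample_local_user() { cat <<'EOF'
debug1: Authenticating to ec2-host.example.com:22 as 'alice'
debug1: Offering public key: /Users/alice/.ssh/mykey.pem RSA SHA256:CONSTRUCTED explicit
debug1: No more authentication methods to try.
alice@ec2-host.example.com: Permission denied (publickey).
EOF
}
sample_missing_key() { cat <<'EOF'
Warning: Identity file keypair.pem not accessible: No such file or directory.
debug1: Offering public key: /home/u/.ssh/id_rsa RSA SHA256:CONSTRUCTED
root@ec2-host.example.com: Permission denied (publickey).
EOF
}
sample_rsa_disabled() { cat <<'EOF'
debug1: Offering public key: /home/u/.ssh/id_rsa RSA SHA256:CONSTRUCTED
debug1: send_pubkey_test: no mutual signature algorithm
ubuntu@10.2.2.15: Permission denied (publickey).
EOF
}

for s in sample_local_user sample_missing_key sample_rsa_disabled; do
  printf '%s -> %s\n' "$s" "$($s | diagnose_ssh_log)"
done
```

`KEY_REJECTED_FOR_USER` means the server refused every key offered for the printed login name, so check that name against the AMI's default user and check that the matching public key is in that account's authorized_keys.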

How to connect Mac terminal with EC2 instance

I am using the Mac terminal and I want to connect my machine to an EC2 server instance in AWS with SSH. Since I am using Mac OS X, it is not necessary to use PuTTY. The problem is that when I download the key it has the extension .ppk, but when I need to run it in the terminal I need to use a command in which I have to use the .pem extension. I tried to run it that way and it said permission denied. Can someone help me with what to do in this case? Do I have to change the permission or convert my key from .ppk to .ppm?
You need to know the folder where you downloaded the .pem file, and then follow the steps below:
download the keypair(.pem file)
cd to keypair(.pem file) location (Note that you can use absolute path name for key pair instead)
chmod 400 [your_key_name].pem (Note that to make SSH work, your key must not be publicly viewable. Use this command if needed.)
ssh -i "[your_key_name].pem" ec2-user@[your ec2 dns name]
You will have to convert your "ppk" file to a "pem" file by following these steps.
http://www.ramsmusings.com/2014/02/20/converting-a-putty-ppk-file-to-a-pem-file-for-accessing-aws-ec2-instances/
After you convert connect to the instance using the SSH command and converted "pem" file.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html
Quick answer
Instead of working directly with SSH keys I would consider working with AWS ec2-instance-connect.
It saves you the management of the SSH keys and is much safer than sharing SSH keys for each EC2 machine between team members.
After authentication with the aws credentials (by referring to a profile in .aws/config file or using environment variables ) you can connect to the instance very easily by providing the instance ID:
./bin/mssh <instance-ID>
Installation of this tool can be done via pip or directly from the github repo.
Additional information
Amazon EC2 Instance Connect provides a simple and secure way to connect to your instances using Secure Shell (SSH).
With EC2 Instance Connect, you use AWS Identity and Access Management (IAM) policies and principals to control SSH access to your instances, removing the need to share and manage SSH keys.
When you connect to an instance using EC2 Instance Connect, the Instance Connect API pushes a one-time-use SSH public key to the instance metadata where it remains for 60 seconds. An IAM policy attached to your IAM user authorizes your IAM user to push the public key to the instance metadata.
The SSH daemon uses AuthorizedKeysCommand and AuthorizedKeysCommandUser, which are configured when Instance Connect is installed, to look up the public key from the instance metadata for authentication, and connects you to the instance.
You can use Instance Connect to connect to your Linux instances using a
browser-based client,
the Amazon EC2 Instance Connect CLI,
or the SSH client of your choice.
(*) Amazon Linux 2 2.0.20190618 or later and Ubuntu 20.04 or later come preconfigured with EC2 Instance Connect.
For other supported Linux distributions, you must set up Instance Connect for every instance that will support using Instance Connect. This is a one-time requirement for each instance.
Links:
Connect using EC2 Instance Connect
Securing your bastion hosts with Amazon EC2 Instance Connect