ElasticBeanstalk key pair update - amazon-web-services

You can change an EC2 instance key pair when deploying with ElasticBeanstalk, which is great. EB supposedly terminates the current instance and launches a new one with whatever key pair you specified. So I created a new key pair (AWS console), downloaded a new *.pem file, and updated my machine to use the key pair in EB. All good so far, EB re-launched the server. One little issue with this is that I can't ssh into the instance using the latest *.pem file. This is what I get (and I did do "chmod 400" on the pem file):
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to 52.1.*.* [52.1.*.*] port 22.
debug1: Connection established.
debug1: identity file mypem.pem type -1
debug1: identity file mypem.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 6b:5a:e2:0c:c5:98:ff:34:6e:c6:2c:84:ea:a0:88:0f
debug1: Host '52.1.*.*' is known and matches the RSA host key.
debug1: Found key in /Users/sergey.novgorodsky/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: mypem.pem
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
Could it be an EB issue? Any ideas?

Related

Cannot ssh into an AWS ECS instance Permission denied (publickey)

I have been able to ssh into my AWS ECS instances for well over a year without issue.
However, in recent days I have begun getting Permission denied (publickey) errors when trying to ssh into any of my instances.
I have the public keys stored in my .ssh folder and they get added to the ssh agent successfully before any attempt to ssh. My AWS setup has also not changed.
I have included the verbose output from my ssh command below. Any help or insights are much appreciated!
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to 10.10.0.168 [10.10.0.168] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/ec2-user/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ec2-user/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ec2-user/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ec2-user/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ec2-user/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ec2-user/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ec2-user/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ec2-user/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 10.10.0.168:22 as 'ec2-user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:qi60acx6tKhNsV3z756IaixRe0bXlIyuCc3782hn8rY
debug1: Host '10.10.0.168' is known and matches the ECDSA host key.
debug1: Found key in /home/ec2-user/.ssh/known_hosts:33
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/ec2-user/.ssh/id_rsa
debug1: Trying private key: /home/ec2-user/.ssh/id_dsa
debug1: Trying private key: /home/ec2-user/.ssh/id_ecdsa
debug1: Trying private key: /home/ec2-user/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).
Have you tried restarting the instances in the AWS Console?
I've seen this previously when the instances have run out of memory due to temp files. Rebooting cleared the temp files and allowed me to connect again.
It's not exactly the most helpful error message!

SSH connection to Amazon EC2 with private key fails

I'm trying to connect to the problematic Amazon EC2 instance with this command:
ssh -vvv -i MY_KEY.pem root@ec2-XX-XX-XXX-XX.compute-1.amazonaws.com
and getting this result:
OpenSSH_7.5p1, OpenSSL 1.1.0g-fips 2 Nov 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: /etc/ssh/ssh_config.d/05-redhat.conf line 8: Applying options for *
debug1: Connecting to ec2-XX-XX-XXX-XX.compute-1.amazonaws.com [XX.XX.XXX.XX] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file MY_KEY.pem type -1
debug1: key_load_public: No such file or directory
debug1: identity file MY_KEY.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.5
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to ec2-XX-XX-XXX-XX.compute-1.amazonaws.com:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256@libssh.org need=32 dh_need=32
debug1: kex: curve25519-sha256@libssh.org need=32 dh_need=32
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:rRMQg/hs
debug1: Host 'ec2-XX-XX-XXX-XX.compute-1.amazonaws.com' is known and matches the ECDSA host key.
debug1: Found key in /home/dina/.ssh/known_hosts:8
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: MY_KEY.pem
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering RSA public key: dina@localhost.localdomain
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: MY_KEY.pem
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:
The key MY_KEY.pem should be correct, I've checked the fingerprint under NETWORK & SECURITY -> Key Pairs on AWS console, and it's the same as for the key I'm using.
Permissions for the .pem file are 400, owner is current owner. SSH inbound traffic to the instance is allowed from all addresses.
Also tried this with different users (root, ubuntu, admin, ec2-user, centos, fedora) as I have no contact with the person who launched the instance and have no idea what system is there.
Any idea about what is going on and what could be done about it? Your help is very much appreciated.
What AMI are you using?
If you are using an Ubuntu AMI, you should connect as ubuntu.
$ ssh -vvv -i ~/.ssh/MY_KEY.pem ubuntu@ec2-XX-XX-XXX-XX.compute-1.amazonaws.com
On Amazon Linux, the default user is ec2-user.
$ ssh -vvv -i MY_KEY.pem ec2-user@ec2-XX-XX-XXX-XX.compute-1.amazonaws.com
Once you are in, both of these users will have sudo privileges.
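The user-name mismatch described in the answer above can be read straight out of `ssh -v` output. The following is an added example, not code from the original posts: it parses a client debug log, collects the login user, server banner, accepted methods and keys tried, and flags a login user that differs from the default the banner suggests. The function name `triage`, the finding codes and the banner-to-user table are assumptions of this example, and the sample log is constructed.

```python
import re

# Banner substring -> default login user (banner sniffing is this example's assumption).
DEFAULT_USER_BY_BANNER = {"ubuntu": "ubuntu"}

PATTERNS = {
    "user": re.compile(r"Authenticating to \S+ as '([^']+)'"),
    "banner": re.compile(r"remote software version (.+)"),
    "methods": re.compile(r"Authentications that can continue: (\S+)"),
    "key": re.compile(r"(?:Offering (?:\w+ )?public key|Trying private key): (\S+)"),
}

def triage(log, user=None):
    """Summarise the auth phase of an `ssh -v` client log; return facts and findings."""
    info = {"user": user, "banner": None, "methods": [], "keys": [], "findings": []}
    for line in log.splitlines():
        for name, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            value = m.group(1).strip()
            if name == "key":
                if value not in info["keys"]:      # a key can be offered, then tried
                    info["keys"].append(value)
            elif name == "methods":
                info["methods"] = value.split(",")  # keep the server's latest answer
            else:
                info[name] = value
    if "Permission denied" not in log:
        return info
    info["findings"].append("keys-rejected" if info["keys"] else "no-key-offered")
    banner = (info["banner"] or "").lower()
    for hint, default in DEFAULT_USER_BY_BANNER.items():
        if hint in banner and info["user"] not in (None, default):
            info["findings"].append("try-user:" + default)
    return info

# Constructed sample, shaped like the logs on this page (host and key names made up).
SAMPLE = """\
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: Authenticating to host.example:22 as 'jack'
debug1: Offering RSA public key: /Users/jack/.ssh/id_rsa
debug1: Trying private key: /Users/jack/.ssh/example.pem
debug1: Authentications that can continue: publickey
Permission denied (publickey).
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Older clients do not print the `Authenticating to ... as` line, so for those logs pass the login name through the `user` argument.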

AWS SSH connect from OSX keep asking for password for SSH Key

As per Ben's answer, I created a key pair, downloaded the private key into ~/.ssh, changed the permissions to 600 and tried to ssh the instance ... but got an unauthorized error:
$ ssh -v -i ~/.ssh/aws-erwin16.pem jack@ec2-nn-nn-nnn-nnn.us-west-2.compute.amazonaws.com
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/jack/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to ec2-nn-nn-nnn-nnn.us-west-2.compute.amazonaws.com [54.69.113.179] port 22.
debug1: Connection established.
debug1: identity file /Users/jack/.ssh/aws-erwin16.pem type -1
debug1: identity file /Users/jack/.ssh/aws-erwin16.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 85:e4:69:56:21:4d:32:1c:e9:5c:83:a5:cc:28:03:39
debug1: Host 'ec2-nn-nn-nnn-nnn.us-west-2.compute.amazonaws.com' is known and matches the RSA host key.
debug1: Found key in /Users/jack/.ssh/known_hosts:22
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/jack/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/jack/.ssh/aws-erwin16.pem
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
If I change the user name to ubuntu, it runs fine and gets connected.
You have confused the X.509 Certificates with the Amazon EC2 Keypairs. EC2 Keypairs are used to log in to EC2 instances.
In the EC2 console, find the keypairs section on the left, generate a keypair, and save the private key locally to your disk. OpenSSH searches the ~/.ssh directory by default. Run chmod 600 ~/.ssh/<filename> to set the correct permissions. You can then use that key to access your instance via SSH.

ssh connection> Permission denied (publickey). Ubuntu 12.04 EC2

I was using my EC2 instance 1 hour ago, I uploaded my web page using scp to my server and everything was fine. I closed the connection with exit command and now I am trying to log in using the same command as before and I'm getting this:
$ ssh -v -i /cygdrive/c/tsearch.pem ubuntu@tsearch.com.mx
OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012
debug1: Connecting to tsearch.com.mx [54.201.232.244] port 22.
debug1: Connection established.
debug1: identity file /cygdrive/c/tsearch.pem type -1
debug1: identity file /cygdrive/c/tsearch.pem-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 3f:d4:cb:c0:db:7b:49:5e:0a:dc:1b:ec:4f:23:14:c3
debug1: Host 'tsearch.com.mx' is known and matches the ECDSA host key.
debug1: Found key in /home/Fernando/.ssh/known_hosts:6
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /cygdrive/c/tsearch.pem
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
I have searched over the web, and I have found different answers, but none has worked (and I don't want to delete my amazon instance). Any ideas?
Worst case, to recover the data in the instance, you can create an AMI from the instance, without rebooting. Then restart another instance using the AMI that you just created. Later, you can change your DNS (or Elastic IP) to point to your new instance.

Permission denied (publickey)

ssh -i [full path to keypair file] ec2-user@[EC2 instance hostname or IP address]
I did this and it worked before and suddenly I am getting Permission denied (publickey) error.
mac-pro:aws me$ ssh -i key.pem ubuntu@elastic_ip_address -v
OpenSSH_5.6p1, OpenSSL 0.9.8r 8 Feb 2011
debug1: Reading configuration data /etc/ssh_config
debug1: Applying options for *
debug1: Connecting to elastic_ip_address [elastic_ip_address] port 22.
debug1: Connection established.
debug1: identity file key.pem type -1
debug1: identity file key.pem-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-4ubuntu4
debug1: match: OpenSSH_5.5p1 Debian-4ubuntu4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'elastic_ip_address' is known and matches the RSA host key.
debug1: Found key in /Users/me/.ssh/known_hosts:8
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: key.pem
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
Incidentally, I am using the same key for three different EC2 instances. I am not sure this is the reason why I am getting this error. I can access two other EC2 instances over ssh using the same key, but there is one instance I cannot access.
Correct user? ec2-user@ or root@