I have a Wowza instance purchased from Marketplace, about 4 hrs ago I was able to connect it and was doing some operations on it. But now when I am trying to connect it gives Permission denied (publickey) error. I used chmod command to give 777 permissions on ./ And here is the real cause I think.
From this solution when I am trying to attach the root volume of this instance to other instance of same type it is giving the same error, but when volume is detached it is being connected successfully. The volume of marketplace instance can be attached to similar type of instance only.
Now how can I change the permission of that .ssh directory? Can you please help me out.
Here are the logs when I am trying to connect with the instance:
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 54.69.133.11 [54.69.133.11] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file Desktop/Shivam/mypemfile.pem type -1
debug1: identity file Desktop/Shivam/mypemfile.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 6a:48:f5:14:13:9a:a1:79:e8:44:bb:0d:6b:8d:b7:59
The authenticity of host '54.69.133.11 (54.69.133.11)' can't be established.
ECDSA key fingerprint is 6a:48:f5:14:13:9a:a1:79:e8:44:bb:0d:6b:8d:b7:59.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '54.69.133.11' (ECDSA) to the list of known hosts.
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: Desktop/Shivam/mypemfile.pem
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
Products launched from the AWS Marketplace have restrictions that non-marketplace instances don't have mainly to enforce licensing. You have run into one of the restrictions.
Here is a relevant thread on the AWS Forums that may be of use, especially the final post in the thread:
If a volume has an AWS Marketplace product code:
The volume can only be attached to a stopped instance.
You must be subscribed to the AWS Marketplace code that is on the volume.
The configuration (instance type, operating system) of the instance must support that specific AWS Marketplace code. For example, you cannot take a volume from a Windows instance and attach it to a Linux instance.
AWS Marketplace product codes are copied from the volume to the instance.
I did not check, but you can try this trick.
You can specify user data to configure an instance or run a configuration script during launch.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html#user-data-shell-scripts
When you create a new instance
Choose AMI from Market Place
Choose Instance Type
Configure Instance -> Advanced Details -> User data.
Put here your bash script to change permissions back.
Add Storage
Change root device or add a new one from the snapshot of your EBS.
Tag Instance
Configure Security Group
Review and Launch
The difference between this question and all the others comes down to this: yesterday, I could connect via SSH just fine using this command:
ssh -i "~/.ssh/[.cer file]" ubuntu@[Public IPv4 DNS]
(A .cer file is created instead of .pem since I use Chrome.) Then I shut down the instance and deleted the volume (after creating a snapshot) then I went home.
Today, I did the following:
Created a new volume from the snapshot, and attached it to the instance
Created an Elastic IP address and assigned it to the instance
Started the instance
Tried connecting via SSH using the new Public IPv4 DNS. I got a Permission denied (publickey) error.
Thinking it may have something to do with the Elastic IP, I dissociated the Elastic IP and rebooted the instance to get a new temporary IP.
I tried using ssh using the same command (with the new Public DNS) and am still getting the Permission denied (publickey) error.
Here is the log I get when adding -v to the command:
OpenSSH_8.6p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/WonderWolff/.ssh/config
debug1: /Users/WonderWolff/.ssh/config line 14: Applying options for *.compute.amazonaws.com
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to ec2-13-57-238-91.us-west-1.compute.amazonaws.com port 22.
debug1: Connection established.
debug1: identity file /Users/WonderWolff/.ssh/rei_development.cer type -1
debug1: identity file /Users/WonderWolff/.ssh/rei_development.cer-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.10
debug1: compat_banner: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.10 pat OpenSSH_6.6.1* compat 0x04000002
debug1: Authenticating to ec2-13-57-238-91.us-west-1.compute.amazonaws.com:22 as 'ubuntu'
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: aes128-ctr MAC: umac-128-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-128-etm@openssh.com compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:LnRbxnhhpoLZeIUFXFzOybmc+cPvutkYqZCmUmq+zVw
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
Warning: Permanently added 'ec2-13-57-238-91.us-west-1.compute.amazonaws.com' (ED25519) to the list of known hosts.
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /Users/WonderWolff/.ssh/rei_development.cer explicit
debug1: SSH2_MSG_SERVICE_ACCEPT received
Unauthorized use is strictly prohibited. All access and activity
is subject to logging and monitoring.
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/WonderWolff/.ssh/rei_development.cer
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
ubuntu@ec2-13-57-238-91.us-west-1.compute.amazonaws.com: Permission denied (publickey).
If it worked yesterday after multiple stops and reboots (I stopped and rebooted multiple times yesterday), what could possibly be the issue? Was attaching a new volume created from a snapshot the issue?
UPDATE: I created a new instance using the same keys. Connecting to that instance works, no problem. But I would still like to understand why either the removal and re-association of a volume, OR the assigning an Elastic IP address, OR a different reason I don't yet know causes me to get a Permission Denied error with the first instance.
Suddenly My sequel pro does not work well.
I get sequel connect RDS via EC2.
The setting seems to be correct.
I have chosen correct pem file to connect SSH.
I don't know why "No more authentication methods to try." happens
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /Users/abc/.ssh/id_rsa
debug1: Will attempt key: /Users/abc/.ssh/id_dsa
debug1: Will attempt key: /Users/abc/.ssh/id_ecdsa
debug1: Will attempt key: /Users/abc/.ssh/id_ed25519
debug1: Will attempt key: /Users/abc/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/abc/.ssh/id_rsa
debug1: Trying private key: /Users/abc/.ssh/id_dsa
debug1: Trying private key: /Users/abc/.ssh/id_ecdsa
debug1: Trying private key: /Users/abc/.ssh/id_ed25519
debug1: Trying private key: /Users/abc/.ssh/id_xmss
debug1: No more authentication methods to try.
ec2-user@ec2-23-214-216-2.ap-northeast-1.compute.amazonaws.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Amazon RDS is a managed database service. No access is provided to the underlying infrastructure.
If you wish to connect to an Amazon RDS database, you will need to connect your SQL Client directly to the database via its designated port (eg MySQL port 3306). It is not possible to connect via SSH.
See: Connecting to an Amazon RDS DB instance - Amazon Relational Database Service
I have downloaded the default private key and am able to connect via SSH with no problem using that private key. In my Lightsail instance, I went to the SSH Keys tab, created a new key pair and downloaded the new private key (saving it in the correct location on my local machine with proper permissions). However, I am unable to connect using that new private key. Here is the output I get from the command: ssh -v -i ~/.ssh/test.pem me@x.x.x.x
OpenSSH_7.8p1, LibreSSL 2.6.2
debug1: Reading configuration data /Volumes/Norman Data/daveh0/.ssh/config
debug1: /Volumes/Norman Data/daveh0/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Connecting to x.x.x.x port 22.
debug1: Connection established.
debug1: identity file .ssh/test.pem type -1
debug1: identity file .ssh/test.pem-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.8
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.8 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to x.x.x.x:22 as 'me'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:Bajjqc9SJlMHTB/OrEWKl4ATi6/wI+fB1C351fi5Iwk
debug1: Host 'x.x.x.x' is known and matches the ECDSA host key.
debug1: Found key in /Volumes/Norman Data/daveh0/.ssh/known_hosts:10
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: .ssh/test.pem
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
me@x.x.x.x: Permission denied (publickey).
I've got to be missing a step on the SSH Keys screen, but I can't seem to figure out what it would be. Can anyone help?
Keypairs are a feature of Linux. The way it works is:
Somebody tries to connect to the Linux computer using SSH, eg ssh -i key.pem username@IP-ADDRESS
The Linux computer looks in /home/USERNAME/.ssh/authorized_keys
If it finds a public key that matches the private key supplied in key.pem, then the connection is permitted
Therefore, since you created a new keypair, you will need to add the new keypair to the appropriate user's ~/.ssh/authorized_keys file.
Your example shows you as logging in as a user called me, so the public keypair should be added to /home/me/.ssh/authorized_keys.
When first launching a Lightsail or EC2 instance, you can specify a keypair and software on the instance will automatically add the associated public key to the authorized_keys file. However, you will need to do this step manually for an already-running instance.
For AWS Lightsail, I was able to login via SSH by appending my public key id_rsa.pub to remote authorized_keys, I used SFTP (Filezilla) to update authorized_keys file. For SFTP connection I downloaded ssh key from Accounts page.
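The manual step both answers above describe, as an added example that is not part of the original posts: it appends a public key line to a user's authorized_keys only if that key is not already there, and sets the modes sshd expects. The function names and the home-directory argument are assumptions for illustration; the public line for an existing private key can be printed with ssh-keygen -y -f key.pem.

```shell
#!/bin/sh
# Added example: idempotently authorize a public key for one account.
# Run it as that account (or chown the files to it afterwards).

# Print the base64 key blob of every entry in authorized_keys-style input.
# Entry layout: [options] keytype base64-blob [comment]
# Limitation: an option string that itself contains a key-type word is misparsed.
key_blobs() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-|sk-)/) {
                print $(i + 1)
                break
            }
    }' "$@"
}

# authorize_key <home_dir> <public_key_line>
# Returns 0 if the key is present afterwards, 2 if the line is not a public key.
authorize_key() {
    home=$1 pub=$2
    file=$home/.ssh/authorized_keys
    blob=$(printf '%s\n' "$pub" | key_blobs)
    [ -n "$blob" ] || return 2

    # Create missing pieces without ever exposing them to group/other.
    ( umask 077; mkdir -p "$home/.ssh"; touch "$file" )

    # Compare on the key blob only, so a different comment or options
    # prefix on an existing entry does not cause a duplicate.
    if ! key_blobs "$file" | grep -qxF -- "$blob"; then
        # Guard against a last line with no trailing newline.
        [ -z "$(tail -c 1 "$file")" ] || echo >> "$file"
        printf '%s\n' "$pub" >> "$file"
    fi

    # sshd ignores the file if it or ~/.ssh is group- or world-writable.
    chmod 700 "$home/.ssh"
    chmod 600 "$file"
}
```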
After changing the owner of .ssh folder from user to root, I cannot login the remote server with ssh. Here is the error message:
OpenSSH_6.9p1, LibreSSL 2.1.7
debug1: Reading configuration data /Users/qj/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: Connecting to ec2-52-193-83-231.ap-northeast-1.compute.amazonaws.com [52.193.83.231] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file gmail.pem type -1
debug1: key_load_public: No such file or directory
debug1: identity file gmail.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: Authenticating to ec2-52-193-83-231.ap-northeast-1.compute.amazonaws.com:22 as 'ec2-user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:EahONyMKzM6Q4tdEBSa9LwyOFI65KB02GesJGuGE9Ss
debug1: Host 'ec2-52-193-83-231.ap-northeast-1.compute.amazonaws.com' is known and matches the ECDSA host key.
debug1: Found key in /Users/qj/.ssh/known_hosts:25
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/qj/.ssh/dqj
debug1: Authentications that can continue: publickey
debug1: Trying private key: gmail.pem
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
It's really my fault to change owner of .ssh folder.
Anyone help me~
If you really need to preserve the server, you could try creating an AMI from the machine. Then relaunching from that. AWS will then attempt to put your public key in authorized_keys again, and may well fix the permissions issue in doing so.
If not, you can always launch a new server and attach the broken server's EBS volume to the new server to fix the permissions on the folder. Not guaranteed to work though if you've got ephemeral storage or a weird file system.
I found the answer from https://forums.aws.amazon.com/thread.jspa?threadID=133054&tstart=0
Here is the answer:
Stop the instance
Detach the Root Volume
Launch another instance(or if you have one already you can skip this step)
Attach the Volume from step 2 to the new (or already existing other) instance
Log in into the instance
Mount the Volume
Change the folder permissions as appropriate
Umount the Volume and detach it
Attach it back to the original instance
Start the instance and connect
Some problems occurred at step 6 when mounting the Volume to the new instance using the shell command mount /dev/xvdf /ebs/ -t ext4 (after mkdir /ebs; this folder is a mount point, more details from Making an Amazon EBS Volume Available for Use). The error message is:
mount: wrong fs type, bad option, bad superblock on /dev/xvdf,
missing codepage or helper program, or other error
In some cases useful info is found in syslog - try
dmesg | tail or so.
The cause is that the file system for the Volume is GPT. Fortunately, I got the reason from this post: Problem mounting GPT disk partition. The solution is that I need to mount /dev/xvdf1, not just /dev/xvdf, such as mount /dev/xvdf1 /ebs/ -t ext4.
Finally, mounting the volume is successful.
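Steps 6 to 8 of the procedure above ("Change the folder permissions as appropriate"), as an added example that is not from the original answer: it resets ownership and modes of a login user's .ssh directory on the mounted volume. The function names are illustrative; the mount point /ebs is the one used in the post, and the user name is whatever account you log in as.

```shell
#!/bin/sh
# Added example: repair SSH-related ownership and modes on a rescued root
# volume that is already mounted on a helper instance (e.g. at /ebs).
# Run as root on the helper instance:  fix_ssh_perms /ebs ec2-user

# Symbolic mode string of a path, e.g. drwx------
mode_of() { ls -ld "$1" | cut -c1-10; }

# fix_ssh_perms <mount_point> <login_user>
# Returns non-zero if the user or its .ssh directory is not on the volume.
fix_ssh_perms() {
    root=$1 user=$2

    # Read uid, gid and home from the volume's own passwd file. The helper
    # instance may map the same user name to different numeric ids, and the
    # ids stored on disk are what the original instance will see.
    entry=$(awk -F: -v u="$user" '$1 == u { print $3 ":" $4 ":" $6 }' \
        "$root/etc/passwd")
    [ -n "$entry" ] || { echo "user $user not in $root/etc/passwd" >&2; return 1; }
    ids=${entry%:*}             # uid:gid
    home=$root${entry##*:}      # home directory, relative to the mount point
    [ -d "$home/.ssh" ] || { echo "missing $home/.ssh" >&2; return 1; }

    echo "before: $(mode_of "$home") $(mode_of "$home/.ssh")"

    # With StrictModes (the sshd default), authorized_keys is ignored when
    # the file, ~/.ssh or the home directory is group- or world-writable,
    # which is what a chmod 777 produces.
    chmod go-w "$home"
    chmod 700 "$home/.ssh"
    if [ -f "$home/.ssh/authorized_keys" ]; then
        chmod 600 "$home/.ssh/authorized_keys"
    fi

    # sshd reads authorized_keys as the login user, so a .ssh that was
    # chown'ed to root and is mode 700 is unreadable to it.
    chown -R "$ids" "$home/.ssh"

    echo "after:  $(mode_of "$home") $(mode_of "$home/.ssh")"
}
```

Unmount the volume afterwards and continue with the remaining steps of the procedure.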
I am trying to SSH to an EC2 instance.
These are the steps I followed and below is the error I got.
In the Amazon Console, I created a Key Pair and downloaded it
Changed the permissions of that pem file to 400 (as written here)
Went to the running instances in the console and got my Public DNS
Added an inbound rule (SSH), 0.0.0.0/0 to the group with description 'SecurityGroup for ElasticBeanstalk environment.' in the Security Groups tab in console
Executed this in console: ssh -i <my_key_filename>.pem ec2-user@<Public DNS>
And this is the output for that:
OpenSSH_6.1p1 Debian-4, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to ec2-54-254-148-94.ap-southeast-1.compute.amazonaws.com [54.254.148.94] port 22.
debug1: Connection established.
debug1: identity file mykey.pem type -1
debug1: identity file mykey.pem-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1p1 Debian-4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA a1:2b:92:f6:cf:e3:ed:8a:60:0e:34:c0:27:24:6f:f7
The authenticity of host 'ec2-54-254-148-94.ap-southeast-1.compute.amazonaws.com (54.254.148.94)' can't be established.
RSA key fingerprint is a1:2b:92:f6:cf:e3:ed:8a:60:0e:34:c0:27:24:6f:f7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ec2-54-254-148-94.ap-southeast-1.compute.amazonaws.com,54.254.148.94' (RSA) to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: aws_key.pem
debug1: Authentications that can continue: publickey
debug1: Offering DSA public key: id_dsa
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: mailid@gmail.com
debug1: Authentications that can continue: publickey
debug1: Trying private key: mykey.pem
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
Also, the instance I am trying to connect to is an Amazon Linux instance.
From your comments below your question: it looks like the order of your steps was incorrect.
First you need to create the keypair
then you need to tell ElasticBeanstalk to use that key pair when it will start your instances
Public keys are injected into the instances at first boot. It is not possible for AWS to change the keypair after the instance has been started - AWS has no technical way to connect to your instance. (you can do it manually by uploading files in ~/.ssh directory)
To learn more about how to use keypair with ElasticBeanstalk, have a look at this screenshot
Or just create an .ebextensions directory with an application.config file containing
option_settings:
  - namespace: aws:autoscaling:launchconfiguration
    option_name: EC2KeyName
    value: "keyname"
More details about customising ElasticBeanstalk environment : http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers-ec2.html#customize-containers-format-options
Possible values are listed here http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-as-launchconfig.html
More details about keypair can be found here : http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
--Seb