When I try to ssh to my AWS instance I'm getting 'Permission denied (publickey)'.
Searching this issue the resolution is usually to make sure the .pem key has the right permissions with 'chmod 600'. The other solution is logging in as root or ec2-user. I've tried both.
What's unique is that I can use the same key and log into an older AWS instance, then try to log my newly created one and get the permission denied error. In AWS both show to be using the same "Key pair name". So if they key pair is the same in AWS and the key works on one box, why the issue on the other box?
The box that fails (same key)
$ ssh -v -i .ssh/aws_match.pem root#52.23.xxx.xxx
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to 52.23.xxx.xxx [52.23.xxx.xxx] port 22.
debug1: Connection established.
debug1: identity file .ssh/aws_match.pem type -1
debug1: identity file .ssh/aws_match.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm#openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm#openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 5c:5b:54:a6:50:ec:3b:ba:aa:4f:00:2a:90:b3:a9:9b
debug1: Host '52.23.195.151' is known and matches the RSA host key.
debug1: Found key in /Users/pumphreyjj/.ssh/known_hosts:12
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: .ssh/aws_match.pem
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
The box that works (same key)
$ ssh -v -i .ssh/aws_match.pem root#54.84.xx.xxx
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to 54.84.xx.xxx [54.84.xx.xxx] port 22.
debug1: Connection established.
debug1: identity file .ssh/aws_match.pem type -1
debug1: identity file .ssh/aws_match.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA f0:94:93:93:fa:1d:37:ec:6d:0a:22:78:2e:9c:d1:13
debug1: Host '54.84.81.152' is known and matches the RSA host key.
debug1: Found key in /Users/pumphreyjj/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Trying private key: .ssh/aws_match.pem
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to 54.84.xx.xxx ([54.84.xx.xxx]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions#openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Mon Nov 9 10:43:36 2015 from 128.231.xxx.xxx
The only difference I see is the OpenSSH version, but that's installed by AWS. I haven't changed the box any yet.
Turns out that the older box was built with a specific image and that local key was uploaded to AWS go with it. New boxes didn't work with that key for whatever reason. I worked around this by creating a new key for the new boxes and it is working fine now.
Related
I'm planning on transferring a site from one instance to another. Since it's quite a big site, I believe it's better to copy the files from one instance to another directly.
I've followed the instructions found in the 2 links below on how to make sure SCP works:
https://blog.e-zest.com/how-to-do-scp-from-one-ec2-instance-to-another-ec2-instance/
https://blog.microideation.com/2016/05/26/secure-copy-files-scp-between-two-ec2-instances-in-aws/
However, using this command:
scp -v test.txt root#x.x.x.x:/home/test_dest.txt
I'm getting this error:
Executing: program /usr/bin/ssh host x.x.x.x, user root, command scp -v -t /home/test_dest.txt
OpenSSH_6.6.1, OpenSSL 1.0.1k-fips 8 Jan 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to x.x.x.x [x.x.x.x] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm#openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm#openssh.com none
debug1: kex: curve25519-sha256#libssh.org need=16 dh_need=16
debug1: kex: curve25519-sha256#libssh.org need=16 dh_need=16
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 69:bc:99:1d:e8:09:4f:ce:4a:7f:70:45:a3:1f:06:99
debug1: Host 'x.x.x.x' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
lost connection
I've checked the Security Group and they're good. File permissions are good as well.
So couple of questions:
What does the error above mean? How do I fix it?
Is there another way to transfer files between EC2 instances?
What else do I need to check to make SCP work?
I'm having trouble ssh-ing into my Bitnami AWS instance. I'm pretty new to developing in general so I'm sure I could have missed something in the docs but I did chmod 600 and also tried 400 to my bitnami-hosting.pem and I use this command. I checked the posts and non of the solutions I found helped out. Any ideas?
ssh -i ~/.ssh/bitnami-hosting.pem bitnami#ec2-52-10-192-39.us-west-2.compute.amazonaws.com
I tried using the public and private IPs too.
and this is the return
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/adam/.ssh/config
debug1: /Users/adam/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to ec2-52-10-192-39.us-west-2.compute.amazonaws.com [52.10.192.39] port 22.
debug1: Connection established.
debug1: identity file /Users/adam/.ssh/bitnami-hosting.pem type -1
debug1: identity file /Users/adam/.ssh/bitnami-hosting.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm#openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm#openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 44:de:04:21:c6:8c:08:9f:a6:6d:b1:48:a2:cb:ab:2f
debug1: Host 'ec2-52-10-192-39.us-west-2.compute.amazonaws.com' is known and matches the RSA host key.
debug1: Found key in /Users/adam/.ssh/known_hosts:12
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/adam/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/adam/.ssh/bitnami-hosting.pem
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
Are you 100% positive you are using the right ssh key and not a different one?
i had an ssh key on aws instance (let's call it key a); however, it wasn't allowing me to access my github account, so i generated a new ssh key (key b). the good thing is that i was able to access github, but the bad thing is that i now can't access my aws instance through ssh.
any idea what i can do? i've tried changing the permissions on the pem file to no avail. i'm running ubuntu 12.04 on aws remotely and a windows machine locally.
additional info: when i created key b and named it rsa_id.pub, i didn't intentionally or explicitly overwrite key a. i've tried two syntaxes, ssh (my default) and the ssh -i xxx.pem ubuntu#ec2-xxx-xx-xxx-x.compute-1.amazonaws.com. neither of these syntaxes are working.
OpenSSH_6.4, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /home/xx/.ssh/config
debug1: /home/xx/.ssh/config line 1: Applying options for awshost1
debug1: Connecting to ec2-xx-xxx-xxx-xx.us-west-2.compute.amazonaws.com [54.201.134.83] port 22.
debug1: Connection established.
debug1: identity file /home/xx/.ssh/xx.pem type -1
debug1: identity file /home/xx/.ssh/xx.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH_5*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
debug1: Host 'ec2-xx-xxx-xxx-xx.us-west-2.compute.amazonaws.com' is known and matches the ECDSA host key.
debug1: Found key in /home/xx/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/xx/.ssh/xx.pem
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
If your instance is EBS-backed (and it should be), all is not lost. You can move the instance to a machine and set a new key in the process:
http://blog.celingest.com/en/2013/11/14/replace-lost-keypair-ec2-instance/
There are two important pieces of information missing here:
did you create a new key, or did you overwrite your existing one (on your local machine)
how specifically are you attempting to ssh, that is to say what is the exact ssh syntax?
Assuming that you generated a new key to access your github account, that shouldn't affect your existing key pair to your AWS instance. You should be running something along the lines of
ssh -i /path/to/key.pem ubuntu#your-public-dns-name
Additionally, you should make sure that your key file has the appropriate permissions.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 8 years ago.
Improve this question
I read the SO on Permissions error, but still can't get pass publickey issue. Could you look at my log and tell me what else I need to do to fix this issue? BTW, I've already chmod 600 my keypair, too. I really appreciate your help.
(molaenv)van#mavericks:~/webdev$ ssh -v -i ~/webdev/molakeypair.pem ec2-user#ec2-54-86-32-54.compute-1.amazonaws.com
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to ec2-54-86-32-54.compute-1.amazonaws.com [54.86.32.54] port 22.
debug1: Connection established.
debug1: identity file /Users/van/webdev/molakeypair.pem type -1
debug1: identity file /Users/van/webdev/molakeypair.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm#openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm#openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 8f:c8:b1:6d:5a:7c:fa:10:95:46:d4:34:63:17:b5:bd
debug1: Host 'ec2-54-86-32-54.compute-1.amazonaws.com' is known and matches the RSA host key.
debug1: Found key in /Users/van/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/van/webdev/molakeypair.pem
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
What is the OS running on your EC2 instance ?
For Amazon published AMI, we are using ec2-user for Amazon Linux and Red Hat.
On Ubuntu, the default user is ubuntu
On Suse, the default user is root
For Community AMI, you have to check with the AMI creator what user is configured with your public key.
I've been using Amazon EC2 Instance up to this point running ubuntu primarily with django/python configurations, but i wanted to use a LAMP ami this time (with the same exact security group) , and it refuses to allow me to login:
Permission denied (publickey).
new-host:~ user$ ssh -v -i ThrowAwayEC2Server.pem ubuntu#xx.xxx.xx.xxx
OpenSSH_5.9p1, OpenSSL 0.9.8y 5 Feb 2013
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: /etc/ssh_config line 53: Applying options for *
debug1: Connecting to xx.xxx.xx.xxx [xx.xxx.xx.xxx] port 22.
debug1: Connection established.
debug1: identity file ThrowAwayEC2Server.pem type -1
debug1: identity file ThrowAwayEC2Server.pem-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA e7:ef:60:19:a8:cf:e6:04:9a:9c:f9:a7:b2:12:a5:4b
debug1: Host 'xx.xxx.xx.xxx' is known and matches the RSA host key.
debug1: Found key in /Users/user/.ssh/known_hosts:21
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/user/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: ThrowAwayEC2Server.pem
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
Anyone know why this isn't working? I've tried:
different ami's (lamp based, some bitnami)
using totally new .pem files
Can anyone help? Anything you see wrong that is happening?
Thanks!
different ami
This wasn't a problem so much with the syntax of the connection string, but a username error.
If you are attempting to connect to a bitnami, community-driven ami - the username is bitnami, so for example:
ssh -i yourkeyfile.pem bitnami#ec2-xxx-xxx-xxx-xx.compute-1.amazonaws.com