I have just launched a new Amazon AWS EC2 instance. It is a Suse server.
I am attempting to connect to it through SSH using my private key. It has been 'Permanently added' to my 'to the list of known hosts.' with my private key.
However -
I am not logged in to the server. It is requesting a password. Though it is supposed to use my private key without a password. (as described here: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html)
What should I do?
--
More details:
I ran it again with debug: added -v: ssh -v -i ...
These are the last few lines in the shell (up to here it seems to be fine) before I am asked for pwd:
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: my-private-key.pem
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
I have just solved this. It is a bit of a workaround. The problem may have been the type of server used, Suse. I used ec2-user for username, but it may be different for different servers. This is the one for Amazon Linux AMI (and also for Ubuntu I believe), but apparently not for Suse.
I stopped (/terminated) this instance, and launched a new AMI Amazon Linux server instance instead.
Connecting to SSH there worked like a charm. Using ssh -v -i my-private-key.pem ec2-user#publicaddressblahblah.compute.amazonaws.com
I was not asked for a pwd here.
If your local box is Linux
The first thing you want to make sure of is that you have your key loaded into ssh-agent and into ssh-add (on your client machine).
08:10:51 ~$ ssh-agent
SSH_AUTH_SOCK=/var/folders/ps/1dvr90bd6p3blnyrnpyxnryhv45qg1/T//ssh-K8VbUYmYYj4w/agent.9087; export SSH_AUTH_SOCK;
SSH_AGENT_PID=9088; export SSH_AGENT_PID;
echo Agent pid 9088;
Run each of these lines (to declare the variables you need). Then run ssh-add.
08:17:33 ~$ ssh-add
Enter passphrase for /Users/kyle/.ssh/id_rsa:
Identity added: /Users/kyle/.ssh/id_rsa (/Users/kyle/.ssh/id_rsa)
To put it all in one line:
$ eval `ssh-agent`; ssh-add
Workaround to make sure you're loading the right key
You can tell SSH to load a specific key using the -i option.
$ ssh -i ~/.ssh/other_rsa ec2-user#<ip>
Username woes
If this is an Amazon Linux box, the user is ec2-user. For some AMIs, they have other users set up (ubuntu on ubuntu). Check the documentation to see if they have any specific requirements.
$ ssh ubuntu#IP
On trying with user "root", it worked for me.
ssh -i root#server-name
The documentation says the user could be either ec2-user or root:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html
i solved this by changing my proxy server from Hk to Japan. my ec2 instance is in japan, but my proxy server is in Hk, so it let me type pwd, but when i change my proxy server to Japan, no need to type the pwd
Related
I've created a user and copied the public key to .ssh/authorized_key for that new user and also I've set the pubkeyauthentication to yes on /etc/ssh/sshd_config after saving the file restarted the sshd service.
When I try to ssh from the new user I am getting error:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic)
Am I missing any step here to ssh from the new user account?
When I check the status for sshd.servive I see error:
AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys xxxx SHA256:84NyibLXFppE4BGIM+1e5iO...status 22
Had the same issue error: AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys ec2-user.
Make sure the file permission is user only (600) in the $HOME/.ssh directory on the SSH client side host.
"error: AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys ...snip... failed, status 22" error #20
FYI
To debug:
sudo tail -f /var/log/secure to monitor the reason why SSH refuses the connection.
Make sure $HOME/.ssh/authorized_key content on EC2 instance is correctly match with your ssh private key in the SSH client host.
Make sure correct private key is being used, use -i option to explicitly specify which key you use.
You might want to check the algorithm you are using to generate the key.
I saw exactly the same error message when using the ECDSA algorithm but fixed the problem by using RSA instead (ssh-keygen -t rsa).
If you want to dig deeper you can try
ssh -Q key
to get a list of supported key types.
I have an AWS EC2 instance which is running Rstudio and Shiny Server on an ubuntu instance.
I have a Windows machine and have up until recently used PuTTY to connect to my instance (using ssh). Using PuTTY I also use ssh tunneling to localhost:8787. I can do this through the GUI or PLINK, both work fine ie.
> plink -i myprivatekey.ppk -L 8787:localhost:8787 ubuntu#IPaddressAWS
Or by using the GUI and going to Auth -> tunneling and setting it up that way.
Then I am able to open my browser and go to localhost:8787 and I get an Rstudio login.
The Problem
Now recently I started using multipass to connect to AWS via ubuntu to remove the middle man (PuTTY (Yes add a middle man to remove a middle man)). However I cannot get the tunneling to work.
$ ssh -i myprivatekey.pem -L 8787:localhost:8787 ubuntu#IPaddressAWS
But when I go to localhost:8787 there is nothing there. I thought that what I did using PuTTY was the same as that. I have tried some variations that I have found online such as
ssh -N -L SOURCE-PORT:127.0.0.1:DESTINATION-PORT -i KEYFILE ubuntu#IPAdressAWS
When I add the verbose option -v, the logs seem okay;
Authenticated to MY INSTANCE ON AWS
debug1: Local connections to LOCALHOST:8787 forwarded to remote address localhost:8787
debug1: Local forwarding listening on ::1 port 8787.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 8787.
debug1: channel 1: new [port listener]
debug1: Requesting no-more-sessions#openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00#openssh.com want_reply 0
I could well be missing something very obvious (not great with linux). My main query is that: Isn't what I did using PuTTY the same as what I have tried using ubuntu?
Amazon EC2 instance: Server refused our key while using amazon server as well as Ubuntu server.please help me how to resolve this issue. i am very new to AWS services..i have strucked from 2 days ..please help me get out this.
You have to edit this file in the ubuntu server
cat /etc/ssh/sshd_config
...
PubkeyAuthentication yes
PubkeyAcceptedKeyTypes=+ssh-rsa
What is the error you are getting ! Try
$chmod 400 key.pem
and then try to ssh using
$ ssh -i key.pem ubuntu#IPAddress
Another mistake which people generally make is using right user. If your server is ubuntu; then user name should be ubuntu; else try user ec2-user
If you are re-using a connection configuration in putty you were using previously to connect to a different ec2 instance of a different type, make sure you change the name (located in Connection -> Data) to ubuntu
I am trying to connect to my ec2 instance from my chromebook using the secure shell extension but I keep getting the following error:
Loading NaCl plugin... done.
ssh: connect to host (public DNS) port 22: Connection refused
NaCl plugin exited with status code 255.
I have been following the steps on this site but with 0 success.
http://www.mattburns.co.uk/blog/2012/11/15/connecting-to-ec2-from-chromes-secure-shell-using-only-a-pem-file/
Help please.
If you're doing this on your chromebook, you should have developer mode enabled so that you can enter the console and execute Linux commands. Once developer mode is enabled, enter the console with ctrl+alt+t and then type in shell.
First you'll want to change the permissions of your .pem key. The ssh keygen won't run if the permissions aren't restricted enough.
sudo chmod 400 myKeyPair.pem
Next you'll want to generate your own public key with ssh-keygen like mentioned in the other links.
ssh-keygen -y -f myKeyPair.pem > myKeyPair.pub
After this, you'll want to create a file with no extension and the private key pair inside.
touch myKeyPair
After this, copy the contents of the .pem file to the file with no extension, myKeyPair.
sudo cat myKeyPair.pem > myKeyPair
Next you'll want to open up the secure shell extension, which can be found here.
Enter your connection information for your machine and don't forget to specify the port number. When it comes to importing the key pair, select both the myKeyPair.pub and the myKeyPair files using ctrl.
That's it, you should be connected!
I cannot connect to any machine I create on EC2 that belongs to the C3 family.
I have no problem connecting with SSH to any other type of machine.
What do I need to do to further debug this?
The steps I've taken:
I create a t1.micro machine with the same image (an ubuntu 13.10 64bit AMI ami-2f252646), and the same key-pair, and hte same security group. It works fine.
I ssh to a t1.micro machine, and then ssh again from that machine to the C3 machine. That tells me the machine is up and running and my problem is connecting to the C3 machine from my PC directly (going through the office router).
I try to telnet to the t1.micro machine on port 22 - I get a connection.
I try to telnet to the C3 machine on port 22 - does not work.
I try to telnet to the C3 machine on port 22 from another PC, not from the office - I get a connection.
I tried this with several C3 type machines, all iwht the same result.
So:
The machine is up and running, and can accept connections.
There is obviously a problem in the coupling between my office connection and the C3 machine.
My office connection works fine with any other type of m1/c1/g1/m2 machine, so it's only the "3" family that has that problem.
I'm at a loss on how to solve this, or even debug this further. Right now I'm tunneling to my machine through a proxy t1.micro machine...
My operating system is itself Ubuntu 13.10
Here is a gist link to the output of my ssh -vvv command
It seems to get stuck at debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Solved it, with the help of AWS professional (paid) services.
The problem is with some of the authentication protocols.
I have a high (9000) MTU (minimal transfer unit) configured in my network connection, I need this to access big chunks of data.
The solution is either to lower the MTU to below 1400 (which is not good for me, because I need it), or to change the SSH config, which worked for me.
sudo vi /etc/ssh/ssh_config
and uncomment the lines starting with Ciphers and MACs
mine says:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
MACs hmac-md5,hmac-sha1,umac-64#openssh.com,hmac-ripemd160
This is a bug from Ubuntu 12.10 and onwards (it works in 12.04 and below)
There is another option besides using just the provided pem with an Ami that you've created yourself.
Go back and spin up the current image on an instance size that you know works. Ssh into the instance as the main user and then create a secondary user and add them to the sudoers group.
sudo useradd -d /home/myuser -m myuser
sudo usermod -a -G sudo myuser
Then change to the new user and go to their home directory and create a .ssh folder, change this to 0700. Go inside the .ssh directory an vi (or your text editor of choice) and create an authorized_keys file.
Insert your PUBLIC key contents into this file.
Change the permissions on this file to 0600.
sudo su myuser
cd ~
mkdir .ssh
chmod 0700 .ssh
cd .ssh
vi authorized_keys
chmod 0600 authorized_keys
Exit out of the user. Before you exit the box you probably want to edit (as sudo) /etc/passwd and change the users shell from sh to bash.
Exit out of the box and test connecting with your new user before returning your new Ami.
Now spin up the new ami as a C3 instance and connect in with your user.