I am trying to SSH to an EC instance.
These are the steps I followed and below is the error I got.
In the Amazon Console, I created a Key Pair and downloaded it
Changed the permissions of that pem file to 400(as written here)
Went to the running instances in the console and got my Public DNS
Added an inbound rule(SSH),0.0.0.0/0 to the group with description 'SecurityGroup for ElasticBeanstalk environment.' in the Security Groups tab in console
Executed this in consolessh -i <>my_key_filename>.pem ec2-user#<Public DNS>
And this is the output for that:
OpenSSH_6.1p1 Debian-4, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to ec2-54-254-148-94.ap-southeast-1.compute.amazonaws.com [54.254.148.94] port 22.
debug1: Connection established.
debug1: identity file mykey.pem type -1
debug1: identity file mykey.pem-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1p1 Debian-4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA a1:2b:92:f6:cf:e3:ed:8a:60:0e:34:c0:27:24:6f:f7
The authenticity of host 'ec2-54-254-148-94.ap-southeast-1.compute.amazonaws.com (54.254.148.94)' can't be established.
RSA key fingerprint is a1:2b:92:f6:cf:e3:ed:8a:60:0e:34:c0:27:24:6f:f7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ec2-54-254-148-94.ap-southeast-1.compute.amazonaws.com,54.254.148.94' (RSA) to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: aws_key.pem
debug1: Authentications that can continue: publickey
debug1: Offering DSA public key: id_dsa
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: mailid#gmail.com
debug1: Authentications that can continue: publickey
debug1: Trying private key: mykey.pem
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
Also, the instance I am trying to connect to is an Amazon Linux instance.
From your comments below your question : it looks like the order of your steps where incorrect.
First you need to create the keypair
then you need to tell ElasticBeanstak to use that key pair when it will start your instances
Public keys are injected into the instances at first boot. It is not possible for AWS to change the keypair after the instance has been started - AWS has no technical way to connect to your instance. (you can do it manually by upload files in ~/.ssh directory)
To learn more about how to use keypair with ElasticBeanstalk, have a look at this screenshot
Or just create an .ebextensions directory with an application.config file containing
- namespace: aws:autoscaling:launchconfiguration
option_name: EC2Keyname
value: "keyname"
More details about customising ElasticBeanstalk environment : http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers-ec2.html#customize-containers-format-options
Possible values are listed here http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-as-launchconfig.html
More details about keypair can be found here : http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
--Seb
Related
In AWS, I have created a Bastion host (10.0.10.182) using Amazon Linux 2 and from there I am able to connect to a EC2 private subnet instance (10.0.20.121) (amazon linux 2). (However, this works fine only for the first time.)
After connecting to the Private instance, in order to pull a git repo from github on the private instance, I run the ssh-keygen on the private instance and copy that to github Keys. I can see the .ssh dir in the home dir with the usual files - known_hosts, authorized_keys, id_rsa, id_rsa.pub.
When the original connection from bastion host to private ec2instance times out, I am unable to re-login to the private instance via the bastion host. I get the following message:
ssh -i TestVPC_NCal.pem ec2-user#10.0.20.121
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Here is the ssh debug log generated on the Bastion host:
######Begin ssh debug log ######### [ec2-user#ip-10-0-10-182 ~]$ ssh -v -i TestVPC_NCal.pem ec2-user#10.0.20.121 OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 58: Applying
options for * debug1: Connecting to 10.0.20.121 [10.0.20.121] port 22.
debug1: Connection established. debug1: key_load_public: No such file
or directory debug1: identity file TestVPC_NCal.pem type -1 debug1:
key_load_public: No such file or directory debug1: identity file
TestVPC_NCal.pem-cert type -1 debug1: Enabling compatibility mode for
protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.4 debug1:
Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000 debug1:
Authenticating to 10.0.20.121:22 as 'ec2-user' debug1:
SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex:
algorithm: curve25519-sha256 debug1: kex: host key algorithm:
ecdsa-sha2-nistp256 debug1: kex: server->client cipher:
chacha20-poly1305#openssh.com MAC: compression: none
debug1: kex: client->server cipher: chacha20-poly1305#openssh.com MAC:
compression: none debug1: kex: curve25519-sha256 need=64
dh_need=64 debug1: kex: curve25519-sha256 need=64 dh_need=64 debug1:
expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key:
ecdsa-sha2-nistp256 SHA256:5W++Ewk+lx2YXUUY1xhhttjKG3KVWvIOTvtp7THBFJc
debug1: Host '10.0.20.121' is known and matches the ECDSA host key.
debug1: Found key in /home/ec2-user/.ssh/known_hosts:2 debug1: rekey
after 134217728 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting
SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: rekey after
134217728 blocks debug1: SSH2_MSG_EXT_INFO received debug1:
kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that
can continue: publickey,gssapi-keyex,gssapi-with-mic debug1: Next
authentication method: gssapi-keyex debug1: No valid Key exchange
context debug1: Next authentication method: gssapi-with-mic debug1:
Unspecified GSS failure. Minor code may provide more information No
Kerberos credentials available (default cache:
KEYRING:persistent:1000)
debug1: Unspecified GSS failure. Minor code may provide more
information No Kerberos credentials available (default cache:
KEYRING:persistent:1000)
debug1: Next authentication method: publickey debug1: Trying private
key: TestVPC_NCal.pem debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic debug1: No more authentication
methods to try. Permission denied
(publickey,gssapi-keyex,gssapi-with-mic). [ec2-user#ip-10-0-10-182 ~]$
########### End debug log ########
I wonder if the running the ssh-keygen on EC2 private instance is somehow causing the error. Any pointers to resolve this are very welcome!
I was able to resolve this issue by creating the TestVPC_NCal.pem file (associated with the EC2 private instance) on the EC2 private instance while the connection was working. The clue was in the log I posted in my question:
##############
Connecting to 10.0.20.121 [10.0.20.121] port 22. debug1: Connection established. debug1: key_load_public: No such file or directory debug1: identity file TestVPC_NCal.pem type -1 debug1: key_load_public: No such file or directory debug1: identity file TestVPC_NCal.pem-cert type -1 debug1:
##############
When the connection timed-out overnight, I was able to log back in to EC2 private instance with no issues.
I have downloaded the default private key and am able to connect via SSH with no problem using that private key. In my Lightsail instance, I went to the SSH Keys tab, created a new key pair and downloaded the new private key (savng it in the correct location on my local machine with proper permissions). However, i am unable to connect using that new private key. Here is the output I get from the command: ssh -v -i ~/.ssh/test.pem me#x.x.x.x
OpenSSH_7.8p1, LibreSSL 2.6.2
debug1: Reading configuration data /Volumes/Norman Data/daveh0/.ssh/config
debug1: /Volumes/Norman Data/daveh0/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Connecting to x.x.x.x port 22.
debug1: Connection established.
debug1: identity file .ssh/test.pem type -1
debug1: identity file .ssh/test.pem-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.8
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.8 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to x.x.x.x:22 as 'me'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256#libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:Bajjqc9SJlMHTB/OrEWKl4ATi6/wI+fB1C351fi5Iwk
debug1: Host 'x.x.x.x' is known and matches the ECDSA host key.
debug1: Found key in /Volumes/Norman Data/daveh0/.ssh/known_hosts:10
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: .ssh/test.pem
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
me#x.x.x.x : Permission denied (publickey).
I've got to be missing a step on the SSH Keys screen, but I can't seem to figure out what it would be. Can anyone help?
Keypairs are a feature of Linux. The way it works is:
Somebody tries to connect to the Linux computer using SSH, eg ssh -i key.pem username#IP-ADDRESS
The Linux computer looks in /home/USERNAME/.ssh/authorized_keys
If it finds a public key that matches the private key supplied in key.pem, then the connection is permitted
Therefore, since you created a new keypair, you will need to add the new keypair to the appropriate user's ~/.ssh/authorized_keys file.
Your example shows you as logging in as a user called me, so the public keypair should be added to /home/me/.ssh/authorized_keys.
When first launching a Lightsail or EC2 instance, you can specify a keypair and software on the instance will automatically add the associated public key to the authorized_keys file. However, you will need to do this step manually for an already-running instance.
For AWS Lightsail, I was able to login via SSH by appending my public key id_rsa.pub to remote authorized_keys, I used SFTP (Filezilla) to update authorized_keys file. For SFTP connection I downloaded ssh key from Accounts page.
I've configured my EC2 instance, and connected with SSH. But when I created a new Security Group with port rules I couldn't access via SSH anymore. Currently, my custom Security Group rules are:
SSH 0.0.0.0/0
HTTP 0.0.0.0/0
HTTPS 0.0.0.0/0
When I try ssh -v -i bodruk.pem ubuntu#ec2-54-149-134-92.us-west-2.compute.amazonaws.com I have the following error:
OpenSSH_6.6.1, OpenSSL 1.0.1i 6 Aug 2014
debug1: Connecting to ec2-54-149-134-92.us-west-2.compute.amazonaws.com [54.149.
134.92] port 22.
debug1: Connection established.
debug1: identity file bodruk.pem type -1
debug1: identity file bodruk.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubu
ntu-2ubuntu2
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 pat OpenSSH_6.6.1* compat 0x04000
000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm#openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm#openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA e2:13:af:e1:1b:70:f9:70:3b:cd:1d:7f:14:de:ce:90
debug1: Host 'ec2-54-149-134-92.us-west-2.compute.amazonaws.com' is known and ma
tches the ECDSA host key.
debug1: Found key in /c/Users/Thiago/.ssh/known_hosts:2
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: bodruk.pem
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
Already tried this solution, but doesn't work. I changed the Key Pair twice and deleted the known_hosts file with no success.
Any idea?
Can you telnet to the instance with the ssh port? (telnet 'ip' 'port')
If you can telnet, so the problem probably in the Key Pair or something in your computer. And if not, its probably something with the Security Group and network.
I ran into this issue recently and the funny part is my pem file was owned by root instead of my user. When I did sudo chown user:group {pem file name}, I was able to ssh in without a problem.
As per Ben's answer, I created a key pair, downloaded the private key into ~/.ssh , changed the permissions to 600 and tried to ssh the instance ... but got unauthorized erro :
$ ssh -v -i ~/.ssh/aws-erwin16.pem jack#ec2-nn-nn-nnn-nnn.us-west-2.compute.amazonaws.com
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/jack/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to ec2-nn-nn-nnn-nnn.us-west-2.compute.amazonaws.com [54.69.113.179] port 22.
debug1: Connection established.
debug1: identity file /Users/jack/.ssh/aws-erwin16.pem type -1
debug1: identity file /Users/jack/.ssh/aws-erwin16.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm#openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm#openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 85:e4:69:56:21:4d:32:1c:e9:5c:83:a5:cc:28:03:39
debug1: Host 'ec2-nn-nn-nnn-nnn.us-west-2.compute.amazonaws.com' is known and matches the RSA host key.
debug1: Found key in /Users/jack/.ssh/known_hosts:22
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/jack/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/jack/.ssh/aws-erwin16.pem
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
if I change the user name for ubuntu , and it runs fine... get connecte d..;
You have confused the X.509 Certificates with the Amazon EC2 Keypairs. EC2 Keypairs are used to log in to EC2 instances.
In the EC2 console, find the keypairs section on the left, generate a keypair, and save the private key locally to your disk. OpenSSH searches the ~/.ssh directory by default. Run chmod 600 ~/.ssh/<filename> to set the correct permissions. You can then use that key to access your instance via SSH.
I was using my EC2 instance 1 hour ago, I uploaded my web page using scp to my server and everything was fine. I closed the connection with exit command and now I am trying to log in using the same command as before and I'm getting this:
$ ssh -v -i /cygdrive/c/tsearch.pem ubuntu#tsearch.com.mx
OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012
debug1: Connecting to tsearch.com.mx [54.201.232.244] port 22.
debug1: Connection established.
debug1: identity file /cygdrive/c/tsearch.pem type -1
debug1: identity file /cygdrive/c/tsearch.pem-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 3f:d4:cb:c0:db:7b:49:5e:0a:dc:1b:ec:4f:23:14:c3
debug1: Host 'tsearch.com.mx' is known and matches the ECDSA host key.
debug1: Found key in /home/Fernando/.ssh/known_hosts:6
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /cygdrive/c/tsearch.pem
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
I have searched over the web, and I have found different answers, but none has worked (and I dont want to delete my amazon instance). Any ideas?
Worst case to recover the data in the instance. You can create an AMI from the instance, without rebooting. Then restart another instance using the AMI that you just created. Later, you can change your DNS (or Elastic IP) to point to your new instance.