How do I resolve SSH connection issues to my Amazon EC2 Linux instance?

6 minute read

I can't use SSH to connect to my Amazon Elastic Compute Cloud (Amazon EC2) Linux instance and want to resolve the issue.

Short description

If you get Permission denied, Connection refused, or Resource temporarily unavailable error messages, then you might have connection issues to your Amazon EC2 instance.

To resolve SSH connection issues, use one of the following methods:

The AWSSupport-TroubleshootSSH automation
SSH with verbose messaging turned on
The Amazon EC2 serial console
Session Manager, a capability of AWS Systems Manager

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Make sure that you have the following details:

The correct private key (.pem file) associated with the instance
The correct username for your Linux distribution
The IP address or DNS name of your instance
Network connectivity to your instance

Run the AWSSupport-TroubleshootSSH runbook

The AWSSupport-TroubleshootSSH automation helps you identify and automatically resolve SSH instance connect issues.

Prerequisites:

Copy the instance ID of the Amazon EC2 instance that you want to troubleshoot.
Meet the prerequisites for the EC2Rescue for Linux tool that the runbook installs.

You can use the AWS CLI to run the AWSSupport-TroubleshootSSH automation.

Or, use the Systems Manager console and configure the following settings:

Under Automation document, choose AWSSupport-TroubleshootSSH.
Under Document details, choose Default version at runtime for Runbook version.
Under Input parameters, enter the unreachable instance for InstanceID and FixAll for Action.

For more information about the AWSSupport-TroubleshootSSH Automation, see Smart RDP and SSH remediation with AWS Systems Manager Automation API actions.

Use SSH with verbose messaging turned on

Complete the following steps:

Use SSH to connect to your Linux instance with the verbose messaging option turned on:
```
user@localhost:~$ ssh -vvv -i my_key.pem ec2-user@11.22.33.44
```
Note: Replace my_key.pem with your private key file and ec2-user@11.22.33.44 with your username. For more information, see Connect to your Linux instance using an SSH client.
To determine the cause of your issue, review the error messages in the output of the SSH client.
After you identify your error message, see the Resolve SSH errors section to resolve your issue.

To learn more about verbose messaging or troubleshooting other types of error messages, see How do I resolve SSH connection issues to my Amazon EC2 Linux instance?

Use the Amazon EC2 Serial console to connect to your Nitro-based and bare metal instances

To troubleshoot SSH issues directly on your instance, you can use the EC2 serial console for Nitro-based and bare metal instances.

Note: If you're using the EC2 serial console for the first time, then review the prerequisites and configure access before you connect to the instance.

If you get a black screen after you connect to the instance, then complete the following tasks:

Use the System Request (SysRq) key to troubleshoot.
Use SysRq, the Amazon EC2 console, or the AWS CLI to reboot your instance.
Use your own key and an SSH client to connect to your instance.

Use Session Manager

You can use Session Manager to connect to your instance on the Amazon EC2 console. After you connect, you can run bash commands on the instance the same way that you do with other connection methods.

Resolve SSH errors

"Connection timed out" or "Connection refused"

The Connection timed out error occurs when the server doesn't respond to the client's request. The Connection refused error occurs when the instance reaches the host but actively rejects the connection because no service is listening on the SSH port. To resolve these issues, see How do I troubleshoot "Connection refused" or "Connection timed out" errors when I use SSH to connect to my EC2 instance?

If you get a Connection timed out error on a virtual private cloud (VPC), then you might have a network configuration issue. Incorrect configurations of your security settings, network access control lists (network ACLs), VPC route tables, or local firewall can cause this issue. To resolve this issue, see How do I troubleshoot Amazon EC2 instance connection timeout errors from the internet?

"Permission denied" or "Authentication failed"

The Permission denied or Authentication failed errors occur when you can't authenticate through SSH to access your instance. Key or permission configuration issues can cause this issue. To resolve this issue, see How do I resolve the "Permission denied (publickey)" or "Authentication failed, permission denied" errors when I access my EC2 instance?

"Server refused our key"

The Server refused our key error occurs when you use SSH to try to connect to an instance and use an incorrect private key, username, or permissions. Or, an incorrectly configured SSH server configuration can cause this issue. To resolve these issues, see Why do I receive the "Server refused our key" error message when I try to connect to my EC2 instance through SSH?

"imported-openssh-key" or "Putty Fatal Error"

The imported-openssh-key or Putty Fatal Error errors occur when you use an incorrect username to connect to an EC2 Linux instance through SSH. Or, you use the wrong private key during a SSH session negotiation. To resolve these issues, see Why do I receive the errors "imported-openssh-key" or "PuTTY Fatal Error" when I connect to my Amazon EC2 Linux instance?

"Enter passphrase for key 'my_key.pem'"

The Enter passphrase for key 'my_key.pem' error occurs when you created a password for your key file, but you didn't manually enter the password. To resolve this issue, manually enter the password. Or, use ssh-agent to automatically load the key.