
I can't login to my AWS instance using a newly-created SSH key. I have exhausted most of the ways to get the connection with the help from claude.ai, but in vain. Can anyone help!?

0

Here is what I have confirmed over the past several hours:

  1. The network connection to the instance is working (as evidenced by successful telnet and netcat tests to port 22)
  2. The SSH server is responding
  3. Double- and triple-checked if the key permissions and format are correct
  4. Verified if the security group settings are in order
  5. Then, I re-created the keypair again and repeated what I have done to make sure no point of failure exists.
  6. Nope! I did not try to reboot the instance.

Here is the copy of the verbose log:

    $ ssh -v -i ~/FooGen20240924.pem -o PubkeyAuthentication=no ubuntu@ec2-3-25-53-1.ap-southeast-2.compute.amazonaws.com
    OpenSSH_8.9p1 Ubuntu-3ubuntu0.4, OpenSSL 3.0.2 15 Mar 2022
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
    debug1: /etc/ssh/ssh_config line 21: Applying options for *
    debug1: Connecting to ec2-3-25-53-1.ap-southeast-2.compute.amazonaws.com [3.25.53.1] port 22.
    debug1: Connection established.
    debug1: identity file /home/fubar002/FooGen20240924.pem type -1
    debug1: identity file /home/fubar002/FooGen20240924.pem-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4
    debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.10
    debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.10 pat OpenSSH* compat 0x04000000
    debug1: Authenticating to ec2-3-25-53-1.ap-southeast-2.compute.amazonaws.com:22 as 'ubuntu'
    debug1: load_hostkeys: fopen /home/fubar002/.ssh/known_hosts2: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: curve25519-sha256
    debug1: kex: host key algorithm: ssh-ed25519
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: SSH2_MSG_KEX_ECDH_REPLY received
    debug1: Server host key: ssh-ed25519 SHA256:ItDOyOF+J3jPI6hXTkTxMjFdUPO5bfMsAScEC9n4MSg
    debug1: load_hostkeys: fopen /home/fubar002/.ssh/known_hosts2: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
    debug1: Host 'ec2-3-25-53-1.ap-southeast-2.compute.amazonaws.com' is known and matches the ED25519 host key.
    debug1: Found key in /home/fubar002/.ssh/known_hosts:1
    debug1: rekey out after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: rekey in after 134217728 blocks
    debug1: Will attempt key: /home/fubar002/FooGen20240924.pem explicit
    debug1: SSH2_MSG_EXT_INFO received
    debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
    debug1: kex_input_ext_info: publickey-hostbound@openssh.com=<0>
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: No more authentication methods to try.
    ubuntu@ec2-3-25-53-1.ap-southeast-2.compute.amazonaws.com: Permission denied (publickey).

2 Answers
3

Hello.

Permission denied (publickey).

Check Key Permissions

Ensure your private key file has the correct permissions.

    chmod 400 path-to-your-key.pem

https://repost.aws/knowledge-center/ec2-linux-ssh-troubleshooting

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html

EXPERT
answered a year ago
EXPERT
reviewed a year ago
  • Yes, this is what I have done probably a dozen times. But it did not make any change. I meant that in item 3 above. My ".pem" file shows the permission as follows:

    -r-------- 1 fubar002 fubar002 1678 Sep 24 16:36 /home/fubar002/FooGen20240924.pem

0

Using -o PubkeyAuthentication=no literally tells it not to let you in with an SSH key, so remove that from the test.

You say newly created key. Did you create the EC2 instance after creating the key and specify the new key? The SSH key is only injected into the instance once when it is created (on first boot). Instances are not updated to use new keys that you create later.

Are you sure about the username for the image? I see you are using ubuntu, which is the default user for Ubuntu published images. Just to double check, most other images use the user ec2-user. Make sure you are trying the connection with the correct username.

Hope some of this helps!

AWS
EXPERT
answered a year ago
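The effect of `-o PubkeyAuthentication=no` can be read straight off a client log. The following is an added example, not part of the answer above or of AWS documentation, that classifies `ssh -v` output by whether a key was ever presented to the server; the function names and the second sample log are constructed for illustration.

```shell
# Classify an `ssh -v` client log read on stdin by how far public-key auth got.
# triage_ssh_log and the sample_* functions are hypothetical names for this example.
triage_ssh_log() {
    log=$(cat)
    has() { printf '%s\n' "$log" | grep -Eq "$1"; }
    if has 'Authenticated to .* using "publickey"'; then
        echo authenticated
    elif ! has 'Permission denied \(publickey'; then
        echo inconclusive
    elif has 'debug1: (Offering public key|Trying private key):'; then
        # A key was presented and refused: its public half is not in the
        # login user's ~/.ssh/authorized_keys (or the username is wrong).
        echo key-rejected
    else
        # The client gave up without presenting any key, e.g. because
        # PubkeyAuthentication=no was set on the command line or in ssh_config.
        echo no-key-offered
    fi
}

# Excerpt of the log posted in the question (client run with PubkeyAuthentication=no).
sample_question_log() {
    cat <<'EOF'
debug1: Will attempt key: /home/fubar002/FooGen20240924.pem explicit
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
ubuntu@ec2-3-25-53-1.ap-southeast-2.compute.amazonaws.com: Permission denied (publickey).
EOF
}

# Constructed log (not from the page): a key is presented and the server refuses it.
sample_rejected_log() {
    cat <<'EOF'
debug1: Will attempt key: /home/user/example.pem explicit
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/user/example.pem
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
user@host.example: Permission denied (publickey).
EOF
}

sample_question_log | triage_ssh_log   # no-key-offered
sample_rejected_log | triage_ssh_log   # key-rejected
```

Only a `key-rejected` result says anything about the instance's `authorized_keys`; `no-key-offered` is a client-side condition and has to be cleared first.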
  • Oh... are you sure saying that: "The SSH key is only injected into the instance once when it is created (on first boot). Instances are not updated to use new keys that you create later."

    I believe you are not correct above. Granted, I have no rich experience using AWS, but I have created Keypairs a couple of times after I started my instance. The only thing I had to be concerned about was making sure the instances had an inbound rule for port 22 with my IP addresses.

    I did use them with no trouble at all without doing anything. Can anyone please confirm if iBehr is right?

  • https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/replacing-key-pair.html

    You can change the key on the instance if you choose, but it is not re-injected when you add keypairs in the console.

    To add or replace a key pair

    1. Create a new key pair using the Amazon EC2 console or a third-party tool.
    2. Retrieve the public key from your new key pair. For more information, see Retrieve the public key material.
    3. Connect to your instance using your existing private key.
    4. Using a text editor of your choice, open the .ssh/authorized_keys file on the instance. Paste the public key information from your new key pair underneath the existing public key information. Save the file.
    5. Disconnect from your instance, and test that you can connect to your instance using the new private key file.
    6. (Optional) If you're replacing an existing key pair, connect to your instance and delete the public key information for the original key pair from the .ssh/authorized_keys file.
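Step 4 of the procedure above as a repeatable script, added here as an example and not taken from the AWS documentation. `add_authorized_key` is a hypothetical helper, the key lines are constructed placeholders, and the demo writes to a scratch directory rather than a real `~/.ssh`.

```shell
# add_authorized_key FILE 'TYPE BLOB COMMENT'  (hypothetical helper)
# Appends the public key only if its base64 blob is not already listed, and
# sets the modes sshd's StrictModes check expects on ~/.ssh and the file.
# For step 2, `ssh-keygen -y -f new-key.pem` prints the public key line.
add_authorized_key() {
    file=$1 pubkey=$2
    blob=$(printf '%s\n' "$pubkey" | awk '{print $2}')
    [ -n "$blob" ] || { echo "not a public key line" >&2; return 2; }
    dir=$(dirname "$file")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$file" && chmod 600 "$file"
    # Compare against every field so entries with leading options still match.
    if awk -v b="$blob" '{for(i=1;i<=NF;i++) if($i==b) f=1} END{exit !f}' "$file"; then
        echo already-present
    else
        # If the last line has no trailing newline, add one so keys do not merge.
        [ -z "$(tail -c 1 "$file")" ] || echo >> "$file"
        printf '%s\n' "$pubkey" >> "$file"
        echo added
    fi
}

# Demo on a scratch directory with constructed (non-functional) key lines.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/.ssh"
printf '%s' 'ssh-rsa AAAAB3CONSTRUCTEDOLD old-key' > "$demo_dir/.ssh/authorized_keys"
new_key='ssh-ed25519 AAAAC3CONSTRUCTEDNEW new-key'
add_authorized_key "$demo_dir/.ssh/authorized_keys" "$new_key"   # added
add_authorized_key "$demo_dir/.ssh/authorized_keys" "$new_key"   # already-present
```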
