
Permission denied (publickey,gssapi-keyex,gssapi-with-mic). when using putt

0

Team

I have created public and private instances using the same key. I am able to connect to the public instance using PuTTY from Windows. After I log in to the public instance, I am able to ping the private instance IP address without any issue. But when I try to ssh to the private instance from the public instance, I get the following error:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
I am stuck at this step and unable to find any suitable solution on the internet.
Anyone who can help me move forward is much appreciated.

Thanks
Chandra

asked 3 years ago · 2832 views
6 Answers
0

Hi Chandra, please double check that the **.pem file that you are using on your public EC2 instance matches the exact same contents as the **.pem file you used to generate the **.ppk file for Putty on your Windows box (i.e. the **.pem file starts with "---BEGIN RSA PRIVATE KEY---" and ends with "---END RSA PRIVATE KEY---"). If they are the same, launch another EC2 instance into the private subnet and see if you can SSH into that box (i.e. perhaps you accidentally selected the wrong key pair for the EC2 instance on the private subnet?). If both of those fail, please cut/paste the error output from the ssh command.
-randy

answered 3 years ago
0

That being said, storing the private SSH key (especially the same one used to access your bastion) on your bastion host in a production environment is not a good security practice.
https://aws.amazon.com/es/blogs/security/securely-connect-to-linux-instances-running-in-a-private-amazon-vpc/

answered 3 years ago
0

Hi

Once I restarted both the private and public instances, I was able to SSH. Not sure what the issue was in the first place.
[ec2-user@ip-10-x-x-1x3 ~]$ ssh ec2-user@1x.x.1.x8x
The authenticity of host '1x.x.1.x8x (1x.x.1.x8x)' can't be established.
ECDSA key fingerprint is SHA256:6ZUOgbGau0TPbhRtqfSnTtAB4aXLONW3ZQaWw02QLxE.
ECDSA key fingerprint is MD5:cc:0a:f5:b4:e1:61:6e:84:e8:75:7d:04:75:af:f1:3f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.1.184' (ECDSA) to the list of known hosts.

   __|  __|_  )  
   _|  (     /   Amazon Linux 2 AMI  
  ___|\___|___|  

Can you throw light on what could be the issue?

Thanks
Chandra

answered 3 years ago
0

Hi Chandra, in your original message, you stated that you created both EC2 instances with the same key.

You will get the error message that you specified when you don't include the private key when logging into your private EC2 instance.
i.e. change ssh ec2-user@1x.x.1.x8x
needs to be something like: ssh -i MyEC2KP.pem ec2-user@1x.x.1.x8x

You will need to create the .pem file on your public machine (bad security practice, but just so that you can get it to work)
sudo chmod 400 on the .pem file
and then run the ssh command to the private instance
You can see my "reproducing" of the error, and getting it to work below...

rtakeshi@DESKTOP-OT2QIS0:~$ ssh -i "MyEC2KP.pem" ec2-user@ec2-3-93-232-168.compute-1.amazonaws.com
The authenticity of host 'ec2-3-93-232-168.compute-1.amazonaws.com (3.93.232.168)' can't be established.
ECDSA key fingerprint is SHA256:xxxxxxxxxxx+OqawclOaMv//1sZtopOXjC8YkH0o0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ec2-3-93-232-168.compute-1.amazonaws.com,3.93.232.168' (ECDSA) to the list of known hosts.

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-ami/2018.03-release-notes/
19 package(s) needed for security, out of 28 available
Run "sudo yum update" to apply all updates.
[ec2-user@ip-10-192-10-25 ~]$ ssh ec2-user@10.192.11.93
The authenticity of host '10.192.11.93 (10.192.11.93)' can't be established.
ECDSA key fingerprint is SHA256:hfxxxxxxxxxxxxxxxxxSHGe5mL0.
ECDSA key fingerprint is MD5:xxxxxxxxxxxxxxxxxxxxxxxx3:c2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.192.11.93' (ECDSA) to the list of known hosts.
Permission denied (publickey).
[ec2-user@ip-10-192-10-25 ~]$ ls
[ec2-user@ip-10-192-10-25 ~]$ vi MyEC2KP.pem
[ec2-user@ip-10-192-10-25 ~]$ sudo chmod 400 MyEC2KP.pem
[ec2-user@ip-10-192-10-25 ~]$ ssh -i MyEC2KP.pem ec2-user@10.192.11.93

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-ami/2018.03-release-notes/
[ec2-user@ip-10-192-11-93 ~]$

Let me know if that makes sense.
-randy

Edited by: rtakeshi on Jul 31, 2019 1:41 AM

answered 3 years ago
0

Hello, I know this is an old thread, but I have the same issue.
Even if both EC2 instances are on the same subnet.
Is there another way to do this? Copying the public key to the EC2 instance every time is not very comfortable.
Thank you.

Edited by: lukian777 on Apr 16, 2021 5:20 AM

answered a year ago
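
An added example, not part of any post in this thread: one way to reach the private instance without creating a .pem file on the public instance, as the earlier answer about bastion key storage recommends. It assumes an OpenSSH 7.3 or later client on the workstation (ProxyJump); the function name, the host aliases `bastion` and `private`, and the addresses and key path passed in are placeholders.

```shell
#!/bin/sh
# Added example: write a client-side ssh_config file that reaches the private
# instance through the bastion with ProxyJump. Both logins are authenticated
# from the workstation, so the private key never leaves it.
# Arguments (all supplied by the caller, hypothetical values in the usage):
#   $1 output file, $2 bastion public address, $3 private IP, $4 key path
write_jump_config() {
    out=$1 bastion=$2 private_ip=$3 key=$4
    (
        umask 077   # new file is created readable by the owner only
        cat > "$out" <<EOF
# Public instance (bastion). No agent forwarding: nothing on the bastion
# can use the workstation's key.
Host bastion
    HostName $bastion
    User ec2-user
    IdentityFile $key
    IdentitiesOnly yes
    ForwardAgent no

# Private instance, tunnelled through the bastion. IdentityFile is read on
# the workstation, not on the bastion.
Host private
    HostName $private_ip
    User ec2-user
    IdentityFile $key
    IdentitiesOnly yes
    ProxyJump bastion
EOF
    )
    chmod 600 "$out"
}
```

After `write_jump_config jump.conf <bastion-address> <private-ip> ~/.ssh/MyEC2KP.pem`, connect with `ssh -F jump.conf private`.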
0

I tried to create the .pem file with the vi command, but it said this when I ran ssh: 'Enter passphrase for key 'Abc.pem': '. What should I do?

Thank you very much.

answered 5 months ago
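
An added example, not part of any post in this thread: a check for a PEM private key that was pasted into an editor, covering the points raised above (BEGIN/END lines intact, `chmod 400`) plus the usual paste problems that leave ssh unable to read the file. The function name `check_pem` and the finding labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: sanity-check a pasted PEM private key file.
# Prints the findings on one line; returns 0 only if there are none.
check_pem() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 2; }
    findings=""
    cr=$(printf '\r')
    body=$(tr -d '\r' < "$f")
    first=$(printf '%s\n' "$body" | head -n 1)
    last=$(printf '%s\n' "$body" | grep -v '^[[:space:]]*$' | tail -n 1)

    # A truncated paste usually loses the first or last line.
    case $first in
        "-----BEGIN "*"PRIVATE KEY-----") ;;
        *) findings="$findings bad-header" ;;
    esac
    case $last in
        "-----END "*"PRIVATE KEY-----") ;;
        *) findings="$findings bad-footer" ;;
    esac
    # Windows line endings carried over from a copy/paste.
    if grep -q "$cr" "$f"; then findings="$findings crlf"; fi
    # Indented lines, e.g. from editor auto-indent during the paste.
    if printf '%s\n' "$body" | grep -q '^[[:space:]][[:space:]]*[^[:space:]]'; then
        findings="$findings indented"
    fi
    # Markers of a key that really is passphrase-protected.
    if printf '%s\n' "$body" | grep -q -e '^Proc-Type: 4,ENCRYPTED' \
                                       -e 'BEGIN ENCRYPTED PRIVATE KEY'; then
        findings="$findings encrypted"
    fi
    # OpenSSH refuses private keys accessible to group or others.
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        findings="$findings loose-perms"
    fi
    echo "${findings# }"
    [ -z "$findings" ]
}
```

If the only finding is `encrypted`, the passphrase prompt is genuine; any other finding means the file on disk differs from the key that was downloaded.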
