I'm performing:
# copy public key to other hosts
for host in ec2-master.eu-west-1.compute.amazonaws.com \
ec2xxx.compute.amazonaws.com \
ec2xxx.compute.amazonaws.com; \
do ssh-copy-id -i ~/.ssh/id_rsa.pub $host; \
done
So I try to copy the key I've generated on ec2-master.eu-west-1.compute.amazonaws.com to the other servers.
But I still get
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
The authenticity of host 'ec2xxx.eu-west-1.compute.amazonaws.com (10.0.xx.xx)' can't be established.
ECDSA key fingerprint is 3a:63xx:a6:19:xx:23:d1:xx:06:22:xx:a0:b9:8c:xx:cf.
Are you sure you want to continue connecting (yes/no)?
So I got a permission denied. But I don't know why. What am I doing wrong?
Try changing the ssh-copy-id command to:
ssh-copy-id -i ~/.ssh/id_rsa.pub ec2-user#$host
(assuming you're using Amazon Linux -- use ubuntu as the user if you are using Ubuntu)
Update:
I think the problem may be because you are trying to copy a new key over to a host that only accepts logins using an existing key (no passwords allowed).
I couldn't get this to work with ssh-copy-id, but you can do it with a standard ssh command:
cat ~/.ssh/id_rsa.pub | ssh -i AWS_key.pem centos#$host "cat - >> ~/.ssh/authorized_keys"
Where AWS_key.pem is the private part of the key pair that AWS attached to your instance when you launched it.
SSH is trying to tell you that authentication into your hosts has failed and what authentication methods were tried.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
This is what the (publickey,gssapi-keyex,gssapi-with-mic) portion of the log output is telling you.
It is telling you it attempted to authenticate against publickey, gssapi-keyex, and gssapi-with-mic authentication methods.
Typically you or AWS provide an ssh keypair to be used prelaunch setup.
The sshd config is also set to authenticate using the keypairs (public + private key = Public Key Encryption hence publickey mentioned in the ssh log).
Therefore, your command
ssh-copy-id -i ~/.ssh/id_rsa.pub $host;
is wrong for a few reasons.
You don't specify a specific user to login against unless the username of your local host matches your remote machine (for AWS the user could be ec2-user, centos, ubuntu, etc
Even if the usernames were to match correctly, since AWS effectively (I am not familiar with GSSAPI) only enables ssh keypair authentication, you would only be able to login with the private key chosen or generated at EC2 instance creation.
If there were some alternative authentication mechanism configured on the host i.e. user:password then you would be able to run a modified version of the command.
REMOTE_USER=ec2-user
...
do ssh-copy-id -i ~/.ssh/id_rsa.pub $REMOTE_USER#$host
However, you would be prompted for a user/password each time.
Note The above command assumes you have enabled a user/pass authentication mechanism (Could be temporarily). However, for just 3 hosts I might just manually install the keypair at this point.
The language from the "Copy the key to a server" from sshd.com seems to imply that password-based authentication is enabled initially on the hosts.
"Once an SSH key has been created, the ssh-copy-id command can be used to install it as an authorized key on the server. Once the key has been authorized for SSH, it grants access to the server without a password."
I use this script and it works for me:
Сan you try this
for host in ${hosts[*]}
do
echo $host
ssh-keyscan $host | tee -a ~/.ssh/known_hosts
sshpass -p 'mypass' ssh-copy-id myuser#$host
done
I've setup ssh keys form server A to server B and I can login to server B without a password. I'm trying to setup a reverse ssh tunnel in a bash script. From the command line if I do
ssh -N -R 1234:localhost:22 user#mydomain.co.uk -p 22
form server A it works as expected i.e no password required, however if I use it in a script
#!/bin/bash
/usr/bin/ssh -N -R 1234:localhost:22 user#mydomain.co.uk -p 22
I get asked for the password
user#mydomain.co.uk's password:
How do I make it so it uses the keys?
You need to let ssh know where it should search for the keys, if they are not in standard location and not passphrase protected. The easiest thing is by specifying -i switch directly to ssh:
/usr/bin/ssh -i /path/to/key -N -R 1234:localhost:22 user#mydomain.co.uk -p 22
Or cleaner way in your ~/.ssh/config like this:
Host mydomain.co.uk
IdentityFile /path/to/key
But make sure the script is run with your user context, so the script will see the configuration file.
If you have keys in standard location (~/.ssh/id_rsa), your code should work just fine. Although it should work if you have your keys stored in ssh-agent, which you can verify using ssh-add -L before starting the script. ssh-agent also solve the problem, if he keys are passphrase protected.
I've installed multinode cluster of hadoop. Now I am trying to do passwordless ssh access to slave. i.e. my problem is that,when I start services from master it asks me password to start every service, and takes much time to start it.If anyone has solution then please help me
You have to generate and copy RSA key from Namenode to all the Datanodes.
user#namenode:~> ssh-keygen -t rsa
Just press 'Enter' for any passphrase
user#namenode:~> ssh user#datanode mkdir -p .ssh
user#datanode's password:
Finally append namenode's new public key to user#datanode:.ssh/authorized_keys and enter datanode's password one last time:
user#namenode:~> cat .ssh/id_rsa.pub | ssh user#datanoe 'cat >> .ssh/authorized_keys'
user#datanode's password:
You can test by
user#namenode:~> ssh user#datanode
I have an sftp connection to a server in Unix.
Without password, I use the syntax to connect and execute command
sftp -b $user#$server_name
Can anyone suggest me how can I write a shell script to connect a remote server non interactively using a password
Try with this below option,
lftp -u $user,$pass sftp://$host << --EOF--
cd $directory
put $srcfile
quit
--EOF--
You could use ~/.ssh/config file.
#
# ~/.ssh/config
#
Host servername
Hostname 127.127.127.127
Port 22
User root
#EOF: config
Then simply connect with "ssh servername" and if you don't want to use password you can use SSH key. Here is good tutorial on how to do that > http://www.cyberciti.biz/tips/linux-multiple-ssh-key-based-authentication.html
If you just want to pass user/server from terminal, you can do this.
#!/bin/bash
sftp -b "$1"#"$2"
then use it like this './sftp.sh user server'
use SCP like this;
scp -P 22 user#server:/dir/file.tgz ~/Desktop/
use SFTP like this;
sftp user#server:/dir/file.tgz ~/Desktop/file.tgz
You can also try this;
sftp user#host <<EOF
get /dir/file.tgz
rm /dir/file.tgz
EOF
The best way to do this would be to create a key pair on the client, and add the key to the target user's ~/.ssh/authorized_keys.
To create a key pair, run ssh-keygen and when it asks for a password, just hit return to indicate "no password". Then either run ssh-copy-id $user#$server_name or manually create a ~/.ssh/authorized_keys on the server and copy the contents of the ~/.ssh/id_rsa.pub from the client into it (ssh-copy-id isn't available on all machines, so on some you'll have to do it manually).
Now you should be able to run ssh or scp without a password, as it should use your key instead. If it doesn't work, make sure that the permissions on your ~/.ssh/ directory and contents are correct on both machines; the directory should be 0700 (drwx------) and the files should be 600 (-rw-------). Also check that key authentication is enabled on both the client and the server.
I am new to EC2. I created my security credentials from this site:
http://paulstamatiou.com/how-to-getting-started-with-amazon-ec2
It worked great, I rebooted and now when I try to connect I get a login/password prompt. (Which I never set up.) After several attempts I get this error:
Permission denied (publickey,gssapi-with-mic).
What am I doing wrong?
Two possibilities I can think of, although they are both mentioned in the link you referenced:
You're not specifying the correct SSH keypair file or user name in the ssh command you're using to log into the server:
ssh -i [full path to keypair file] root#[EC2 instance hostname or IP address]
You don't have the correct permissions on the keypair file; you should use
chmod 600 [keypair file]
to ensure that only you can read or write the file.
Try using the -v option with ssh to get more info on where exactly it's failing, and post back here if you''d like more help.
[Update]: OK, so this is what you should have seen if everything was set up properly:
debug1: Authentications that can continue: publickey,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Trying private key: ec2-keypair
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Are you running the ssh command from the directory containing the ec2-keypair file ? If so, try specifying -i ./ec2-keypair just to eliminate path problems. Also check "ls -l [full path to ec2-keypair]" file and make sure the permissions are 600 (displayed as rw-------). If none of that works, I'd suspect the contents of the keypair file, so try recreating it using the steps in your link.
The key for me to be able to connect was to use the "ec2-user" user rather than root. I.e.:
ssh -i [full path to keypair file] ec2-user#[EC2 instance hostname or IP address]
+1
I noticed that for some AMIs like Amazon Linux, ec2-user#xxx.XX.XX.XXX would work. But for an ubuntu image, I had to use ubuntu# instead. It was never a problem with the .pem, just with the user name.
In my case it's because the permission for my home directory is 775, and SSH is not happy about it. It should work after executing:
server$ chmod go-w ~/
server$ chmod 700 ~/.ssh
server$ chmod 600 ~/.ssh/authorized_keys
I had very similar experience this afternoon. I was setting up django on EC2, and suddenly I cannot SSH into the box anymore. Glad I still had an active connection, so I modified /etc/ssh/sshd_config to set:
PasswordAuthentication yes
and set password for ec2-user, then I can login by entering the password.
However, after some googling I found this thread: http://ubuntuforums.org/showthread.php?t=577279. It turned out that during my setup of django I changed the permission for my home directory, and SSH is very strict about this. So the file permission must be set correctly.
I had met this problem too.And I found that happend beacuse I forgot to add the user-name before the host name:
like this:
ssh -i test.pem ec2-32-122-42-91.us-west-2.compute.amazonaws.com
and I add the user name:
ssh -i test.pem ec2-user#ec2-32-122-42-91.us-west-2.compute.amazonaws.com
it works!
Tagging on to mecca831's answer:
ssh -v -i generated-key.pem ec2-user#11.11.11.11
[ec2-user#ip-11.11.11.11 ~]$ sudo passwd ec2-user
newpassword
newpassword
[ec2-user#ip-11.11.11.11 ~]$ sudo vi /etc/ssh/sshd_config
Modify the file as follows:
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no
# EC2 uses keys for remote access
#PasswordAuthentication no
Save
[ec2-user#ip-11.11.11.11 ~]$ sudo service sshd stop
[ec2-user#ip-11.11.11.11 ~]$ sudo service sshd start
you should be able to exit and ssh in as follows:
ssh ec2-user#11.11.11.11
and be prompted for password no longer needing the key.
Are you sure you have used the right instance? I ran into this problem and realized that something like 4 of the ubuntu instances i tried did not have SSH servers installed on them.
For a list of good servers see "Getting the images" about half way down. Sounds like you may be using something else... the default username is ubuntu on these images.
https://help.ubuntu.com/community/EC2StartersGuide
I was able to login using ec2-user
ssh -i [full path to keypair file] ec2-user#[EC2 instance hostname or IP address]
After about a half hour of searching and trying to debug this I was able to figure it out. My situation involved me using the same pem file for two different ec2 instance and it working for one and not the other.
My first instance it worked on was the standard aws linux ami amzn-ami-hvm-2014.03.2.x86_64-ebs. I simply used
ssh -i mypemfile.pem ec2-user#myec2ipaddress
and it worked.
I then launched a fedora instance Fedora-x86_64-19-20140407-sda and tried the same command but kept getting:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
After changing my username from ec2-user to fedora it worked!
ssh -i mypemfile.pem fedora#myec2address
None of the above helped me, but futzing with the user seemed like it had promise. For my config using 'ubuntu' was right.....
ssh -i [full path to keypair file] ubuntu#[EC2 instance hostname or IP address]
I recommend against setting a password as some other answers suggest. Using the key file is both safer (no one can guess your passwords) and more convenient (once you set up a config file). Here's a basic ~/.ssh/config:
Host my-ec2-server
HostName 11.11.11.11
User ec2-user
IdentityFile /path/to/generated-key.pem
Now you can just type ssh my-ec2-server and you're in! And as also mentioned in other answers, use -v to get extra info when your connection isn't working.
If the issue is consistent and happened about 10-15 times in a row even after changing file permissions to 400 or 600, then it is most certainly something is wrong on the ec2 instance, so to make sure:
Check the logs when you try to ssh to the instance by adding -v at the end and see either it gives out anything specific.
Make sure you use the correct name for ssh, like Ubuntu. Perhaps that depends on Linux distribution and users you added and either you've given permission for "root user" ssh.
Then if nothing helps, follow the documentation here https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html#TroubleshootingInstancesConnectingMindTerm
to fix that. It helped in my case, and it happened because of messed up directories/files permissions.
If you have a PPK file working on a PC, then export it as OpenSSH file using puttygen.exe for PC and use that on Mac (any Unix machine).
I was getting the same error --
debug1: Authentications that can continue: publickey,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Trying private key: ec2-keypair
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,gssapi-with-mic
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic)
As I was using a PPK file on Windows, I followed the steps as described above and Bingo!
$ ssh -i ec2-openssh-key root#ec2-instance-ip
I had the same problem using the AWS Toolkit for Eclipse. I created the Getting Started instance OK and opened a shell. However, the user was set to ec2-user. I used the Open Shell As... command and set the user to root. Then it worked.
Had a similar issue. Here are the steps used to setup SSH keys and forwarding on the Mac. Made these notes for myself - may help someone... check against your config.
The assumption here is there are no keys setup. If you already have the keys setup skip this section.
$ ssh‐keygen ‐t rsa ‐b 4096
Generating public/private rsa key pair.
Enter a file in which to save the key (/Users/you/.ssh/id_rsa): [Press enter]
Enter passphrase (empty for no passphrase): [Type a passphrase]
Enter same passphrase again: [Type passphrase again]
Modify ~/.ssh/config adding the entry for the key file:
~/.ssh/config should look similar to:
Host *
AddKeysToAgent yes
UseKeychain yes
IdentityFile ~/.ssh/id_rsa
Store the private key in the keychain:
$ ssh‐add ‐K ~/.ssh/id_rsa
Go test it now with: ssh -A username#yourhostname
Should forward your key to yourhostname. Assuming your keys are added on you should connect without issue.
I was getting this error when I was trying to ssh into an ec2 instance on the private subnet from the bastion, to fix this issue, you've to run (ssh-add -K) as follow.
Step 1: run "chmod 400 myEC2Key.pem"
Step 2: run "ssh-add -K ./myEC2Key.pem" on your local machine
Step 3: ssh -i myEC2Key.pem root#ec2-107-20-4-100.compute-1.amazonaws.com
Step 4: Now try to ssh to EC2 instance that is on a private subnet without specifying the key, for example, try ssh ec2-user#ipaddress.
Hope this will help.
Note: This solution is for Mac.