I encountered the permission denied error while trying to SSH into my AWS EC2 instance (CentOS) with a valid private key (.pem) file using Git Bash on Windows. Debug logs are given below.
OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to ec2-#####.ap-south-1.compute.amazonaws.com [####] port 22.
debug1: Connection established.
debug1: identity file mbrace.pem type -1
debug1: identity file mbrace.pem-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to ec2-13-126-107-143.ap-south-1.compute.amazonaws.com:22 as 'centos'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:5Qu3MuE9zz27Ywx1d+dQyZwaC8KN/khaRLIRSUVLZ6s
debug1: Host 'ec2-13-126-107-143.ap-south-1.compute.amazonaws.com' is known and matches the ECDSA host key.
debug1: Found key in /c/Users/####/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: mbrace.pem explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Trying private key: mbrace.pem
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: No more authentication methods to try.
centos@ec2-######.ap-south-1.compute.amazonaws.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
As another reference, the contents of the known_hosts file are given below.
.ssh/config/known_hosts
ec2-13-126-107-143.ap-south-1.compute.amazonaws.com,13.126.107.143 ecdsa-sha2-nistp256
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlz..........
Update
On advice from VONC, created a new key pair using the ssh-keygen tool, which generated a .pub file, and subsequently imported the key to AWS EC2 successfully. On trying the command again, permission denied is the same result, though the logs change a bit. Here are the logs:
$ ssh -i "C:/Users/mbrace/.ssh/mbrace2.pem" centos@ec2-13-126-107-143.ap-south-1.compute.amazonaws.com -v
OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to ec2-13-126-107-143.ap-south-1.compute.amazonaws.com [13.126.107.143] port 22.
debug1: Connection established.
debug1: identity file C:/Users/mbrace/.ssh/mbrace2.pem type -1
debug1: identity file C:/Users/mbrace/.ssh/mbrace2.pem-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to ec2-13-126-107-143.ap-south-1.compute.amazonaws.com:22 as 'centos'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:5Qu3MuE9zz27Ywx1d+dQyZwaC8KN/khaRLIRSUVLZ6s
debug1: Host 'ec2-13-126-107-143.ap-south-1.compute.amazonaws.com' is known and matches the ECDSA host key.
debug1: Found key in /c/Users/mbrace/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: C:/Users/mbrace/.ssh/mbrace2.pem explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Trying private key: C:/Users/mbrace/.ssh/mbrace2.pem
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: No more authentication methods to try.
centos@ec2-13-126-107-143.ap-south-1.compute.amazonaws.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Tried all methods given in the forum, including changing permissions of the .ssh folder and .pem file, but to no avail. Do guide us as to where we are going wrong.
Update 2
Just as you mentioned, recreated the key without any extension ("mbrace2") and imported the .pub key to EC2 successfully under "key pairs". Now when we try to SSH into the server again, we encounter the same error (permission denied). Based on other answers, I also tried changing permissions of the key to 400, 500, 600 but there was no change in the status.
Also, when we add this code ^^^ (.no pub) at the end, it gives me this error:
bash: syntax error near unexpected token `('. So had to run the earlier said command without it.
Do guide us as to where we are going wrong.
Update 3
As asked by you, here is the command and its corresponding output.
The Command
$ ssh -i "C:/Users/mbrace/.ssh/mbrace2" centos@ec2-13-126-107-143.ap-south-1.compute.amazonaws.com -Tv
The Output
OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to ec2-13-126-107-143.ap-south-1.compute.amazonaws.com [13.126.107.143] port 22.
debug1: Connection established.
debug1: identity file C:/Users/mbrace/.ssh/mbrace2 type 0
debug1: identity file C:/Users/mbrace/.ssh/mbrace2-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to ec2-13-126-107-143.ap-south-1.compute.amazonaws.com:22 as 'centos'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:5Qu3MuE9zz27Ywx1d+dQyZwaC8KN/khaRLIRSUVLZ6s
debug1: Host 'ec2-13-126-107-143.ap-south-1.compute.amazonaws.com' is known and matches the ECDSA host key.
debug1: Found key in /c/Users/mbrace/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: C:/Users/mbrace/.ssh/mbrace2 RSA SHA256:+47/xVuTP15NDpN+2OZbSOIfQ9umTAi6P+i8vufO6q8 explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Offering public key: C:/Users/mbrace/.ssh/mbrace2 RSA SHA256:+47/xVuTP15NDpN+2OZbSOIfQ9umTAi6P+i8vufO6q8 explicit
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: No more authentication methods to try.
centos@ec2-13-126-107-143.ap-south-1.compute.amazonaws.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Will attempt key: mbrace.pem explicit
That means you have a /c/Users/####/.ssh/config file which does explicitly reference, in an IdentityFile field, the mbrace.pem file.
You need to make sure, following "EC2: Connect to your Linux instance using SSH", that (to emulate ssh -i /path/my-key-pair.pem my-instance-user-name@my-instance-public-dns-name):
the remote user (field User in the SSH config file) is the correct one (my-instance-user-name)
the key (private mbrace.pem in IdentityFile) is referenced through its full path (~/.ssh/mbrace.pem works, even on Windows)
the matching public key is visible in the .ssh/authorized_keys file on the instance.
the inbound SSH traffic from your IP address to your instance is enabled
To test a new key, you need to use its private key:
ssh -i "C:/Users/mbrace/.ssh/mbrace2" my-instance-user-name@my-instance-public-dns-name -v
^^^ (no .pub)
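The Update 3 log shows the client offering a key with a SHA256 fingerprint and the server declining it, so the checklist item to verify is whether that fingerprint appears in the remote user's authorized_keys. The following is an added example, not code from the original posts: it computes the same fingerprint format from authorized_keys lines and looks for a match. The function names and the sample keys are constructed for illustration.

```python
import base64
import binascii
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': uint32 length + data."""
    return struct.pack(">I", len(data)) + data


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form printed by ssh -v and ssh-keygen -l."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_authorized_keys(text: str):
    """Return [(line_no, key_type, fingerprint, comment)] for valid key lines."""
    entries = []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options (command="...", no-pty, ...) may precede the key type, so
        # accept the first token pair whose blob names the same key type.
        for i in range(len(fields) - 1):
            key_type, b64 = fields[i], fields[i + 1]
            try:
                blob = base64.b64decode(b64, validate=True)
            except (binascii.Error, ValueError):
                continue
            if blob.startswith(ssh_string(key_type.encode())):
                comment = " ".join(fields[i + 2:])
                entries.append((line_no, key_type, fingerprint(blob), comment))
                break
    return entries


def lines_matching(text: str, offered_fp: str):
    """Lines of authorized_keys whose key has the fingerprint the client offered."""
    return [(n, c) for n, _t, fp, c in parse_authorized_keys(text) if fp == offered_fp]


def sample_key(seed: int) -> str:
    # Constructed, not a real key: 32 repeated bytes in an ssh-ed25519 blob.
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes([seed]) * 32)
    return base64.b64encode(blob).decode("ascii")


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for this example",
    "ssh-ed25519 " + sample_key(1) + " alice@laptop",
    'command="/usr/bin/true",no-pty ssh-ed25519 ' + sample_key(2) + " deploy",
    "ssh-rsa not-base64!! broken-entry",
])

if __name__ == "__main__":
    offered = "SHA256:+47/xVuTP15NDpN+2OZbSOIfQ9umTAi6P+i8vufO6q8"  # from the Update 3 log
    for entry in parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(entry)
    print("offered key authorized:", bool(lines_matching(SAMPLE_AUTHORIZED_KEYS, offered)))
```

An empty match list for the offered fingerprint means the server has no reason to accept that key for that user, whatever the file permissions on the client side are.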
I tried to SSH to a remote Linux server with username and password on my Mac. But it shows the following mistake. It seems that it tries to log in with RSA keys. But I want to log in with a password. (I can successfully log in with a password in Xshell on Windows.)
SSH command:
ssh -v -p 10022 qhdxliy@42.123.106.11
Debugging output:
OpenSSH_7.5p1, LibreSSL 2.5.4
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 52: Applying options for *
debug1: Connecting to 42.123.106.11 [42.123.106.11] port 10022.
debug1: Connection established.
debug1: identity file /Users/zhaokai/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/zhaokai/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/zhaokai/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/zhaokai/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/zhaokai/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/zhaokai/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/zhaokai/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/zhaokai/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.5
debug1: Remote protocol version 2.0, remote software version OpenSSH_100.0
debug1: match: OpenSSH_100.0 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 42.123.106.11:10022 as 'qhdxliy'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<3072<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:iqMu6xmkaocbmHW4ejr0REqMGiIBVgaBz4CkocSwopI
debug1: Host '[42.123.106.11]:10022' is known and matches the RSA host key.
debug1: Found key in /Users/zhaokai/.ssh/known_hosts:7
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/zhaokai/.ssh/id_rsa
Authentication failed.
The password auth is tried after the public key. If you don't want your ssh client to try your public key first, use the PreferredAuthentications option, i.e.
ssh -o "PreferredAuthentications=password" [other options... ]
Source: the AUTHENTICATION section of ssh's manual page states:
The methods available for authentication are: GSSAPI-based authentication, host-based authentication, public key authentication, challenge-response authentication, and password authentication.
Authentication methods are tried in the order specified above, though PreferredAuthentications can be used to change the default order.
I am trying to set up a git server on my local Mac machine.
I followed the steps mentioned in the link.
But somehow, even though I am able to ping the machine, when I try to connect to the machine using ssh git@ip_address.com, it gives the error "Permission denied (public key)".
I am not able to find an answer for this error.
If someone has faced the issue and has a solution, please let me know.
Thanks in advance.
My command line data:
Kaustubhs-Pro:~ kaustubh$ ssh git@192.168.43.115 -v
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to 192.168.43.115 [192.168.43.115] port 22.
debug1: Connection established.
debug1: identity file /Users/kaustubh/.ssh/id_rsa type 1
debug1: identity file /Users/kaustubh/.ssh/id_rsa-cert type -1
debug1: identity file /Users/kaustubh/.ssh/id_dsa type -1
debug1: identity file /Users/kaustubh/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA b2:59:8a:cc:f8:1a:76:8f:2a:6f:f5:a1:2b:f1:ff:10
debug1: Host '192.168.43.115' is known and matches the RSA host key.
debug1: Found key in /Users/kaustubh/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/kaustubh/.ssh/my_git_key
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /Users/kaustubh/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/kaustubh/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey).
You have no valid key in your actual user kaustubh that can be used for the SSH auth. So add your public key to the authorized_keys of your GIT user.
So you can use
ssh-copy-id git@192.168.43.115
to add your actual public key to the git authorized keys. You have to log in with username and password the first time.
Trying to deploy my first web app and am having difficulty with SSH into AWS. When I enter:
ssh -v -i ec2-myportfolio.pem root@ec2-23-23-165-24.compute-1.amazonaws.com
I get Permission denied(public key). I looked at a couple of the other responses on Stack Overflow like this and this, but neither resolved the issue. Below is the error I get. Thanks in advance for the help.
OpenSSH_5.6p1, OpenSSL 0.9.8r 8 Feb 2011
Warning: Identity file ec2-myportfolio.pem not accessible: No such file or directory.
debug1: Reading configuration data /etc/ssh_config
debug1: Applying options for *
debug1: Connecting to ec2-23-23-165-24.compute-1.amazonaws.com [23.23.165.24] port 22.
debug1: Connection established.
debug1: identity file /Users/jonathanschen/.ssh/id_rsa type 1
debug1: identity file /Users/jonathanschen/.ssh/id_rsa-cert type -1
debug1: identity file /Users/jonathanschen/.ssh/id_dsa type -1
debug1: identity file /Users/jonathanschen/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'ec2-23-23-165-24.compute-1.amazonaws.com' is known and matches the RSA host key.
debug1: Found key in /Users/jonathanschen/.ssh/known_hosts:8
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/jonathanschen/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/jonathanschen/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey).
Jonathans-MacBook-Air-2:downloads jonathanschen$
I think your problem is in this line:
Warning: Identity file ec2-myportfolio.pem not accessible: No such file or directory.
Are you using the proper path reference and file name in your ssh command?
When trying to connect to EC2 over SSH I get the following error:
joshua-scotts-macbook-pro:.ec2 joshuascott$ ssh -v -i OFMoodle root@ec2-xxx-xxx-xxxx.compute-1.amazonaws.com
OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to ec2-xxx-xxx-xxx-xx.compute-1.amazonaws.com [xxx.xxx.xxx.xxx] port 22.
debug1: Connection established.
debug1: identity file OFMoodle type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.7
debug1: match: OpenSSH_4.7 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'ec2-xxx-xxx-xxx.compute-1.amazonaws.com' is known and matches the RSA host key.
debug1: Found key in /Users/joshuascott/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Offering public key: pk-xxxxxxxxxxxxxxxxxxxxxxxx.pem
debug1: Authentications that can continue: publickey,gssapi-with-mic
debug1: Trying private key: OFMoodle
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,gssapi-with-mic
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic).
I am completely at a loss. I have several other instances that I can connect to without any problem.
At first I'd make sure the user is really root and not ubuntu or ec2-user.
Otherwise, it could be that the permissions on .ssh/ and .ssh/authorized_keys are borked.
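The answers on this page each read one signal out of the `ssh -v` output: an identity file that is not accessible, a key the server declines for the given user, or password authentication that is allowed but never attempted. The following is an added example, not code from the original posts: it extracts those signals from a debug log. The function name and the sample logs are constructed for illustration, and paths containing spaces are not handled.

```python
import re

OFFER = re.compile(r"(?:Offering (?:\w+ )?public key|Trying private key): (\S+)")


def triage(log: str) -> dict:
    """Summarise why an `ssh -v` session ended without authenticating."""
    r = {"user": None, "missing": [], "methods": [], "tried": [],
         "rejected": [], "accepted": [], "findings": []}
    pending = None  # key offered to the server, outcome not yet seen
    for raw in log.splitlines():
        line = re.sub(r"^debug\d: ", "", raw.strip())
        outcome = None
        if m := re.match(r"Warning: Identity file (\S+) not accessible", line):
            r["missing"].append(m.group(1))
        elif m := re.match(r"Authenticating to \S+ as '([^']+)'", line):
            r["user"] = m.group(1)
        elif m := re.match(r"Next authentication method: (\S+)", line):
            r["tried"].append(m.group(1))
        elif m := OFFER.match(line):
            pending = m.group(1)
        elif line.startswith(("Server accepts key", "Authentication succeeded")):
            outcome = "accepted"
        elif m := re.match(r"Authentications that can continue: (\S+)", line):
            # The server listing its methods again means the last key was declined.
            r["methods"], outcome = m.group(1).split(","), "rejected"
        elif "Authentication failed" in line or "Permission denied" in line:
            outcome = "rejected"
        if outcome and pending:
            r[outcome].append(pending)
            pending = None
    who = r["user"] or "the remote user"
    r["findings"] += [f"identity file {p} not found: fix the -i path" for p in r["missing"]]
    r["findings"] += [f"server rejected {k} for {who}: check the user name and "
                      "that user's authorized_keys" for k in r["rejected"]]
    if "password" in r["methods"] and "password" not in r["tried"]:
        r["findings"].append("password allowed but never tried: "
                             "use -o PreferredAuthentications=password")
    return r


# Constructed logs, shortened and modelled on the sessions quoted on this page.
LOG_BAD_PATH = """\
Warning: Identity file ec2-myportfolio.pem not accessible: No such file or directory.
debug1: Offering RSA public key: /Users/user/.ssh/id_rsa
debug1: Authentications that can continue: publickey
Permission denied (publickey).
"""
LOG_REJECTED = """\
debug1: Authenticating to host.example:22 as 'centos'
debug1: Offering public key: C:/Users/mbrace/.ssh/mbrace2 RSA SHA256:(constructed) explicit
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
"""
LOG_PASSWORD = """\
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/user/.ssh/id_rsa
Authentication failed.
"""

if __name__ == "__main__":
    for sample in (LOG_BAD_PATH, LOG_REJECTED, LOG_PASSWORD):
        print(triage(sample)["findings"])
```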