Here's the situation:
I generated and downloaded an ssh key as a .pem file using the EC2 console
I gave this key to my colleague with a PC and he has been able to log to the server with it just fine using PuTTY.
I have been trying for hours to figure out where to put the .pem file such that I can call
ssh -v [SERVER IP ADDRESS] -l [USERNAME]
I know that the IP address and the username are accurate because that's what my colleague is using. Where do I put the .pem file, and what permissions do I set? It seems that every tutorial on this stuff assumes you generated the key using ssh-keygen, which apparently handles all this for you, and the directions on EC2 don't tell you what to do beyond downloading the key.
My current setup is this:
I copied the text inside the .pem file and put it in ~/.ssh/id_rsa
I set the permissions to chmod 600 id_rsa
I'm geting a massive error that ends with the line "Permission denied (publickey)"
Thanks for your time.
Just use ssh -i keyfile.pem user#host.com. This will use the identity file (.pem that EC2 gave you)
Related
I have a MacBook and by mistake I tried to setup password less ssh access for GitHub and definitely messed things up. I am new to Macs and I have no idea how to solve the below.
When I try to establish a ssh connection, I get the following
###########################################################
# WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! #
###########################################################
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:DrvZ0osXO8YCnPwEaWyiGKf/SxQGcCZBoNcPrhEdKmI.
Please contact your system administrator.
Add correct host key in /Users/rakeshravi/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/rakeshravi/.ssh/known_hosts:4
RSA host key for rivanna.hpc.virginia.edu has changed and you have requested strict checking.
lost connection
From what I found in online forums, I was trying the following command but to no avail.
ssh-keygen -R hostname
I get the following as response.
do_known_hosts: hostkeys_foreach failed: No such file or directory
You can open with your favorite editor file /Users/rakeshravi/.ssh/known_hostsand delete line 4 and save the file. And next time you try to connect to the host you will be asked to add the new key to known_hosts
Add the option -o "StrictHostKeyChecking no". This will suppress any checking. Example:
ssh root#localhost -o "StrictHostKeyChecking no"
My two cents.
Other answers are fine, but here is what I did and worked fine.
Completely got rid of the following two files.
For me I am just playing with vms on azure, so its fine for me.
I've created a new NodeJS instance on Amazon Lightsail, and wish to connect to it from my Mac's command line. Not sure how to include the required SSH key in the connection command when it says Permission denied (publickey).
Go to the "SSH Keys" tab under your Lightsail Account page
Select the Default option under your region and download the key pair file
Will be a .pem file, ex. LightsailDefaultPrivateKey-us-west-2.pem
Open up your terminal and navigate to the directory where the above file is stored
Run chmod 600 [fileName] at the command line to restrict file permission so only you can read it
Run ssh -i [fileName] [username]#[Public IP] to establish the connection to Lightsail
Username and IP are available under the "Connect" tab on the Lightsail web dashboard for your resource
To use your existing ~/.ssh/id_rsa.pub
Login to the server using the browser client
Do nano ~/.ssh/authorized_keys
Get your local public key with xclip -sel clip < ~/.ssh/id_rsa.pub
Append the ~/.ssh/authorized_keys with the copied key
Restart the instance
Login locally using ssh ubuntu#[instance_public_ip]
To be able to connect to your amazon lightsail instance you need to download the key first.
Go to Accounts > SSH Keys (
https://lightsail.aws.amazon.com/ls/webapp/account/keys ) >
Download
(Make sure that you download the key for the same region where your instance is installed.)
Save it in a folder in your local machine. For Example- "Desktop > keys"
Open the terminal and navigate to the directory where the key is stored(cd desktop/keys )
Enter this command in terminal: chmod 600 keyfilename.pem (replace keyfile name with your actual key name e.g chmod 600 LightsailDefaultKey-eu-west-2.pem )
It is required that your private key files are NOT accessible by others.
This is why we have to change the file permissions
Run this command ssh -i keyfilename.pem username#ip
replace keyfilename.pem with your actual file name, username with your username(e.g bitnami or user) and replace IP with actual IP
You can find your IP and username on your instance page (https://lightsail.aws.amazon.com/ls/webapp/home/instances > Select Instance> Manage)
I spent hours figuring out how to add an additional key to login to my Wordpress/Bitnami Lightsail Instance.
I though that by adding new key pairs in [https://lightsail.aws.amazon.com/ls/webapp/account/keys][1], I could get direct access to my instances, but that was not the case. I always got "Permission denied (publickey)" when trying to connect via SSH/SFTP.
How to solve it?
You should add your public keys directly to your Lightsail instance:
Connect first to your instance via your Lightsail console. The link should looks like this: https://lightsail.aws.amazon.com/ls/remote/yourzone/instances/instancename/terminal?protocol=ssh
nano ~/.ssh/authorized_keys
It should looks something like:
ssh-rsa AFGGS#%NzaC1yc2EFDSGgpCvpVhFyRSpfsdfjhgasdDSduD$
This means that only one key par is allowed to connect via SSH/SFTP to your Lightsail instance (voilà!).
You should add to that file the new public key bellow:
(YOUR PREVIOUS KEY)ssh-rsa AFGGS#%NzaC1yc2EFDSGgpCvpVhFyRSpfsdfjhgasdDSduD$
(ADD NEW PUBLIC KEY) ssh-rsa ASJKAKKFS#%ASDFbsdjfhJHGJvpVhFyRSpfsdfjhgasdDSduD$
Restart your server and login from your local terminal:
ssh bitnami#yourpublicip -i /Users/youruser/.ssh/yourkeyfile
With this, I could also login via SFTP in Filezilla (Mac), adding the private key in the Site Manager.
I am trying to transfer a file to an ec2 instance. I followed the Amazon's documentation, this is what my command looked like:
scp -i [the key's location] Documents/[the file's location] ec2-user#[public dns]:[home/[destination]]
where I replaced all the variables with the proper things, I am sure it's the correct key and it has permission 400. When I call the command, it tells me the RSA key fingerprint, asks me if I want to continue connecting. I type yes and it replies with
Permission denied (publickey,gssapi-with-mic)
lost connection
I have looked at many of the other similar questions on stack overflow and can't find a correct way to do it.
Also ssh traffic is enabled on port 22.
The example amazon provided is correct. It sounds like a folder permissions issue. If you created the folder you are trying to copy to with another user or another user created it, chances are you don't have permissions to copy to it or edit it.
If you have sudo abilities, you can try opening access for yourself. Though not recommended to be left this way, you could try this command:
sudo chmod 777 /folderlocation
That gives complete read/write/executable permissions to anyone (hence why you shouldn't leave it at 777) but it will give you the chance to test your scp command to rule out permissions.
Afterwards if you aren't familiar with permissions, I suggest you read up on it. this is an example: http://www.tuxfiles.org/linuxhelp/filepermissions.html It is generally suggested you lock down the folder as much as possible depending on the type of information held within.
If that was not the cause some other things you might want to check:
are you in the directory of your key when executing the 'scp -i keyname' command?
do you have permissions to use the folder you are transferring from?
Best of luck.
The problem may be the user name. I copied a file to my Amazon instance and first tried to use the command:
scp -r -i ../.ssh/Amazon_server_key_pair.pem ./empty.test ec2-user#ec2-xx-yy-zz-tt.compute-1.amazonaws.com:~
and got the error:Permission denied (publickey).
I then realized that my instance is an Ubuntu environment and the user user is then "ubuntu" the correct command that worked for me is then:
scp -r -i ../.ssh/Amazon_server_key_pair.pem ./empty.test ubuntu#ec2-xx-yy-zz-tt.us-west-2.compute.amazonaws.com:~
The file "empty.test" is a text file containing the text "testing ...". Replace the address of your virtual server with the correct address to your instance's Public DNS. I have replaced the ip to my instance with xx.yy.zz.tt.
I have to use ubuntu# instead of ec2-user# because when i ssh i was seeing ubuntu# in my terminal, try changing to the name you see at your terminal
Also you have to set permission for pem file in your computer
chmod 400 /path/my-key-pair.pem
The below code will copy file from your computer to Ec2 instance.
scp -i ~/location_of_your_ec2_key_pair.pem ~/location_of_transfer_file/sample.txt ubuntu#ec2_your_ec2_instance.compute.amazonaws.com:~/folder_to_which_it_needs_to_be_copied
The below code will copy file from Ec2 instance to your computer
scp -i ~/location_of_your_ec2_key_pair.pem ubuntu#ec2_your_ec2_instance.compute.amazonaws.com:~/location_of_transfer_file/sample.txt ~/folder_to_which_it_needs_to_be_copied
I was facing the same problem. Hope this will work for you.
scp -rp -i yourfile.pem ~/local_directory username#instance_url:directory
Permission should also be correct to make this work.
Might be ones uses wrong username. Happened to me, was the same error msg -> Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
lost connection
I am attempting to connect to an Amazon EC2 Server via Mac Terminal. I have a PPK file that does not have a password attached to it, but when I try to connect I get a popup box that says "Enter the password for the SSH Private Key."
So we tried creating a PPK that has a password - but it does not accept the password, it still rejects the connection.
I have a Windows user who is able to connect using the same PPK on Putty.
Has anyone experienced this issue?
The mac is looking for a .pem key. The ppk is generated specifically for putty. If you don't have the original ppk key.
Download puttygen.exe from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html Then go to conversions -> export OpenSSH key. Save the output as a .pem file and try using that with the mac.
If this doesn't work can you post the command you're running from mac. Its possible you've got some extra parameter or something.
Maybe your problem is with permissions for your key. I know in linux its required to change the permissions.
Taken from the website http://om4.com.au/ssh-rsa-key-pairs-passphrases-leopard/
Clear the contents of your ~/.ssh directory and set the directory permissions to 700 (directories need to be "executable")
$ rm ~/.ssh/*
$ chmod 700 ~/.ssh
Generate your rsa key pair (there are variations for this, but this is the version I used):
$ ssh-keygen -t rsa
Set the permissions for all files in ~/.ssh to 600
$ chmod 600 ~/.ssh
Copy your id_rsa.pub key to your server’s .ssh/authorized_keys file
Add your passphrase to your keychain using this command:
$ ssh-add -K
(you will see Enter passphrase for [your system]/.ssh/id_rsa: )
The error Enter your password for the SSH key x can result from using a key of the wrong format (such as a ppk key) in ssh or sftp. This is because it is interpreted as an encrypted ssh key and so prompts for the passphrase, when actually there is no passphrase.
In OS X I was able to simulate this error by simply typing the following into the command line:
sftp -o IdentityFile=randomtextfile mysftpserver.com
The solution is to convert the file using puttygen as suggested by bwight.
In addition to the other answers, the issue might come from the fact you haven't specified which user you want to connect as.
For example ssh -i francky.pem 208.52.170.43 will ask you for your password on Mac, whereas ssh -i francky.pem root#208.52.170.43 shouldn't. Note that on Linux you don't specify the user.
I was running into the exact same problem in MAC, I found a quite simple way of getting rid of it.
Instead of using ssh -i IP address, use the following>
ssh user#IP
Hope you already found the answer after this long time :)
In my case, the problem was the file's break type. Try this:
1.- Open the .pem file with TextWrangler
2.- At Bottom of app, verify if the Break Type is "Windows(CRLF)".
This issue had me pulling my hair out for 20 min or so. Realized that I was able to connect successfully from another terminal window. In my case I just had to close out the current terminal window and use another or new window. Very strange, but may help you out.
I am new to EC2. I created my security credentials from this site:
http://paulstamatiou.com/how-to-getting-started-with-amazon-ec2
It worked great, I rebooted and now when I try to connect I get a login/password prompt. (Which I never set up.) After several attempts I get this error:
Permission denied (publickey,gssapi-with-mic).
What am I doing wrong?
Two possibilities I can think of, although they are both mentioned in the link you referenced:
You're not specifying the correct SSH keypair file or user name in the ssh command you're using to log into the server:
ssh -i [full path to keypair file] root#[EC2 instance hostname or IP address]
You don't have the correct permissions on the keypair file; you should use
chmod 600 [keypair file]
to ensure that only you can read or write the file.
Try using the -v option with ssh to get more info on where exactly it's failing, and post back here if you''d like more help.
[Update]: OK, so this is what you should have seen if everything was set up properly:
debug1: Authentications that can continue: publickey,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Trying private key: ec2-keypair
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Are you running the ssh command from the directory containing the ec2-keypair file ? If so, try specifying -i ./ec2-keypair just to eliminate path problems. Also check "ls -l [full path to ec2-keypair]" file and make sure the permissions are 600 (displayed as rw-------). If none of that works, I'd suspect the contents of the keypair file, so try recreating it using the steps in your link.
The key for me to be able to connect was to use the "ec2-user" user rather than root. I.e.:
ssh -i [full path to keypair file] ec2-user#[EC2 instance hostname or IP address]
+1
I noticed that for some AMIs like Amazon Linux, ec2-user#xxx.XX.XX.XXX would work. But for an ubuntu image, I had to use ubuntu# instead. It was never a problem with the .pem, just with the user name.
In my case it's because the permission for my home directory is 775, and SSH is not happy about it. It should work after executing:
server$ chmod go-w ~/
server$ chmod 700 ~/.ssh
server$ chmod 600 ~/.ssh/authorized_keys
I had very similar experience this afternoon. I was setting up django on EC2, and suddenly I cannot SSH into the box anymore. Glad I still had an active connection, so I modified /etc/ssh/sshd_config to set:
PasswordAuthentication yes
and set password for ec2-user, then I can login by entering the password.
However, after some googling I found this thread: http://ubuntuforums.org/showthread.php?t=577279. It turned out that during my setup of django I changed the permission for my home directory, and SSH is very strict about this. So the file permission must be set correctly.
I had met this problem too.And I found that happend beacuse I forgot to add the user-name before the host name:
like this:
ssh -i test.pem ec2-32-122-42-91.us-west-2.compute.amazonaws.com
and I add the user name:
ssh -i test.pem ec2-user#ec2-32-122-42-91.us-west-2.compute.amazonaws.com
it works!
Tagging on to mecca831's answer:
ssh -v -i generated-key.pem ec2-user#11.11.11.11
[ec2-user#ip-11.11.11.11 ~]$ sudo passwd ec2-user
newpassword
newpassword
[ec2-user#ip-11.11.11.11 ~]$ sudo vi /etc/ssh/sshd_config
Modify the file as follows:
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no
# EC2 uses keys for remote access
#PasswordAuthentication no
Save
[ec2-user#ip-11.11.11.11 ~]$ sudo service sshd stop
[ec2-user#ip-11.11.11.11 ~]$ sudo service sshd start
you should be able to exit and ssh in as follows:
ssh ec2-user#11.11.11.11
and be prompted for password no longer needing the key.
Are you sure you have used the right instance? I ran into this problem and realized that something like 4 of the ubuntu instances i tried did not have SSH servers installed on them.
For a list of good servers see "Getting the images" about half way down. Sounds like you may be using something else... the default username is ubuntu on these images.
https://help.ubuntu.com/community/EC2StartersGuide
I was able to login using ec2-user
ssh -i [full path to keypair file] ec2-user#[EC2 instance hostname or IP address]
After about a half hour of searching and trying to debug this I was able to figure it out. My situation involved me using the same pem file for two different ec2 instance and it working for one and not the other.
My first instance it worked on was the standard aws linux ami amzn-ami-hvm-2014.03.2.x86_64-ebs. I simply used
ssh -i mypemfile.pem ec2-user#myec2ipaddress
and it worked.
I then launched a fedora instance Fedora-x86_64-19-20140407-sda and tried the same command but kept getting:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
After changing my username from ec2-user to fedora it worked!
ssh -i mypemfile.pem fedora#myec2address
None of the above helped me, but futzing with the user seemed like it had promise. For my config using 'ubuntu' was right.....
ssh -i [full path to keypair file] ubuntu#[EC2 instance hostname or IP address]
I recommend against setting a password as some other answers suggest. Using the key file is both safer (no one can guess your passwords) and more convenient (once you set up a config file). Here's a basic ~/.ssh/config:
Host my-ec2-server
HostName 11.11.11.11
User ec2-user
IdentityFile /path/to/generated-key.pem
Now you can just type ssh my-ec2-server and you're in! And as also mentioned in other answers, use -v to get extra info when your connection isn't working.
If the issue is consistent and happened about 10-15 times in a row even after changing file permissions to 400 or 600, then it is most certainly something is wrong on the ec2 instance, so to make sure:
Check the logs when you try to ssh to the instance by adding -v at the end and see either it gives out anything specific.
Make sure you use the correct name for ssh, like Ubuntu. Perhaps that depends on Linux distribution and users you added and either you've given permission for "root user" ssh.
Then if nothing helps, follow the documentation here https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html#TroubleshootingInstancesConnectingMindTerm
to fix that. It helped in my case, and it happened because of messed up directories/files permissions.
If you have a PPK file working on a PC, then export it as OpenSSH file using puttygen.exe for PC and use that on Mac (any Unix machine).
I was getting the same error --
debug1: Authentications that can continue: publickey,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Trying private key: ec2-keypair
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,gssapi-with-mic
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic)
As I was using a PPK file on Windows, I followed the steps as described above and Bingo!
$ ssh -i ec2-openssh-key root#ec2-instance-ip
I had the same problem using the AWS Toolkit for Eclipse. I created the Getting Started instance OK and opened a shell. However, the user was set to ec2-user. I used the Open Shell As... command and set the user to root. Then it worked.
Had a similar issue. Here are the steps used to setup SSH keys and forwarding on the Mac. Made these notes for myself - may help someone... check against your config.
The assumption here is there are no keys setup. If you already have the keys setup skip this section.
$ ssh‐keygen ‐t rsa ‐b 4096
Generating public/private rsa key pair.
Enter a file in which to save the key (/Users/you/.ssh/id_rsa): [Press enter]
Enter passphrase (empty for no passphrase): [Type a passphrase]
Enter same passphrase again: [Type passphrase again]
Modify ~/.ssh/config adding the entry for the key file:
~/.ssh/config should look similar to:
Host *
AddKeysToAgent yes
UseKeychain yes
IdentityFile ~/.ssh/id_rsa
Store the private key in the keychain:
$ ssh‐add ‐K ~/.ssh/id_rsa
Go test it now with: ssh -A username#yourhostname
Should forward your key to yourhostname. Assuming your keys are added on you should connect without issue.
I was getting this error when I was trying to ssh into an ec2 instance on the private subnet from the bastion, to fix this issue, you've to run (ssh-add -K) as follow.
Step 1: run "chmod 400 myEC2Key.pem"
Step 2: run "ssh-add -K ./myEC2Key.pem" on your local machine
Step 3: ssh -i myEC2Key.pem root#ec2-107-20-4-100.compute-1.amazonaws.com
Step 4: Now try to ssh to EC2 instance that is on a private subnet without specifying the key, for example, try ssh ec2-user#ipaddress.
Hope this will help.
Note: This solution is for Mac.