Connecting AWS EC2 instance asks for password although PEM file is provided
Solution 1
I am both happy and humbled to report that the problem was that I was trying to ssh with a non-existing user. The tutorial I was following suggested using a login name that did not correspond to the user name in the respective AMI. This was suggested by Amazon support, when they double-checked their tutorial.
I am not sure if there is a way to discover the default login name from the EC2 Management Console. At least a quick search for the correct user name in the properties did not turn up any matches.
Now I can also log on without providing the key file through the -i option, because I've added the key to my keyring with the ssh-add command.
Solution 2
Well, this could be client-side or server-side in terms of the reason it's failing.
Client-Side: Be sure your .ssh directory is permission 0700 and the EC2key.pem is 0600.
Server-Side: Be sure 'PubkeyAuthentication' is set to 'yes' in your sshd_config (if you are able to get in at all). You could also run the SSH service manually with debug mode (-d flag) to catch other potential reasons (again, if you have access).
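The checks from the two solutions above, as an added shell example that is not part of either answer: it classifies an `ssh -v` transcript and verifies the client-side permissions from Solution 2. The function names, verdict strings and sample log are constructed for illustration, and accepting 0400 as well as 0600 for the key file is an addition.

```shell
#!/bin/sh
# Constructed sample, modelled on the debug excerpt in the question.
SAMPLE_LOG='debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/myuser/EC2key.pem
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password'

# diagnose_ssh_log (hypothetical helper): reads `ssh -v` output on stdin
# and prints a single verdict word.
diagnose_ssh_log() {
    awk '
        /Offering .*public key|Trying private key/ { offered = 1 }
        /Server accepts key|Authentication succeeded \(publickey\)/ { accepted = 1 }
        /UNPROTECTED PRIVATE KEY FILE|bad permissions/ { badperm = 1 }
        /Next authentication method: password/ { fellback = 1 }
        END {
            if (badperm)                  print "client-key-permissions"
            else if (accepted)            print "key-accepted"
            # Key was sent, server refused it and moved on to password:
            # wrong login name for the AMI (Solution 1) or the key is not
            # in that user authorized_keys file.
            else if (offered && fellback) print "key-rejected-for-user"
            else if (offered)             print "key-rejected"
            else                          print "no-key-offered"
        }'
}

# check_key_perms DIR KEYFILE (hypothetical helper): succeeds when DIR is
# 0700 and KEYFILE is 0600 (or 0400), compared as `ls -l` mode strings.
check_key_perms() {
    dir_mode=$(ls -ld "$1" | cut -c1-10)
    key_mode=$(ls -l "$2" | cut -c1-10)
    [ "$dir_mode" = "drwx------" ] || return 1
    case "$key_mode" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on the constructed sample; prints the verdict for that transcript.
printf '%s\n' "$SAMPLE_LOG" | diagnose_ssh_log
```

Feed it a real transcript with `ssh -v ... 2>&1 | diagnose_ssh_log`, since ssh writes its debug lines to stderr.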
Passiday
Updated on July 09, 2022
Comments
-
Passiday almost 2 years
I've just created an EC2 instance on AWS. Before that, I created my key pair, downloaded the private key.
I'm now trying to log on to the newly created instance (using the correct host name, of course, which I replaced here for security). I've added the -v switch to get the debug output:
ssh [email protected] -i ~/EC2key.pem -v
Though I provide the key file, I am asked for password. Here's an excerpt from the debug output that might show what's going wrong:
debug1: Host 'myVirtualHost.compute-1.amazonaws.com' is known and matches the ECDSA host key.
debug1: Found key in /home/myuser/.ssh/known_hosts:15
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/myuser/EC2key.pem
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
[email protected]'s password:[asks for password here]
Why after "read PEM private key done: type RSA" the conclusion is "Authentications that can continue: publickey,password"?
-
Passiday about 11 years
Yes, and it still asks for password. The debug output is slightly different, though:
debug1: Authentications that can continue: publickey,password debug1: Next authentication method: publickey debug1: Offering RSA public key: /home/myuser/EC2key.pem debug1: Authentications that can continue: publickey,password
-
Passiday about 11 years
Sorry for the mess, I didn't know there's no way to add linebreaks in the comment text.
-
Passiday about 11 years
My ~/.ssh dir permissions are drwx------, and pem file permissions are -rw-------, so I guess that matches your mentioned 0700 and 0600. But I don't have any way to get in on the server side. The one using the key file was supposed to be the initial way.
-
Mark Stanislav about 11 years
Who created the AMI that you are using for your instance? It's entirely possible their configuration didn't work properly. If you're using an 'official' AMI or say one directly from Amazon, it should work fine.
-
Passiday about 11 years
I was following directions from here, I am taking part in Udacity's CUDA course. So, AMI was generated from supposedly official template.
-
Mark Stanislav about 11 years
I see. Well, I guess the last idea is just to speak with them to verify no one else is having this problem. If your key is, in fact, the key you created and assigned to the instance, and permissions are correct on your local files, there's not a ton left to test that I can think of until you have someone with access to that AMI directly. Sorry!
-
Passiday about 11 years
Thanks for trying :) When (if) I get it fixed, I will report back to this thread.
-
Rishabh about 11 years
keyring should work, here is an article that should help you: aws.amazon.com/articles/1233
-
Abhidemon over 6 years
alestic.com/2014/01/ec2-ssh-username This is a list of default usernames that ec2 instances use.
-
dutzi over 3 years
doing this locked me out of my instance until I explicitly ran
ssh -i "path/to/pem_file" my.instance