Connecting AWS EC2 instance asks for password although PEM file is provided


Solution 1

I am both happy and humbled to report that the problem was that I was trying to ssh with a non-existing user. The tutorial I was following suggested using a login name that did not correspond to the user name in the respective AMI. This was suggested by Amazon support, when they double-checked their tutorial.

I am not sure if there is a way to discover the default login name from the EC2 Management Console. At least a quick search for the correct user name in the properties did not turn up any matches.

Now I can also log on without providing the key file through the -i option, because I've added the key to my keyring with the ssh-add command.

Solution 2

Well, this could be client-side or server-side in terms of the reason it's failing.

Client-Side: Be sure your .ssh directory is permission 0700 and the EC2key.pem is 0600.

Server-Side: Be sure 'PubkeyAuthentication' is set to 'yes' in your sshd_config (if you are able to get in at all). You could also run the SSH service manually with debug mode (-d flag) to catch other potential reasons (again, if you have access).
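Solution 2's client-side checks together with the -v excerpt from the question, as an added shell example (not code from either answer): check_perms verifies the 0700/0600 modes, and classify_log reads ssh -v output to tell a key the client could not load apart from a key the server refused for that login name. The function names and verdict strings are hypothetical.

```shell
#!/bin/sh
# Added example. Function names and verdict words are hypothetical.

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_perms DIR KEY: succeed only if DIR is 0700 and KEY is 0600.
check_perms() {
    rc=0
    [ "$(perm_of "$1")" = 700 ] || { echo "$1 is not 0700"; rc=1; }
    [ "$(perm_of "$2")" = 600 ] || { echo "$2 is not 0600"; rc=1; }
    return $rc
}

# classify_log: read `ssh -v` output on stdin and print one verdict word.
# The first "Authentications that can continue" line precedes any key
# attempt; seeing it again after a key was tried means the server
# refused that key for the login name in use.
classify_log() {
    awk '
        /Trying private key:|Offering .*public key:/ { tried = 1; next }
        /Authentications that can continue:/ { if (tried) rejected = 1 }
        /Authentication succeeded [(]publickey[)]/ { ok = 1 }
        /bad permissions|UNPROTECTED PRIVATE KEY/ { badperm = 1 }
        END {
            if (ok) print "accepted"
            else if (badperm) print "client-permissions"
            else if (rejected) print "server-rejected-key"
            else if (tried) print "inconclusive"
            else print "no-key-tried"
        }'
}

# Authentication lines copied from the debug excerpt in the question.
sample_log() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/myuser/EC2key.pem
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
EOF
}

sample_log | classify_log
```

For the question's excerpt the verdict is server-rejected-key: the client read the key without complaint, so the next things to check are the login name and whether that key is authorized for it on the instance.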

Author by

Passiday

Updated on July 09, 2022

Comments

  • Passiday
    Passiday almost 2 years

    I've just created an EC2 instance on AWS. Before that, I created my key pair, downloaded the private key.

    I'm now trying to log on to the newly created instance (using the correct host name, of course, which I replaced here for security). I've added the -v switch to get the debug output:

    ssh [email protected] -i ~/EC2key.pem -v
    

    Though I provide the key file, I am asked for a password. Here's an excerpt from the debug output that might show what's going wrong:

    debug1: Host 'myVirtualHost.compute-1.amazonaws.com' is known and matches the ECDSA host key.
    debug1: Found key in /home/myuser/.ssh/known_hosts:15
    debug1: ssh_ecdsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/myuser/EC2key.pem
    debug1: read PEM private key done: type RSA
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: password
    [email protected]'s password:[asks for password here]
    

    Why, after "read PEM private key done: type RSA", is the conclusion "Authentications that can continue: publickey,password"?

  • Passiday
    Passiday about 11 years
    Yes, and it still asks for password. The debug output is slightly different, though: debug1: Authentications that can continue: publickey,password debug1: Next authentication method: publickey debug1: Offering RSA public key: /home/myuser/EC2key.pem debug1: Authentications that can continue: publickey,password
  • Passiday
    Passiday about 11 years
    Sorry for the mess, I didn't know there's no way to add linebreaks in the comment text.
  • Passiday
    Passiday about 11 years
    My ~/.ssh dir permissions are drwx------, and pem file permissions are -rw-------, so I guess that matches your mentioned 0700 and 0600. But I don't have any way to get in on the server side. The one using the key file was supposed to be the initial way.
  • Mark Stanislav
    Mark Stanislav about 11 years
    Who created the AMI that you are using for your instance? It's entirely possible their configuration didn't work properly. If you're using an 'official' AMI or say one directly from Amazon, it should work fine.
  • Passiday
    Passiday about 11 years
    I was following directions from here, I am taking part in Udacity's CUDA course. So, the AMI was generated from a supposedly official template.
  • Mark Stanislav
    Mark Stanislav about 11 years
    I see. Well, I guess the last idea is just to speak with them to verify no one else is having this problem. If your key is, in fact, the key you created and assigned to the instance, and permissions are correct on your local files, there's not a ton left to test that I can think of until you have someone with access to that AMI directly. Sorry!
  • Passiday
    Passiday about 11 years
    Thanks for trying :) When (if) I get it fixed, I will report back to this thread.
  • Rishabh
    Rishabh about 11 years
    keyring should work, here is an article that should help you aws.amazon.com/articles/1233
  • Abhidemon
    Abhidemon over 6 years
    alestic.com/2014/01/ec2-ssh-username This is a list of default usernames that ec2 instances use.
  • dutzi
    dutzi over 3 years
    doing this locked me out of my instance until I explicitly ran ssh -i "path/to/pem_file" my.instance