Permission denied (public key) ssh ec2 instance mac

Solution 1

debug1: Trying private key: file.pem
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).

Your client sent the key to the server, and the server didn't accept it. As far as your client cares, your private key and local file and directory permissions are all fine. You need to troubleshoot this from the server side. I don't know how EC2 servers are special, but if this were a normal Unix server, you'd check the following:

  1. Look for messages in the server's log from sshd.
  2. Check the permissions on the ec2-user's home directory and .ssh directory on the server.
  3. Check the permissions for the ~ec2-user/.ssh/authorized_keys file on the server.
  4. Check that the public key for this private key that you're trying to use is actually in authorized_keys on the server. This can be done by going to the EC2 server-->Instances-->(select your instance)-->Description-->Key pair name (This should be the same as the name of the key you are using)

Solution 2

OpenSSH is particular with how keys are stored and used. Do the following:

1) Create and ensure your ~/.ssh directory has the correct permissions:

$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
$ ls -ld ~/.ssh
drwx------ 2 username group 4096 Jun 10 19:47 /Users/username/.ssh

2) Copy the private key (in your case the .pem file) to the ~/.ssh directory and set the appropriate permissions:

$ cp ~/Downloads/filename.pem ~/.ssh/filename.pem
$ chmod 600 ~/.ssh/filename.pem

3) Since you are using OS X make sure Finder didn't set any unnecessary extended attributes and remove them:

$ xattr -l ~/.ssh/filename.pem
$ xattr -d <attr_name> ~/.ssh/filename.pem

4) Now you can try using the key:

$ ssh -i ~/.ssh/filename.pem [email protected]

5) Once you have verified this works you can use the ~/.ssh/config file to make connecting to the remote host easier, rather than having to manually specify the identity file to use. For example:

Host remote.hostname.com
  User username
  IdentityFile ~/.ssh/filename.pem

From this point forward you can just run ssh remote.hostname.com to connect to your remote server.
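An added shell script, not from either answer, that turns the checks above into something you can run locally: the permission and extended-attribute rules from Solution 2, the config-must-be-a-file point from the comments, and Solution 1's step 4 (is the public half of this .pem actually in authorized_keys?) done by deriving the public key from the private one with ssh-keygen -y and matching it against a local copy of the server's authorized_keys. All paths are arguments; nothing here refers to the thread's real key or host.

```shell
#!/bin/sh
# Added example, not part of either answer: automates the local-side checks in
# Solution 2 (700 on ~/.ssh, 600 on the .pem, no macOS extended attributes,
# ~/.ssh/config being a file) and the Solution 1 check that the public half of
# the .pem really is in the server's authorized_keys. Assumes POSIX sh, ls and
# ssh-keygen; all paths are arguments, nothing here is the thread's real key.

# ls-style mode string (e.g. drwx------), portable unlike stat's differing flags.
mode_of() { ls -ld "$1" | cut -c1-10; }

# ~/.ssh must be a directory with no group/other bits (mode 700).
check_ssh_dir() {
  [ -d "$1" ] || { echo "$1 is not a directory"; return 1; }
  case "$(mode_of "$1")" in
    d???------) return 0 ;;
    *) echo "$1 must be mode 700 (is $(mode_of "$1"))"; return 1 ;;
  esac
}

# The private key must be a regular file, owner-only (600 or 400), and carry
# no extended attributes, which macOS ls shows as '@' right after the mode.
check_key_file() {
  [ -f "$1" ] || { echo "$1 is not a regular file"; return 1; }
  m=$(ls -ld "$1" | cut -c1-11)
  case "$m" in
    -r??------@) echo "$1 has extended attributes; see: xattr -l $1"; return 1 ;;
    -r??------?) return 0 ;;
    *) echo "$1 must be mode 600 (is $m)"; return 1 ;;
  esac
}

# ~/.ssh/config must be a file (or absent), never a directory.
check_config_is_file() {
  [ ! -e "$1" ] || [ -f "$1" ] || { echo "$1 must be a file, not a directory"; return 1; }
}

# Derive the public key from the private .pem (ssh-keygen -y) and look for its
# key material in a local copy of the server's authorized_keys. Only the base64
# field is matched, so key comments and per-key options do not matter.
key_in_authorized_keys() {  # $1 = private key, $2 = copy of authorized_keys
  pub=$(ssh-keygen -y -f "$1" 2>/dev/null | awk '{print $2}')
  [ -n "$pub" ] || { echo "cannot derive a public key from $1"; return 1; }
  grep -qF -- "$pub" "$2"
}

# Convenience wrapper: all local checks for one key, e.g. run_local_checks ~/.ssh/filename.pem
run_local_checks() {
  check_ssh_dir "$HOME/.ssh" && check_config_is_file "$HOME/.ssh/config" && check_key_file "$1"
}
```

If every check passes and the key still gets "Permission denied (publickey)", the remaining suspects are on the server side (sshd log, home and .ssh permissions there), exactly as Solution 1 says.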

Author: jskye

Updated on September 18, 2022

Comments

  • jskye
    jskye over 1 year

    Update2:

    $ ls -ld ~/.ssh
    drwx------  8 user  staff  272  2 Oct 17:51 /Users/user/.ssh
    $ ls -la ~/.ssh/config/file.pem 
    -r--------@ 1 user staff 1692 2 Oct 17:11 /Users/user/.ssh/config/file.pem 
    $ ls -la file.pem 
    -rw-------@ 1 user staff 1692 2 Oct 17:11 localfile.pem
    

    Update:

    After switching -i and -v flags I now get:

    OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
    debug1: Reading configuration data /Users/user/.ssh/config
    debug1: Reading configuration data /etc/ssh_config
    debug1: /etc/ssh_config line 20: Applying options for *
    debug1: /etc/ssh_config line 53: Applying options for *
    debug1: Connecting to ec2-XX-XX-XXX-XXX.areacode.compute.amazonaws.com [IP] port 22.
    debug1: Connection established.
    debug1: identity file file.pem type -1
    debug1: identity file file.pem-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.2
    debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
    debug1: match: OpenSSH_6.2 pat OpenSSH*
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr [email protected] none
    debug1: kex: client->server aes128-ctr [email protected] none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Server host key: RSA fingerprint
    debug1: Host 'ec2-XX-XX-XXX-XXX.ap-areacode.compute.amazonaws.com' is known and matches the RSA host key.
    debug1: Found key in /Users/user/.ssh/known_hosts:11
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Trying private key: file.pem
    debug1: read PEM private key done: type RSA
    debug1: Authentications that can continue: publickey
    debug1: No more authentication methods to try.
    Permission denied (publickey).
    

    I'm trying to ssh into an Amazon Linux EC2 instance from my Mac terminal. I followed these instructions: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html

    But I get Permission denied (publickey)

    My security settings allow my public ip to ssh.

    It initially succeeded in:

    Permanently added 'ec2-XX-XX-XXX-XXX.areacode.compute.amazonaws.com,YY.YY.YYY.YYY' (RSA) to the list of known hosts.
    
    $ ssh -i ec2vb.pem [email protected]
    Permission denied (publickey).
    
    $ ssh -i -v /path/to/ec2/file.pem [email protected]
    Warning: Identity file -v not accessible: No such file or directory.
    ssh: Could not resolve hostname /Developer/folder/ec2/file.pem: nodename nor servname provided, or not known
    

    I also tried updating permission to chmod key 600 and copying my key to user .ssh/config folder?

    • Admin
      Admin over 9 years
      You need to flip the -i and -v flags. The path to the ssh key needs to follow the -i flag immediately.
    • Admin
      Admin over 9 years
      Thanks @Gene, I now get more debugging info. I also noticed that when I originally downloaded the pem file, I named it as my.key.pem but it downloaded as mykey.pem and shows as my.key.pem on the AWS console. Anyhow, I tried renaming it too and still get the same result.
    • Admin
      Admin over 9 years
      Please do an ls -ld ~/.ssh and ls -la .ssh/file.pem. I'm wondering if the permissions are incorrect.
    • Admin
      Admin over 9 years
      Added permissions results to question update.
    • Admin
      Admin over 9 years
      Your name is in the comment as well. You'll want to remove it there too. Also ~/.ssh/config should be a file, not a directory. OpenSSH expects it to be a file. Also, your pem file has extended attributes on it. That will need to be removed. Run xattr -l against it. Whatever the attribute is you can remove it with the xattr -d <attr_name> file.pem. It's probable the attribute for where it was downloaded from so this might work: xattr -d com.apple.metadata:kMDItemWhereFroms file.pem
    • Admin
      Admin over 9 years
      I created an empty config file in .ssh, what is supposed to be in it? (There was none by default.) I removed the Apple and Google Chrome metadata on the local pem file. There is also: com.apple.quarantine: %%;Google Chrome;%%
    • Admin
      Admin over 9 years
      Here is a helpful page that covers the ~/.ssh/config file.
  • jskye
    jskye over 9 years
    Just tried this again, exactly how you've explained. I still get Permission Denied (public key).
  • jskye
    jskye over 9 years
    I think I might try DigitalOcean. Thanks for your help though.
  • jskye
    jskye over 9 years
    I was able to SFTP like this https://www.youtube.com/watch?v=e9BDvg42-JI but still can't SSH.
  • jskye
    jskye over 9 years
    Also reproduced this on a new instance with the same result.
  • jskye
    jskye over 9 years
    I've moved to DigitalOcean for now, but thanks for this info.