Permission denied (public key) ssh ec2 instance mac
Solution 1
debug1: Trying private key: file.pem
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
Your client sent the key to the server, and the server didn't accept it. As far as your client cares, your private key and local file and directory permissions are all fine. You need to troubleshoot this from the server side. I don't know how EC2 servers are special, but if this were a normal Unix server, you'd check the following:
- Look for messages in the server's log from sshd.
- Check the permissions of the ec2-user's home directory and .ssh directory on the server.
- Check the permissions for the ~ec2-user/.ssh/authorized_keys file on the server.
- Check that the public key for this private key that you're trying to use is actually in authorized_keys on the server. This can be done by going to the EC2 server-->Instances-->(select your instance)-->Description-->Key pair name (This should be the same as the name of the key you are using)
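The server-side checks in the list above can be scripted. This is an added example, not part of the original answer: `audit_pubkey_login` and `loose_mode` are hypothetical names, and the public key line is assumed to come from running `ssh-keygen -y -f` on the private key on the client.

```shell
#!/bin/sh
# Added example: server-side audit of the checks listed in Solution 1.
# Function names and arguments are hypothetical, not from the original page.

# Succeeds if the path is writable by group or others. With StrictModes
# (the sshd default), sshd refuses an authorized_keys file when it or its
# parent directories up to the home directory are writable that way.
loose_mode() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# $1 = account home directory, $2 = one public key line ("type base64 [comment]")
# Returns 0 = all checks pass, 1 = missing path or loose mode, 2 = key not listed.
audit_pubkey_login() {
    home=$1
    pubkey=$2
    auth="$home/.ssh/authorized_keys"
    result=0
    for p in "$home" "$home/.ssh" "$auth"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"; result=1
        elif loose_mode "$p"; then
            echo "LOOSE    $p (group/other writable)"; result=1
        else
            echo "OK       $p"
        fi
    done
    [ -f "$auth" ] || return 1

    # Compare only the base64 blob: an authorized_keys entry may carry
    # leading options and a different comment than the client's key file.
    blob=$(printf '%s\n' "$pubkey" | awk '{print $2}')
    if [ -n "$blob" ] && awk -v b="$blob" '
            /^[ \t]*#/ { next }
            { for (i = 1; i <= NF; i++) if ($i == b) found = 1 }
            END { exit !found }' "$auth"; then
        echo "OK       key is listed in $auth"
    else
        echo "NOKEY    key is not listed in $auth"
        [ "$result" -ne 0 ] || result=2
    fi
    return "$result"
}

# Usage on the server: sh audit.sh /home/ec2-user "<public key line>"
if [ "$#" -eq 2 ]; then
    audit_pubkey_login "$1" "$2"
fi
```

The script does not check file ownership, which sshd also verifies, so compare the owner shown by `ls -ld` against the login account separately.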
Solution 2
OpenSSH is particular with how keys are stored and used. Do the following:
1) Create and ensure your ~/.ssh directory has the correct permissions:
$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
$ ls -ld ~/.ssh
drwx------ 2 username group 4096 Jun 10 19:47 /Users/username/.ssh
2) Copy the private key (in your case the .pem file) to the ~/.ssh directory and set the appropriate permissions:
$ cp ~/Downloads/filename.pem ~/.ssh/filename.pem
$ chmod 600 ~/.ssh/filename.pem
3) Since you are using OS X make sure Finder didn't set any unnecessary extended attributes and remove them:
$ xattr -l ~/.ssh/filename.pem
$ xattr -d <attr_name> ~/.ssh/filename.pem
4) Now you can try using the key:
$ ssh -i ~/.ssh/filename.pem [email protected]
5) Once you have verified this works you can use the ~/.ssh/config file to make connecting to the remote host easier, rather than having to manually specify the identity file to use. For example:
Host remote.hostname.com
User username
IdentityFile ~/.ssh/filename.pem
From this point forward you can just run ssh remote.hostname.com to connect to your remote server.
jskye
Updated on September 18, 2022
Comments
-
jskye over 1 year
Update2:
$ ls -ld ~/.ssh
drwx------ 8 user staff 272 2 Oct 17:51 /Users/user/.ssh
$ ls -la ~/.ssh/config/file.pem
-r--------@ 1 user staff 1692 2 Oct 17:11 /Users/user/.ssh/config/file.pem
$ ls -la file.pem
-rw-------@ 1 user staff 1692 2 Oct 17:11 localfile.pem
Update:
After switching -i and -v flags I now get:
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/user/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: /etc/ssh_config line 53: Applying options for *
debug1: Connecting to ec2-XX-XX-XXX-XXX.areacode.compute.amazonaws.com [IP] port 22.
debug1: Connection established.
debug1: identity file file.pem type -1
debug1: identity file file.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr [email protected] none
debug1: kex: client->server aes128-ctr [email protected] none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA fingerprint
debug1: Host 'ec2-XX-XX-XXX-XXX.ap-areacode.compute.amazonaws.com' is known and matches the RSA host key.
debug1: Found key in /Users/user/.ssh/known_hosts:11
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: file.pem
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
I'm trying to ssh into amazon linux ec2 instance from my mac terminal. I followed these instructions: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html
But I get
Permission denied (publickey)
My security settings allow my public ip to ssh.
It initially succeeded in:
Permanently added 'ec2-XX-XX-XXX-XXX.areacode.compute.amazonaws.com,YY.YY.YYY.YYY' (RSA) to the list of known hosts.
$ ssh -i ec2vb.pem [email protected]
Permission denied (publickey).
$ ssh -i -v /path/to/ec2/file.pem [email protected]
Warning: Identity file -v not accessible: No such file or directory.
ssh: Could not resolve hostname /Developer/folder/ec2/file.pem: nodename nor servname provided, or not known
I also tried updating permission to chmod key 600 and copying my key to user.ssh/config folder?
-
Admin over 9 years
You need to flip the -i and -v flags. The path to the ssh key needs to follow the -i flag immediately.
-
Admin over 9 years
thanks @Gene i now get more debugging info. I also noticed that when i originally downloaded the pem file, i named it as my.key.pem but it downloaded as mykey.pem and shows as my.key.pem on aws console. anyhow, i tried renaming it too and still get same result.
-
Admin over 9 years
Please do an ls -ld ~/.ssh and ls -la .ssh/file.pem. I'm wondering if the permissions are incorrect.
-
Admin over 9 years
added permissions results to question update
-
Admin over 9 years
Your name is in the comment as well. You'll want to remove it there too. Also ~/.ssh/config should be a file, not a directory. OpenSSH expects it to be a file. Also, your pem file has extended attributes on it. That will need to be removed. Run xattr -l against it. Whatever the attribute is you can remove it with xattr -d <attr_name> file.pem. It's probably the attribute for where it was downloaded from so this might work: xattr -d com.apple.metadata:kMDItemWhereFroms file.pem
-
Admin over 9 years
i created an empty config file in .ssh, what is supposed to be in it? (there was none by default). i removed the apple and google chrome metadata on the local pem file. There is also: com.apple.quarantine: %%;Google Chrome;%%
-
Admin over 9 years
Here is a helpful page that covers the ~/.ssh/config file.
-
-
jskye over 9 years
just tried this again. exactly how you've explained. I still get Permission Denied (public key)
-
jskye over 9 years
i think i might try DigitalOcean. thanks for your help though.
-
jskye over 9 years
i was able to SFTP like this https://www.youtube.com/watch?v=e9BDvg42-JI but still can't SSH
-
jskye over 9 years
also reproduced this on a new instance with same result
-
jskye over 9 years
I've moved to DigitalOcean for now but thanks for this info