EC2 ssh 权限被拒绝（公钥、gssapi-keyex、gssapi-with-mic）

Question

I got this permission denied problem when I want to ssh to my ec2 host. I tried existing solution chmod 600 "My.pem" but still didn't work. Here is my debug information:

debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to 54.223.47.74 [54.223.47.74] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file My.pem type -1
debug1: key_load_public: No such file or directory
debug1: identity file My.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: Authenticating to 54.223.47.74:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:tfjxcE5kePSv1cJK7SWBp/56kgm2DQkyPLSLZ4d73Io
debug1: Host '54.223.47.74' is known and matches the ECDSA host key.
debug1: Found key in /Users/tan/.ssh/known_hosts:24
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Trying private key: My.pem
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Answer 1

I resolved this issue in my centos machine by using command:

ssh -i <Your.pem> ec2-user@<YourServerIP>

It was about userName which was ec2-user in my case.

Referenced From: AMAZONTroubleshooting

Answer 2

通过连接用户centos而不是ec2-user 。

Answer 3

I noticed each Linux instance launches with a default Linux system user account. This might be different from ec2-user , depending on your instance. You log in using following command where DefaultUserName stands for a username from the quote below.

ssh -i <Your.pem> <DefaultUserName>@<YourPublicServerIP>

Each Linux instance launches with a default Linux system user account. The default user name is determined by the AMI that was specified when you launched the instance.

• For Amazon Linux 2 or the Amazon Linux AMI, the user name is ec2-user .
• For a CentOS AMI, the user name is centos .
• For a Debian AMI, the user name is admin .
• For a Fedora AMI, the user name is ec2-user or fedora .
• For a RHEL AMI, the user name is ec2-user or root .
• For a SUSE AMI, the user name is ec2-user or root .
• For an Ubuntu AMI, the user name is ubuntu .
• Otherwise, if ec2-user and root don't work, check with the AMI provider.

Answer 4

You can find default usernames of ect2 instances here: https://alestic.com/2014/01/ec2-ssh-username/

But in case you want to find the username of your instance: click on the Connect button to see the default username.

After finding the username, run this command, to ensure your key is not publicly viewable.

chmod 400 <private-key-file.pem>

Then Connect to your instance using its Public DNS or IP:

ssh -i <private-key-file.pem> ec2-user@

Answer 5

将用户添加到/etc/sshd_special_user

Answer 6

Recently I went through this issue, Accidently I have changed Home permission using, chmod -R g+rw . it changed .ssh folder permission.

1. If nothing work out, Create Temp Instance on Amazon-EC2
2. Detach Your Server storage (Before that Down your source Machine)
3. Mount it as secondary storage in Temp Instance

4. Do below permission changes,

   [ec2-user ~]$ chmod 600 mount_point/home/ec2-user/.ssh/authorized_keys

   [ec2-user ~]$ chmod 700 mount_point/home/ec2-user/.ssh

   [ec2-user ~]$ chmod 700 mount_point/home/ec2-user

5. Unmount your Source Disk from Temp Instance

6. Attach it back to source Machine

7. Now Use same command to login,

   ssh -i FileName.pem username@MachineIP

For More Details see this AWS Trouble Shooting Docs

Answer 7

Check if you are in the same directory where your key is there. I had the same problem and figured out that it was the wrong directory form where I tried to connect

Answer 8

cd .ssh
rm authorized_keys

file or edit and remove the saved key for the machine you are trying to access.

Change permissions on the key file with chmod 400 keyname (make sure keyname matches exactly as you have it on Amazon).

Try again with ec2-user@IPaddress -i keypair.pem

Answer 9

Make sure you are in the same directory where you have your .pem file.

use command, chmod 0400 example.pem

then use command, ssh -i example.pem ec2-user@YOUR-IP

Answer 10

Make sure the ssh command specifies the ec2 user:

# ec2 user is missing
ssh -i <identity_file.pem> <hostname>

# ec2 user is specified
ssh -i <identity_file.pem> ec2-user@<hostname>

Answer 11

Apart from the username issue mentioned here, it can very well be an issue with.

• permissions on the instance
• public key on the instance not matching the public key you have available locally in your .pem file. The following link Method 1 resolved it for me. https://aws.amazon.com/premiumsupport/knowledge-center/ec2-linux-fix-permission-denied-errors/

For me it was the public key mismatch. and the is how I resolved it. I am on Mac which comes with an ssh-client.

You can get your local public key from your .pem file by running the following command:

ssh-keygen -y -f /path_to_key_pair/my-key-pair.pem

On your instance navigate to your authorized_keys file which will typically be found here:

/home/username/.ssh/authorized_keys

Add your public key to this file. Save and Done. That should do it.

Just a little context for why I ran into the issue. I had to create a new .pem file because I lost the one I downloaded when I launched the instance. For security reasons, this file cannot be downloaded again. As a I created a new .pem file, this created a new public key with it. This public key needs to be update manually on the instance as the authorized_keys file is still pointing to the old public key.

There is more formal 9 step process to get this sorted as well. See here.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/replacing-lost-key-pair.html

Answer 12

Well, The default user name for your EC2 instance is determined by the AMI that was specified when you launched the instance.

For Amazon Linux 2 or the Amazon Linux AMI , the user name is ec2-user .

Therefore, you will need to use ec2-user when SSH .

Afterwards, grant file permissions via chmod in Linux. (Make sure you are in the same directory where you have your.pem file)

use command, chmod 400 <Ur_Pem_File_Name>.pem

Now use command, ssh -i <Ur_Pem_File_Name>.pem ec2-user@<Public_IP_of_EC2>

By doing the above, I was able to SSH into my EC2 via CLI.

Answer 13

On Mac:

cd .ssh
sudo nano know_hosts

And delete the info of the host with the problem.

Answer 14

Check if selinux is blocking access to the file.

Try the following:

restorecon -r -vv .ssh/authorized_keys

Answer 15

I had same issue and resolved by -

1. in Window machine , Save key into Pageant See https://aws.amazon.com/es/blogs/security/securely-connect-to-linux-instances-running-in-a-private-amazon-vpc/

2. and then in Putty select SSH->Auth-> Check "Allow Agent Forwarding" & put ppk file into "Private Key file for Authentication" .

Answer 16

I had the same problem, and, in my case, the problem was the file "My.pem" should be created with the admin user

So, the solution was, first create the file "My.pem" with sudo and change the permison to 400

$ sudo su
$ sudo vim My.pem
  #paste the content

$ sudo vim chmod 400 My.pem

$ ssh -i My.pem user@host
  # Login ok

Answer 17

I had the same issue but in my case it was because I created a new key to connect from a different device. The key pairs only get added when you create a new instance, if you want to create a new key after the instance has been created you will have to add it manually.

You can follow this guide here https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#identify-key-pair-specified-at-launch

or

1. ssh into the AWS instance using your old key pair

2. cd into the ~/.ssh folder and

3. open authorized_keys file using nano or whatever you like

4. then go to you new .pem key pair and retrieve the public key using

   ssh-keygen -y -f /path_to_key_pair/my-key-pair.pem

5. copy the returned public key and paste it inside authorized_keys file below your other keys , save and exit.

6. chmod 400 my-key-pair.pem if you haven't already

7. Then you should be all good to connect using your new key pair.

Answer 18

如果您在 mac 上使用终端 (.zsh) 通过 ssh 连接 ec2，那么您必须在所有命令中将名称从 .pem 更改为 .cer，因为在 mac 上您下载的 key_pair 文件的扩展名为 .cer，否则，您可以遵循与 aws 上给出的命令相同的命令。

Answer 19

In addition to harneet singh's answer you can also change your ec2 instance user name from "ec2-user". navigate to EC2 instance->connect-> ec2InstanceConnect->user-name.

Answer 20

A good solution for this: https://bobbyhadz.com/blog/aws-ssh-permission-denied-publickey In the AWS EC2 console, click on the checkbox next to your instance's name, then click on Actions and select Connect. Click on the SSH client tab and copy the ssh command example.

Answer 21

Soluction in terminal for error

Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

ssh-keygen -f " ~/.ssh/known_hosts" -R xx.xx.xxx.xxx

xx - ip host

http://pastebin.com/YpqGSJ2E

Answer 22

You have to run below commands for ssh to your ec2 host

ssh -i <user.pem> ec2-user@<public ip>

if have

WARNING: UNPROTECTED PRIVATE KEY FILE!          
Permissions 0644 for 'user.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.

then run chmod 0400 <user.pem>

after run above command run ssh -i <user.pem> ec2-user@<public ip>