[英]EC2 ssh Permission denied (publickey,gssapi-keyex,gssapi-with-mic)
I got this permission denied problem when I want to ssh
to my ec2
host.当我想
ssh
到我的ec2
主机时,我遇到了这个权限被拒绝的问题。 I tried existing solution chmod 600 "My.pem"
but still didn't work.我尝试了现有的解决方案
chmod 600 "My.pem"
但仍然没有用。 Here is my debug information:这是我的调试信息:
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to 54.223.47.74 [54.223.47.74] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file My.pem type -1
debug1: key_load_public: No such file or directory
debug1: identity file My.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: Authenticating to 54.223.47.74:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:tfjxcE5kePSv1cJK7SWBp/56kgm2DQkyPLSLZ4d73Io
debug1: Host '54.223.47.74' is known and matches the ECDSA host key.
debug1: Found key in /Users/tan/.ssh/known_hosts:24
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Trying private key: My.pem
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
I resolved this issue in my centos machine by using command:我使用以下命令在我的 centos 机器上解决了这个问题:
ssh -i <Your.pem> ec2-user@<YourServerIP>
It was about userName which was ec2-user
in my case.这是关于userName ,在我的情况下是
ec2-user
。
Referenced From: AMAZONTroubleshooting引用自: AMAZONT疑难解答
通过连接用户centos
而不是ec2-user
。
I noticed each Linux instance launches with a default Linux system user account.我注意到每个 Linux 实例都使用默认的 Linux 系统用户帐户启动。 This might be different from
ec2-user
, depending on your instance.这可能与
ec2-user
不同,具体取决于您的实例。 You log in using following command where DefaultUserName
stands for a username from the quote below.您使用以下命令登录,其中
DefaultUserName
代表下面引用中的用户名。
ssh -i <Your.pem> <DefaultUserName>@<YourPublicServerIP>
Each Linux instance launches with a default Linux system user account.
每个 Linux 实例都使用默认的 Linux 系统用户帐户启动。 The default user name is determined by the AMI that was specified when you launched the instance.
默认用户名由启动实例时指定的 AMI 确定。
- For Amazon Linux 2 or the Amazon Linux AMI, the user name is ec2-user .
对于Amazon Linux 2或 Amazon Linux AMI,用户名为ec2-user 。
- For a CentOS AMI, the user name is centos .
对于CentOS AMI,用户名为centos 。
- For a Debian AMI, the user name is admin .
对于Debian AMI,用户名为admin 。
- For a Fedora AMI, the user name is ec2-user or fedora .
对于Fedora AMI,用户名为ec2-user或fedora 。
- For a RHEL AMI, the user name is ec2-user or root .
对于RHEL AMI,用户名为ec2-user或root 。
- For a SUSE AMI, the user name is ec2-user or root .
对于SUSE AMI,用户名为ec2-user或root 。
- For an Ubuntu AMI, the user name is ubuntu .
对于Ubuntu AMI,用户名为ubuntu 。
- Otherwise, if ec2-user and root don't work, check with the AMI provider.
否则,如果 ec2-user 和 root 不起作用,请与 AMI 提供商联系。
You can find default usernames of ect2 instances here: https://alestic.com/2014/01/ec2-ssh-username/您可以在此处找到 ect2 实例的默认用户名: https ://alestic.com/2014/01/ec2-ssh-username/
But in case you want to find the username of your instance: click on the Connect button to see the default username.但如果您想查找实例的用户名:单击“连接”按钮以查看默认用户名。
After finding the username, run this command, to ensure your key is not publicly viewable.找到用户名后,运行此命令,以确保您的密钥不可公开查看。
chmod 400 <private-key-file.pem> chmod 400 <private-key-file.pem>
Then Connect to your instance using its Public DNS or IP:然后使用其公共 DNS 或 IP 连接到您的实例:
ssh -i <private-key-file.pem> ec2-user@ ssh -i <private-key-file.pem> ec2-user@
将用户添加到/etc/sshd_special_user
Recently I went through this issue, Accidently I have changed Home permission using, chmod -R g+rw .
最近我遇到了这个问题,不小心我使用
chmod -R g+rw .
更改了 Home 权限chmod -R g+rw .
it changed .ssh
folder permission.它更改了
.ssh
文件夹权限。
Do below permission changes,执行以下权限更改,
[ec2-user ~]$ chmod 600 mount_point/home/ec2-user/.ssh/authorized_keys [ec2-user ~]$ chmod 600 mount_point/home/ec2-user/.ssh/authorized_keys
[ec2-user ~]$ chmod 700 mount_point/home/ec2-user/.ssh [ec2-user ~]$ chmod 700 mount_point/home/ec2-user/.ssh
[ec2-user ~]$ chmod 700 mount_point/home/ec2-user [ec2-user ~]$ chmod 700 mount_point/home/ec2-user
Unmount your Source Disk from Temp Instance从临时实例卸载源磁盘
Attach it back to source Machine将其连接回源机器
Now Use same command to login,现在使用相同的命令登录,
ssh -i FileName.pem username@MachineIP ssh -i 文件名.pem 用户名@MachineIP
For More Details see this AWS Trouble Shooting Docs有关更多详细信息,请参阅此AWS 故障排除文档
Check if you are in the same directory where your key is there.检查您是否在您的密钥所在的同一目录中。 I had the same problem and figured out that it was the wrong directory form where I tried to connect
我遇到了同样的问题,并发现这是我尝试连接的错误目录形式
cd .ssh
rm authorized_keys
file or edit and remove the saved key for the machine you are trying to access.文件或编辑并删除您尝试访问的机器的已保存密钥。
Change permissions on the key file with chmod 400 keyname
(make sure keyname
matches exactly as you have it on Amazon).使用
chmod 400 keyname
更改密钥文件的权限(确保keyname
与您在 Amazon 上拥有的完全匹配)。
Try again with ec2-user@IPaddress -i keypair.pem
使用
ec2-user@IPaddress -i keypair.pem
再试一次
Make sure you are in the same directory where you have your .pem file.确保您位于 .pem 文件所在的同一目录中。
use command, chmod 0400 example.pem使用命令,chmod 0400 example.pem
then use command, ssh -i example.pem ec2-user@YOUR-IP然后使用命令,ssh -i example.pem ec2-user@YOUR-IP
Make sure the ssh
command specifies the ec2 user:确保
ssh
命令指定了 ec2 用户:
# ec2 user is missing
ssh -i <identity_file.pem> <hostname>
# ec2 user is specified
ssh -i <identity_file.pem> ec2-user@<hostname>
Apart from the username issue mentioned here, it can very well be an issue with.除了这里提到的用户名问题,它很可能是一个问题。
For me it was the public key mismatch.对我来说,这是公钥不匹配。 and the is how I resolved it.
这就是我解决它的方法。 I am on Mac which comes with an ssh-client.
我使用的是带有 ssh 客户端的 Mac。
You can get your local public key from your .pem file by running the following command:您可以通过运行以下命令从 .pem 文件中获取本地公钥:
ssh-keygen -y -f /path_to_key_pair/my-key-pair.pem
On your instance navigate to your authorized_keys file which will typically be found here:在您的实例上,导航到您的 authorized_keys 文件,该文件通常位于此处:
/home/username/.ssh/authorized_keys
Add your public key to this file.将您的公钥添加到此文件中。 Save and Done.
保存并完成。 That should do it.
那应该这样做。
Just a little context for why I ran into the issue.只是我为什么遇到这个问题的一点背景。 I had to create a new .pem file because I lost the one I downloaded when I launched the instance.
我必须创建一个新的 .pem 文件,因为我丢失了启动实例时下载的文件。 For security reasons, this file cannot be downloaded again.
出于安全原因,此文件无法再次下载。 As a I created a new .pem file, this created a new public key with it.
因为我创建了一个新的 .pem 文件,这用它创建了一个新的公钥。 This public key needs to be update manually on the instance as the authorized_keys file is still pointing to the old public key.
这个公钥需要在实例上手动更新,因为authorized_keys 文件仍然指向旧的公钥。
There is more formal 9 step process to get this sorted as well.还有更正式的 9 步过程来进行排序。 See here.
看这里。
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/replacing-lost-key-pair.html https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/replacing-lost-key-pair.html
Well, The default user name for your EC2
instance is determined by the AMI that was specified when you launched the instance.那么,
EC2
实例的默认用户名由启动实例时指定的 AMI 确定。
For Amazon Linux 2
or the Amazon Linux AMI
, the user name is ec2-user
.对于
Amazon Linux 2
或Amazon Linux AMI
,用户名为ec2-user
。
Therefore, you will need to use ec2-user
when SSH
.因此,您需要在
SSH
时使用ec2-user
。
Afterwards, grant file permissions via chmod in Linux. (Make sure you are in the same directory where you have your.pem file)之后,在 Linux 中通过 chmod 授予文件权限。(确保您与您的 .pem 文件位于同一目录中)
use command, chmod 400 <Ur_Pem_File_Name>.pem
使用命令,
chmod 400 <Ur_Pem_File_Name>.pem
Now use command, ssh -i <Ur_Pem_File_Name>.pem ec2-user@<Public_IP_of_EC2>
现在使用命令,
ssh -i <Ur_Pem_File_Name>.pem ec2-user@<Public_IP_of_EC2>
By doing the above, I was able to SSH into my EC2 via CLI.通过执行上述操作,我能够通过 CLI 将 SSH 连接到我的 EC2。
On Mac:在 Mac 上:
cd .ssh
sudo nano know_hosts
And delete the info of the host with the problem.并删除有问题的主机信息。
Check if selinux is blocking access to the file.检查 selinux 是否阻止访问该文件。
Try the following:请尝试以下操作:
restorecon -r -vv .ssh/authorized_keys
I had same issue and resolved by -我有同样的问题并通过 -
in Window machine , Save key into Pageant See https://aws.amazon.com/es/blogs/security/securely-connect-to-linux-instances-running-in-a-private-amazon-vpc/在 Window 机器中,将密钥保存到 Pageant 参见https://aws.amazon.com/es/blogs/security/securely-connect-to-linux-instances-running-in-a-private-amazon-vpc/
and then in Putty select SSH->Auth-> Check "Allow Agent Forwarding" & put ppk file into "Private Key file for Authentication" .然后在 Putty 中选择 SSH->Auth-> 选中“Allow Agent Forwarding”并将 ppk 文件放入“Private Key file for Authentication”。
I had the same problem, and, in my case, the problem was the file "My.pem" should be created with the admin user我遇到了同样的问题,就我而言,问题是应该使用管理员用户创建文件“My.pem”
So, the solution was, first create the file "My.pem" with sudo and change the permison to 400因此,解决方案是,首先使用 sudo 创建文件“My.pem”并将权限更改为 400
$ sudo su
$ sudo vim My.pem
#paste the content
$ sudo vim chmod 400 My.pem
$ ssh -i My.pem user@host
# Login ok
I had the same issue but in my case it was because I created a new key to connect from a different device.我遇到了同样的问题,但就我而言,这是因为我创建了一个新密钥以从不同的设备进行连接。 The key pairs only get added when you create a new instance, if you want to create a new key after the instance has been created you will have to add it manually.
只有在创建新实例时才会添加密钥对,如果要在创建实例后创建新密钥,则必须手动添加。
You can follow this guide here https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#identify-key-pair-specified-at-launch您可以在此处遵循本指南https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#identify-key-pair-specified-at-launch
or或者
ssh
into the AWS instance using your old key pair使用旧密钥对通过
ssh
进入 AWS 实例
cd
into the ~/.ssh
folder and cd
进入~/.ssh
文件夹和
open authorized_keys
file using nano
or whatever you like使用
nano
或任何您喜欢的方式打开authorized_keys
文件
then go to you new .pem
key pair and retrieve the public key using然后转到您新的
.pem
密钥对并使用检索公钥
ssh-keygen -y -f /path_to_key_pair/my-key-pair.pem
copy the returned public key and paste it inside authorized_keys file below your other keys , save and exit.复制返回的公钥并将其粘贴到其他密钥下方的 authorized_keys 文件中,保存并退出。
chmod 400 my-key-pair.pem
if you haven't already chmod 400 my-key-pair.pem
如果你还没有
Then you should be all good to connect using your new key pair.然后,您应该可以使用新的密钥对进行连接。
如果您在 mac 上使用终端 (.zsh) 通过 ssh 连接 ec2,那么您必须在所有命令中将名称从 .pem 更改为 .cer,因为在 mac 上您下载的 key_pair 文件的扩展名为 .cer,否则,您可以遵循与 aws 上给出的命令相同的命令。
In addition to harneet singh's answer you can also change your ec2 instance user name from "ec2-user".除了 harneet singh 的回答之外,您还可以将您的 ec2 实例用户名从“ec2-user”更改。 navigate to EC2 instance->connect-> ec2InstanceConnect->user-name.
导航到 EC2 实例-> 连接-> ec2InstanceConnect-> 用户名。
A good solution for this: https://bobbyhadz.com/blog/aws-ssh-permission-denied-publickey In the AWS EC2 console, click on the checkbox next to your instance's name, then click on Actions and select Connect.一个很好的解决方案: https://bobbyhadz.com/blog/aws-ssh-permission-denied-publickey在 AWS EC2 控制台中,单击实例名称旁边的复选框,然后单击 Actions 和 select Connect。 Click on the SSH client tab and copy the ssh command example.
单击 SSH 客户端选项卡并复制 ssh 命令示例。
Soluction in terminal for error在终端解决错误
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).权限被拒绝(publickey、gssapi-keyex、gssapi-with-mic、password)。
ssh-keygen -f " ~/.ssh/known_hosts" -R xx.xx.xxx.xxx
xx - ip host xx - ip 主机
You have to run below commands for ssh to your ec2 host您必须在以下命令中运行 ssh 到您的 ec2 主机
ssh -i <user.pem> ec2-user@<public ip>
if have如果有
WARNING: UNPROTECTED PRIVATE KEY FILE!
Permissions 0644 for 'user.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
then run chmod 0400 <user.pem>
然后运行
chmod 0400 <user.pem>
after run above command run ssh -i <user.pem> ec2-user@<public ip>
运行以上命令后运行
ssh -i <user.pem> ec2-user@<public ip>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.