Stack Exchange sign up log in careers 2.

0 Server Fault Questions Tags Tour Users Ask Question Tell me more Server Fault is a question and answer site for professional system and network administrators. It's 100% free, no registration required. Why do I get Permission denied (publickey) when trying to SSH from local Ubuntu to a Amazon EC2 server? up vote 97 down vote favorite 31 I have an instance of an application running in the cloud on Amazon EC2 instance , and I need to connect it from my local Ubuntu. It works fine on one of local u buntu and also laptop. I got message "Permission denied (publickey)" when trying to access SSH to EC2 on another local Ubuntu. It's so strange to me. I'm thinking some sort of problems with security settings on the Amazon EC2 whic h has limited IPs access to one instance or certificate may need to regenerate. Does anyone know a solution? linux ssh amazon-ec2 share|improve this question edited Jul 13 '09 at 8:38 asked Jul 13 '09 at 7:38 Vorleak Chy 603167 8 "It used to work before" -- before what?

womble Jul 13 '09 at 8:13

I have an Elastic Beanstalk EC2 instance. As at Aug-2013 the solution was to acc ess the instance as the ec2-user user which made the Permission Denied (publicKe y) error go away. Viz: ssh -i ./mike-key-pairoregon.pem ec2-user@ec2-some-addres s.us-west-2.compute.amazonaws.com. Of course you have to all the other stuff as per stackoverflow.com/questions/4742478/ mikemay Sep 1 at 7:09 add comment 13 Answers activeoldestvotes up vote 71 down vote accepted The first thing to do in this situation is to use the -v option to ssh, so you c an see what types of authentication is tried and what the result is. Does that h elp enlighten the situation? In your update to your question, you mention "on another local Ubuntu". Have you copied over the ssh private key to the other machine?

share|improve this answer edited Jul 13 '09 at 8:04 answered Jul 13 '09 at 7:44 Greg Hewgill 3,9081521 @Greg how do I copy ssh private key from working PC to another PC on Ubuntu? Vo rleak Chy Jul 14 '09 at 1:41 1 I've copied over the ssh private key to the other machine as @Greg suggested. It works now. Thanks! Vorleak Chy Jul 16 '09 at 2:03 2 FYI you can use the -i flag to point to the path of the keys without installing them Jorge Vargas Nov 3 '10 at 23:35 12 In my case, I was using a bitnami .ami and didn't realise that you need to log i n as the user called bitnami, like: ssh -i <keyfile> bitname@<ec2-address>. Unfo rtunately the -v option didn't help me find this, but it's still very useful to check! Matt Connolly Jan 20 '12 at 4:44 3 well, in my case i was using the wrong username. was using "ubuntu" instead of " bitnami". like this: ssh -i key.pem bitnami@hostaddress Lucas Pottersky Apr 15 '12 at 21:44 show 1 more comment up vote 29 down vote As it hasn't been explicitly mentioned, sshd is by default very strict on premis sions on for the authorized_keys files. So, if authorized_keys is writable for a nybody other than the user or can be made writable by anybody other than the use r, it'll refuse to authenticate (unless sshd is configured with StrictModes no) What I mean by "can be made writable" is that if any of the parent directories a re writable for anybody other than the user, users permitted to modify those dir ectories can start modifying permissions in such a way that they can modify/repl ace authorized_keys. This will not show up with ssh -v, it'll show up in the logs emitted by sshd (ty pically put in /var/log/secure or /var/log/auth.log, depends on distro and syslo gd configuration). From man sshd(8): ~/.ssh/authorized_keys Lists the public keys (RSA/DSA) that can be used for logging in as this user. The format of this file is described above. The content of the file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others. If this file, the ~/.ssh directory, or the user's home directory are writable by other users, then the file could be modified or replaced by unauthorized users. In this case, sshd will not allow it to be used unless the StrictModes option has been set to no . share|improve this answer edited Dec 6 '12 at 19:15

answered Jan 5 '11 at 14:38 Kjetil Joergensen 2,6041311 3 That "can be made writable" bit is what got me wmarbut Aug 14 '12 at 3:20 3 FWIW the correct permissions for the key files are 600 (see here) Matt Lyons No v 28 '12 at 4:22 Yep, my .authorized_keys file was writeable by group so it refused to accept. a ditya menon Aug 7 at 8:45 add comment up vote 22 down vote I received this error, because I forgot to add -l option. My local username was not the same as on the remote system. This does not answer your question, but I got here looking for an answer to my p roblem. share|improve this answer edited Mar 1 at 15:37 htoip 1095 answered Apr 1 '10 at 21:51 pkmk 32123 1 ... this solved my particular problem. :) thanks for the reminder. Ian Jun 30 ' 10 at 19:35 10 ssh host -l user is the same as ssh user@host, right? Znarkus Feb 1 '11 at 14:0 8 1 @Znarkus yes, it is the same. Cawas Apr 19 '11 at 16:53 Yup, this solved my problem causing the "Permission denied (publickey)" error as well. Brooks Moses Jun 2 '11 at 21:30 This was the problem for me. I was expecting user "root" to work, but I was usin g an Ubuntu EC2 image which had the default user "ubuntu". Cerin Jun 14 at 19:5 4 add comment up vote 10 down vote I got this message on a new instance based off the Ubuntu AMI. I was using the i option to provide the PEM but it was still showing the "Permission denied (pub lickey)". My problem was that I wasn't using the correct user. By running the ssh with ubu ntu@ec2... it worked like normal. share|improve this answer answered Nov 17 '10 at 16:29

user60587 Yeah... I was running the command with sudo, which is why it wasn't working. th addeusmt Sep 17 '11 at 12:56 add comment up vote 9 down vote Something that's easier to read than ssh -i (in my opinion of course), is tail f /var/log/auth.log. That should be run on the server you are trying to connect to, while attempting to connect. It will show errors in plain text. This helped me solve my issue: User [username] from xx.yy.com not allowed because none of user's groups are lis ted in AllowGroups share|improve this answer edited Oct 4 '12 at 6:20 isomorphismes 1168 answered Feb 1 '11 at 14:07 Znarkus 408513 add comment up vote 6 down vote Check your */etc/ssh/sshd_config* file. There, find the line which says PasswordAuthentication no That line needs to be modified to say yes instead of no. Also, restart the sshd server afterwards. sudo /etc/init.d/ssh restart share|improve this answer answered Dec 10 '10 at 6:15 Sudipta Chatterjee 18124 That would make the server less secure. Znarkus Feb 1 '11 at 13:45

This was the problem I had: I wanted to set up an account for another user, auth enticating with just a password. I also wanted to be able to log in as myself fr om places where I didn't have my private key. Daniel Apr 10 '11 at 22:28 add comment up vote 4 down vote Perhaps not relevant to the current poster, but might help others who find this when searching for answers to similar situations. Instead of letting Amazon gene rate the ssh keypair, I recommend uploading your own, standard, default public s sh key to Amazon and specifying that when you run an EC2 instance. This lets you drop the "-i" type syntax in ssh, use rsync with standard options, and also lets you use the same ssh key across all EC2 regions.

I wrote an article about this process here: Uploading Personal ssh Keys to Amazon EC2 http://alestic.com/2010/10/ec2-ssh-keys share|improve this answer answered Sep 29 '11 at 21:15 Eric Hammond 6,516937 +1 Looked up this question exactly for this reason. :36 John Riselvato May 30 at 18

i see this error in following your article. regions=$(ec2-describe-regions | cut -f2) Required option '-K, --private-key KEY' missing (-h for usage) KashifAli Sep 1 at 14:01 @KashifAli You'll want to set up the EC2 API command line tool credentials so yo u don't always have to pass the credentials on every command line. Eric Hammond Sep 5 at 7:14 add comment up vote 1 down vote Greg's answer explains how to trouble shoot it better, however the actual issue is that you have an ssh key set on one side of the transaction (the client), whi ch is attempting public key authentication rather than password based authentica tion. As you don't have the corresponding public key on the EC2 instance, this w on't work. share|improve this answer answered Jul 13 '09 at 8:11 Cian 4,51811232 2 How to you resolve the issue? Julien Grenier May 15 '11 at 1:49 add comment up vote 1 down vote I had the same problem, and after trying tons of solutions which failed to work i opened the SSH port on my router's firewall (my router's firewall control pane l is a mess, so it's hard to tell what's going on). Anyway, that fixed it :) Super bloody annoying that the error you get is Permission Denied, implying that there was some kind of connection made, grr. share|improve this answer answered Jun 29 '11 at 18:16 chichilatte 111 add comment up vote 1 down vote Strangely, my problem turned out to be that the server had been restarted and it was issued a new DNS name. I was using the old DNS name. I know this sounds stu

pid but it took me a while to figure this out. share|improve this answer answered Aug 8 '11 at 21:00 Patrick Collins 111 Thank you! This was exactly my problem. I didn't realize the DNS name changed wh en you restart an instance. Tim Swast Jan 2 '12 at 3:36 add comment up vote 1 down vote I was having the same problem even though I was supposedly following all the ste ps including $ ec2-authorize default -p 22 However, I had started my instance in us-west-1 region. So the above command sho uld also specify that. $ ec2-authorize default -p 22 --region us-west-1 After this command I was able to ssh into the instance. I spent a little while b efore I realized the issue and hope this post helps others. share|improve this answer edited Jun 27 '12 at 3:32 mgorven 16.5k31649 answered Mar 15 '11 at 22:45 Ajit Verma 111 add comment up vote 1 down vote If you're using CentOS 5, you may want to set StrictModes no in /etc/ssh/sshd_co nfig. I'm sharing /home directory using NIS/NFS, and I set all the permissions c orrectly, but it always prompted me with the password. After I set StrictModes n o, the problem disappeared! share|improve this answer edited Nov 18 '12 at 5:00 Scott Pack 10.6k63065 answered Jul 10 '11 at 4:58 uichin 111 add comment up vote 0 down vote If you're trying to connect to a CyanogenMod phone running Dropbear, you should run the following lines to make sure everything is all permission'd right: chmod 600 /data/dropbear/.ssh/authorized_keys

or chmod 700 /data/dropbear/.ssh/authorized_keys # In case of MacOS X 10.6-10.8 and chmod 755 /data/dropbear/ /data/dropbear/.ssh This fixed it for me, otherwise nothing can connect. share|improve this answer edited Aug 21 '12 at 11:46