Permission denied (publickey). SSH from local Ubuntu to Amazon EC2 server

Question

I have an instance of an application running in the cloud on an Amazon EC2 instance, and I need to connect to it from my local Ubuntu. It works fine on one local ubuntu and also laptop. I got this message, Permission denied (publickey)., when trying to SSH to EC2 from a different local Ubuntu.

I'm thinking there may be problems with security settings on the Amazon EC2, which has limited IP access to one instance; or maybe a certificate needs to regenerate.

Does anyone know a solution to the Permission denied error?

Answer 1

The first thing to do in this situation is to use the -v option to ssh, so you can see what types of authentication is tried and what the result is. Does that help enlighten the situation?

In your update to your question, you mention "on another local Ubuntu". Have you copied over the ssh private key to the other machine?

Answer 2

As it hasn't been explicitly mentioned, sshd is by default very strict on permissions on for the authorized_keys files. So, if authorized_keys is writable for anybody other than the user or can be made writable by anybody other than the user, it'll refuse to authenticate (unless sshd is configured with StrictModes no)

What I mean by "can be made writable" is that if any of the parent directories are writable for anybody other than the user, users permitted to modify those directories can start modifying permissions in such a way that they can modify/replace authorized_keys.

Furthermore, if the /home/username/.ssh directory is not owned by the user, and thus the user has no permissions to read the key you can run into problems:

drwxr-xr-x 7 jane jane 4096 Jan 22 02:10 /home/jane
drwx------ 2 root root 4096 Jan 22 03:28 /home/jane/.ssh

Note that jane does not own the .ssh file. Fix this via

chown -R jane:jane /home/jane/.ssh

These sorts of filesystem permission issues will not show up with ssh -v, and they won't even show up in the sshd logs (!) until you set the log level to DEBUG.

• Edit /etc/ssh/sshd_config. You want a line that reads LogLevel DEBUG in there somewhere. Reload the SSH server using the mechanism provided by the distro. (service sshd reload on RHEL/CentOS/Scientific.) A graceful reload will not drop existing sessions.
• Try authenticating again.
• Work out where your auth facility logs go and read them. (IIRC, /var/log/auth.log on Debian-based distros; /var/log/secure on RHEL/CentOS/Scientific.)

Much easier to work out what's going wrong with the debug output which includes filesystem permission errors. Remember to revert the change to /etc/ssh/sshd_config when done!

Answer 3

I received this error, because I forgot to add -l option. My local username was not the same as on the remote system.

This does not answer your question, but I got here looking for an answer to my problem.

Answer 4

I got this message on a new instance based off the Ubuntu AMI. I was using the -i option to provide the PEM but it was still showing the "Permission denied (publickey)".

My problem was that I wasn't using the correct user. By running the ssh with ubuntu@ec2... it worked like normal.

Answer 5

Something that's easier to read than ssh -v (in my opinion of course), is tail -f /var/log/auth.log. That should be run on the server you are trying to connect to, while attempting to connect. It will show errors in plain text.

This helped me solve my issue:

User [username] from xx.yy.com not allowed because none of user's groups are listed in AllowGroups

Answer 6

Check your /etc/ssh/sshd_config file. There, find the line which says

PasswordAuthentication no

That line needs to be modified to say yes instead of no. Also, restart the sshd server afterwards.

sudo /etc/init.d/ssh restart

Answer 7

Perhaps not relevant to the current poster, but might help others who find this when searching for answers to similar situations. Instead of letting Amazon generate the ssh keypair, I recommend uploading your own, standard, default public ssh key to Amazon and specifying that when you run an EC2 instance.

This lets you drop the "-i" type syntax in ssh, use rsync with standard options, and also lets you use the same ssh key across all EC2 regions.

I wrote an article about this process here:

Uploading Personal ssh Keys to Amazon EC2
http://alestic.com/2010/10/ec2-ssh-keys

Answer 8

Strangely, my problem turned out to be that the server had been restarted and it was issued a new DNS name. I was using the old DNS name. I know this sounds stupid but it took me a while to figure this out.

Answer 9

If you're trying to connect to a CyanogenMod phone running Dropbear, you should run the following lines to make sure everything is all permission'd right:

chmod 600 /data/dropbear/.ssh/authorized_keys

or

chmod 700 /data/dropbear/.ssh/authorized_keys # In case of MacOS X 10.6-10.8

and

chmod 755 /data/dropbear/ /data/dropbear/.ssh

This fixed it for me, otherwise nothing can connect.

Answer 10

If you're using CentOS 5, you may want to set StrictModes no in /etc/ssh/sshd_config. I'm sharing /home directory using NIS/NFS, and I set all the permissions correctly, but it always prompted me with the password. After I set StrictModes no, the problem disappeared!

Answer 11

I was having the same problem even though I was supposedly following all the steps including

$ ec2-authorize default -p 22

However, I had started my instance in us-west-1 region. So the above command should also specify that.

$ ec2-authorize default -p 22 --region us-west-1

After this command I was able to ssh into the instance. I spent a little while before I realized the issue and hope this post helps others.

Answer 12

I had the same problem, and after trying tons of solutions which failed to work i opened the SSH port on my router's firewall (my router's firewall control panel is a mess, so it's hard to tell what's going on). Anyway, that fixed it :)

Super bloody annoying that the error you get is Permission Denied, implying that there was some kind of connection made, grr.

Answer 13

Greg's answer explains how to trouble shoot it better, however the actual issue is that you have an ssh key set on one side of the transaction (the client), which is attempting public key authentication rather than password based authentication. As you don't have the corresponding public key on the EC2 instance, this won't work.

Answer 14

TL;DR - make sure you use the correct username - ubuntu/ec2-user/etc.

I'm using a bastion-host (ec2) which is Amazon Linux OS, (ec2-user), and tried to from the bastion-host to a private-host (ec2) which is Ubuntu 18.04 OS (ubuntu)

This might sound funny since you should know the username of the machine you're SSHing to, but since I SSH to multiple machines, sometimes I make those mistakes.

Answer 15

If your .ssh dir has more than 1 key (ex: an id_rsa.pub, and an id_ed25519.pub), try ensuring you are executing ssh with the <correct_key_file>, by explicitly adding its path as an arg (and while you're at it, may as well explicitly pass <correct_username> too):

ssh -i ~/.ssh/<correct_key_file> <correct_username>@<host_server_address>

The defaults being used without explicitly specifying, may not be correct.

Answer 16

This is a rare case, but if you have selinux enabled and you are using nfs for directory with the authorized_keys (e.g. shared home directories), you'll need to either disable selinux (not recommended for security reasons, but you can temporarily disable it to see if this is causing the problem) or allow selinux to use nfs home directories. I'm not clear on the details, but this worked for me setsebool -P use_nfs_home_dirs 1

Answer 17

I've just experienced the same issue after inadvertently adding group write permissions to the users home directory.

I discovered this was the cause by running tail -f /var/log/secure on the machine and seeing the error Authentication refused: bad ownership or modes for directory /home/<username>.