[amazon-web-services] Trying to SSH into an Amazon Ec2 instance - permission error

This is probably a stupidly simple question to some :)

I've created a new linux instance on Amazon EC2, and as part of that downloaded the .pem file to allow me to SSH in.

When I tried to ssh with:

ssh -i myfile.pem <public dns>

I got:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'amazonec2.pem' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: amazonec2.pem
Permission denied (publickey).

Following this post I tried to chmod +600 the pem file, but now when I ssh I just get:

Permission denied (publickey).

What school-boy error am I making here? The .pem file is in my home folder (in osx). Its permissions look like this:

-rw-------@   1 mattroberts  staff    1696 19 Nov 11:20 amazonec2.pem

The answer is


I have seen two reasons behind this issue

1) The access key does not have the right permissions. pem keys with the default permissions are not allowed to make a secure connection. You just have to change the permissions:

chmod 400 xyz.pem

2) Also check whether you have logged in with the proper user credentials. Otherwise, use sudo while connecting

sudo ssh -i {keyfile} ec2-user@{ip address of remote host}


You are likely using the wrong username to login:

  • most Ubuntu images have a user ubuntu
  • Amazon's AMI is ec2-user
  • most Debian images have either root or admin

To login, you need to adjust your ssh command:

ssh -l USERNAME_HERE -i .ssh/yourkey.pem public-ec2-host

HTH


It is just a permission issue with your aws pem key.

Just change the permission of the pem key to 400 using the command below.

chmod 400 pemkeyname.pem

If you don't have permission to change the permission of a file, you can use sudo as in the command below.

sudo chmod 400 pemkeyname.pem

I hope this should work fine.


Alternative log-in using PuTTY. It's good but needs a few steps.

  1. Get your .pem that was generated when you first made the EC2 instance.
  2. Convert the .pem file to .ppk using PuTTYgen, since PuTTY does not read .pem.
  3. Open PuTTY and enter your Host Name, which is your instance username + Public DNS (Ex. [email protected]). Not your AWS account username.
  4. Then navigate to Connection > SSH > Auth. Then add your .ppk file. Click on Browse where it says "Private key file for authentication".
  5. Click Open and you should be able to immediately establish a connection.

I'm using PuTTY 0.66 in Windows.


You should also check if your .pem file is not corrupted. I spent about an hour scratching my head and decided to check using this line

openssl rsa -check -in test.pem -noout

If it returns "RSA key ok" then you are good. If not, make sure you have the right file and/or copied it correctly, for whatever reason.


Just change the permission of the pem file to 0600, allowing only the owner, and it will work like a charm.

sudo chmod 0600 myfile.pem

And then try to ssh it will work perfectly.

ssh -i myfile.pem <<ssh_user>>@<<server>>

What fixed this for me was to move the .pem file within the app's directory. So say fooapp is the name of my app. I placed it directly in there.


I know this is very late to the game ... but this always works for me:

step 1

ssh-add ~/.ssh/KEY_PAIR_NAME.pem

step 2, simply ssh in :)

ssh user_name@<instance public dns/ip>

e.g.

ssh [email protected]

hope this helps someone.


Well, looking at your post description I feel there were 2 mistakes made by you:

  1. Set correct permissions for the private key. The command below should help you to set the correct file permission.

    chmod 0600 mykey.pem

  2. Wrong ec2 user you are trying to login as.

    Looking at your debug log I think you have spawned an Amazon Linux instance. The default user for that instance type is ec2-user. If the instance had been Ubuntu then your default user would have been ubuntu.

    ssh -i privatekey.pem default_ssh_user@server_ip

Note:
   For an Amazon Linux AMI, the default user name is ec2-user.

   For a Centos AMI, the default user name is centos.

   For a Debian AMI, the default user name is admin or root.

   For a Fedora AMI, the default user name is ec2-user or fedora.

   For a RHEL AMI, the default user name is ec2-user or root.

   For a SUSE AMI, the default user name is ec2-user or root.

   For an Ubuntu AMI, the default user name is ubuntu.

   Otherwise, if ec2-user and root don't work, check with the AMI provider.

source: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html


Change permission for the key file with :

chmod 400 key-file-name.pem

See AWS documentation for connecting to the instance:

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html#EC2_ConnectToInstance_Linux


Please ignore this answer if it is irrelevant for you, but from my experience I've seen people having an issue with Permission denied (publickey) because they simply pasted their public key (on a target machine) without the first letter!

This happens when using vim to edit (paste) the key. Since vim by default opens in command mode (not in insert mode), pasting the key without switching to insert mode (i.e. i) will result in skipping the first letter, s, e.g. instead of

ssh-rsa <key>

you end up pasting

sh-rsa <key>

So before trying other solutions, see if you've pasted your key correctly! i.e.

cat ~/.ssh/id_rsa.pub

Only if you're certain, perform the next steps; trying to ssh in a verbose mode (i.e. flag -v) might point you to the actual issue:

ssh -v -i <private_key> <name>@<ip> -p <port>

As a side note, as it has been already mentioned here by others, in majority of cases starting an empty ssh agent (program that keeps your keys in memory) and adding your key should resolve the issue:

ssh-agent bash
ssh-add <private_key>
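Two checks for the situations this answer describes, added here as an example and not code from the answer or from OpenSSH: pubkey_line_ok catches a mangled authorized_keys line (the "sh-rsa" paste, a truncated blob, or a type word that does not match the key data), and classify_ssh_verbose reads a saved ssh -v transcript and says which of the thread's failure modes it shows. The prefix strings are the base64 encoding of the length-prefixed key-type string that every OpenSSH public-key blob starts with; the debug-line texts are OpenSSH's own. Function names are this example's; lines with an options prefix (command="...", from="...") are out of scope.

```shell
#!/bin/sh
# Added example, not code from the answer above. Only POSIX sh and grep are used.

# base64 of the length-prefixed type string every OpenSSH public-key blob starts
# with; the blob must begin with the prefix for its declared type.
blob_prefix_for() {
    case "$1" in
        ssh-rsa)             echo "AAAAB3NzaC1yc2E" ;;
        ssh-ed25519)         echo "AAAAC3NzaC1lZDI1NTE5" ;;
        ecdsa-sha2-nistp256) echo "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY" ;;
        ecdsa-sha2-nistp384) echo "AAAAE2VjZHNhLXNoYTItbmlzdHAzODQ" ;;
        ecdsa-sha2-nistp521) echo "AAAAE2VjZHNhLXNoYTItbmlzdHA1MjE" ;;
        *)                   echo "" ;;
    esac
}

# Validate one "type base64-blob [comment]" line. Prints a reason on failure.
# Lines with an options= prefix (command="...", from="...") are not handled.
pubkey_line_ok() {
    set -f                    # no globbing while we split the line on whitespace
    set -- $1
    set +f
    ktype=$1; blob=$2
    prefix=$(blob_prefix_for "$ktype")
    [ -n "$prefix" ] || { echo "unknown key type '$ktype' (first characters lost?)"; return 1; }
    [ -n "$blob" ]   || { echo "missing key data after $ktype"; return 1; }
    case "$blob" in
        *[!A-Za-z0-9+/=]*) echo "key data contains non-base64 characters"; return 1 ;;
    esac
    [ $(( ${#blob} % 4 )) -eq 0 ] || { echo "key data length is not a multiple of 4 (truncated?)"; return 1; }
    case "$blob" in
        "$prefix"*) ;;
        *) echo "key data does not start with the $ktype header"; return 1 ;;
    esac
    echo "ok: $ktype"
}

# Check every key line in an authorized_keys file; the return value is the
# number of bad lines, so 0 means every line passed.
check_authorized_keys() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        pubkey_line_ok "$line" || bad=$((bad + 1))
    done < "$1"
    return "$bad"
}

# Classify a saved `ssh -v` transcript by the OpenSSH debug lines it contains:
#   local-key-ignored  ssh itself refused the key file (mode too open)
#   key-accepted       the server accepted the key; later failures are not auth
#   key-rejected       a key was offered and the server did not accept it
#                      (wrong key pair, or that user has no matching entry)
#   no-key-offered     ssh never offered a key (bad path, empty agent)
classify_ssh_verbose() {
    if   grep -q 'bad permissions: ignore key' "$1"; then echo local-key-ignored
    elif grep -q 'Server accepts key' "$1";          then echo key-accepted
    elif grep -q 'Offering .*public key' "$1";       then echo key-rejected
    else                                                  echo no-key-offered
    fi
}

# Usage: check_authorized_keys ~/.ssh/authorized_keys
#        ssh -v -i key.pem user@host 2> ssh.log; classify_ssh_verbose ssh.log
```

The distinction the classifier draws is the one to look for by eye in -v output: "bad permissions: ignore key" means ssh never sent the key at all, while "Offering public key" followed by "Authentications that can continue: publickey" and no "Server accepts key" means the server saw the key and found no match for it in that user's authorized_keys, which is what a wrong key pair or a wrong login user looks like from the client side.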

You can find the answer in the AWS guide. 400 protects it by making it read-only and only for the owner.

chmod 400 mykey.pem

By default, whenever you download the key file it comes with 644 permissions.

So you need to change the permission each time you download new keys.

 chmod 400 my_file.pem

Do a chmod 400 yourkeyfile.pem

If your instance is Amazon Linux then use

ssh -i yourkeyfile.pem ec2-user@ip

for Ubuntu

ssh -i yourkeyfile.pem ubuntu@ip

for CentOS

ssh -i yourkeyfile.pem centos@ip


400 protects it by making it read-only and only for the owner.
You can find the answer in the AWS guide.

chmod 400 yourPrivateKey.pem



ssh -i /.pem user@host-machine-IP

I think it's because either you have entered wrong credentials or, you are using a public key rather than private key or, your port permissions are open for ALL to ssh. This is bad for Amazon.


By default, the permissions do not allow the pem key to be used. You just have to change the permissions:

chmod 400 xyz.pem

and if ubuntu instance then connect using:

ssh -i xyz.pem [email protected]


In addition to the other answers, here is what I did in order for this to work:

  • Copy the key to .ssh folder if you still hadn't:

cp key.pem ~/.ssh/key.pem

  • Give the proper permissions to the key

chmod 400 ~/.ssh/key.pem

  • Start the agent

eval "$(ssh-agent -s)"

  • Then, add the key

ssh-add ~/.ssh/key.pem

Now you should be able to ssh EC2 (:


There can be three reasons behind this error.

  1. You are using the wrong key.
  2. Your key doesn't have the correct permissions. You need to chmod it to 400.
  3. You are using the wrong user. Ubuntu images have a user ubuntu, Amazon's AMI is ec2-user and Debian images have either root or admin.

Key file should not be publicly viewable so use permission 400

chmod 400 keyfile.pem

If above command shows permission error use

sudo chmod 400 keyfile.pem

Now ssh into the ec2 machine, if you still face the issue, use ec2-user

ssh -i keyfile.pem [email protected]


What did it for me is editing the default security group to allow for inbound TCP traffic at port 22:



Take a look at this article. You do not use the public DNS but rather the form

ssh -i your.pem [email protected]

where the name is visible on your AMI panel


Following are the simple steps for Linux user to connect with the server using .pem file:

Step1: Go to the location of the pem file and copy it to the home .ssh location.

cp example.pem ~/.ssh/example.pem

Step2: Change the permission

chmod 400 ~/.ssh/example.pem

Step3: Run the following command

ssh -i ~/.ssh/example.pem [email protected]

As this command is too long, you should create an alias for it using the following commands:

 vim ~/.bashrc

Add the following line at the end.

alias sshConnect='ssh -i ~/.ssh/example.pem [email protected]'

Now restart your system and use sshConnect to connect with your server.


I know this question has been answered already but for those that have tried them all and you are still getting the annoying "Permission denied (publickey)". Try running your command with SUDO. Of course this is a temporary solution and you should set permissions correctly but at least that will let you identify that your current user is not running with the privileges you need (as you assumed)

sudo ssh -i amazonec2.pem ec2-xxx-xxx-xxx-xxx.us-west-2.compute.amazonaws.com

Once you do this you'll get a message like this:

Please login as the user "ec2-user" rather than the user "root"

Which is also sparsely documented. In that case just do this:

sudo ssh -i amazonec2.pem ec2-xxx-xxx-xxx-xxx.us-west-2.compute.amazonaws.com -l ec2-user

And you'll get the glorious:

   __|  __|_  )
   _|  (     /   Amazon Linux AMI
  ___|\___|___|

In Mac terminal, doing "chmod 400 xyz.pem" did not help me, it kept saying permission denied. For ubuntu users I would suggest

  1. ssh-add xyz.pem
  2. ssh -i xyz.pem [email protected] (notice the user is ubuntu)

SSH keys and file permission best practices:

  • .ssh directory - 0700 (only by owner)
  • private key/.pem file - 0400 (read only by owner)
  • public key/.pub file - 0600 (read & write only by owner)

    chmod XXXX file/directory


The issue for me was that my .pem file was in one of my NTFS partitions. I moved it to my linux partition (ext4).

Gave required permissions by running:

chmod 400 my_file.pem

And it worked.


In windows,

  • Right click on the pem file. Then select properties.
  • Select security tab --> Click on Edit --> Remove all other user except current user
  • Go back to security tab again --> Click on Advanced --> Disable inheritance

Ok man, the only thing that worked for me was:

  1. Change permissions of the key

    chmod 400 mykey.pem

  2. Make sure to log in using ec2-user, and the correct ec2-99... address. The ec2-99 address is at the bottom of the aws console when you're logged in and seeing your instance listed

    ssh -i mykey.pem [email protected]


In Windows you can go to the properties of the pem file, go to the Security tab, then to the Advanced button.

Remove inheritance and all the permissions, then grant yourself full control. After that SSL will not give you the same error again.


Checklist:

  1. Are you using the right private key .pem file?

  2. Are its permissions set correctly? (My Amazon-brand AMIs work with 644, but Red Hat must be at least 600 or 400. Don't know about Ubuntu.)

  3. Are you using the right username in your ssh line? Amazon-branded = "ec2-user", Red Hat = "root", Ubuntu = "ubuntu". The user can be specified as "ssh -i pem username@hostname" OR "ssh -l username -i pem hostname"
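A pre-flight script covering this checklist and the points the earlier answers keep returning to (the chmod 400 answers, the openssl file check, and the default-user list), added here as an example and not code from any answer or from AWS. It checks that the file is really a private key (a header check works for any key format, whereas openssl rsa -check only reads traditional RSA PEM), that no group or other permission bits are set (OpenSSH refuses a private key when any of those bits is set, so 0600 and 0400 both pass; 0400 additionally guards against accidental overwrite), and that the login user matches the AMI family, using the first name the thread lists for each family. Function names and the family labels are this example's own; the host in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread or from AWS. Uses only POSIX sh,
# ls, cut, head and chmod, so it runs unchanged on Linux and macOS.

# Print the mode bits for group and other ("------" when fully locked down).
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# 0 when neither group nor other has any permission bit on the key file;
# this is the condition ssh enforces before it will use a private key.
key_mode_ok() {
    case "$(group_other_bits "$1")" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Make the key owner-read-only (0400); ssh never needs to write the key.
fix_key_mode() {
    chmod 400 "$1"
}

# 0 when the first line is a PEM/OpenSSH private-key header. A public key
# ("ssh-rsa AAAA...") or a truncated or mis-copied download fails this check.
key_header_ok() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN PRIVATE KEY-----"| \
        "-----BEGIN EC PRIVATE KEY-----"|"-----BEGIN OPENSSH PRIVATE KEY-----")
            return 0 ;;
        *)  return 1 ;;
    esac
}

# Default login user by AMI family, from the list in the thread (first name
# given where the thread lists two). Unknown family -> empty string.
default_user_for() {
    case "$1" in
        amazon|rhel|suse|fedora) echo "ec2-user" ;;
        ubuntu)                  echo "ubuntu" ;;
        centos)                  echo "centos" ;;
        debian)                  echo "admin" ;;
        *)                       echo "" ;;
    esac
}

# Run the checks, repair the mode if needed, and print the ssh command line
# rather than executing it, so the caller can review it first.
build_ssh_cmd() {
    key=$1; family=$2; host=$3
    key_header_ok "$key" || { echo "not a private key: $key" >&2; return 2; }
    key_mode_ok "$key"   || { echo "fixing mode on $key" >&2; fix_key_mode "$key"; }
    user=$(default_user_for "$family")
    [ -n "$user" ] || { echo "unknown AMI family '$family'; check with the AMI provider" >&2; return 3; }
    echo "ssh -i $key $user@$host"
}

# Usage (placeholder host): build_ssh_cmd ~/.ssh/amazonec2.pem amazon <public-dns>
```

The mode test looks at the group and other columns of ls -l rather than at a fixed "400" string, because that is what ssh itself tests: 0600 passes just as 0400 does, and a 0640 or 0604 file fails even though the owner bits are right.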

