I have set up both /home/ec2-user/.ssh/authorized_keys and /root/.ssh/authorized_keys to contain the public key of the private key I intend to use. This has already worked with an Ubuntu instance, but with the ubuntu user.
The issue is, whether I SSH to this instance's public DNS address and use root or ec2-user as the user in PuTTy, I get
Access denied
ec2-user#ec2-54-213-118-179.us-west-2.compute.amazonaws.com's password:
And a prompt for my password.
This all worked with my Ubuntu instance, but doesn't seem to work with my Red Hat instance.
How do I get Red Hat to properly accept my private key and not prompt me for a password?
You can try adding your private key to your running Pageant which is basically the ssh agent that does the handshake for Putty ssh sessions.
There's an example on how to use Pageant in the WinSCP page:
http://winscp.net/eng/docs/ui_pageant
I believe it's related to this bug:
https://forums.aws.amazon.com/thread.jspa?messageID=475492#
If you are using EBS can you try mounting the EBS volume on another instance and examine the problem?
Does the authorized_keys file have 600 permissions?
chmod 600 /home/ec2-user/.ssh/authorized_keys
Does the .ssh directory have 700 permissions?
chmod 700 /home/ec2-user/.ssh/
What does the file /var/log/secure say? That file will usually explain why a SSH login failed.
Related
I have built an MF container image and pushed it. I have copied the file in (Mac) ~/.ssh/id_rsa.pub to mfpf-server/usr/ssh before building the image.
I am trying to connect using the command in Mac terminal:
ssh -i ~/.ssh/id_rsa admin#public_ip
It says:
Permission denied (publickey).
Any idea? What is the user I shall use?
your problem is very probably related to the permissions of the pub key copied on the container or to the configuration of your key.
You could check the permissions of key copied on the container, sshd is really strict on permissions for the authorized_keys files: if authorized_keys is writable for anybody other than the user or can be made writable by anybody other than the user, sshd will refuse to authenticate (unless sshd is configured with StrictModes no)
Moreover such a problem won't be showed using ssh -v, it will showed only on daemon logs (on the container)
From man sshd(8):
~/.ssh/authorized_keys
Lists the public keys (RSA/DSA) that can be used for logging in
as this user. The format of this file is described above. The
content of the file is not highly sensitive, but the recommended
permissions are read/write for the user, and not accessible by
others.
If this file, the ~/.ssh directory, or the user's home directory
are writable by other users, then the file could be modified or
replaced by unauthorized users. In this case, sshd will not
allow it to be used unless the StrictModes option has been set to
“no”.
So I suggest you to check about the files and directories permissions.
Then check that the content of your pub key has been copied correctly on authorized_keys listing
/root/.ssh/authorized_keys
To access the container with the ssh key you need to use the "root" user.
ssh -i ~/.ssh/id_rsa root#<ip address>
Trying to connect Cloud9 to my Digital Ocean droplet and I'm getting:
Cloud9 couldn't connect to SSH server
I've added the ssh public key into my .ssh/authorized_keys file and I know I can connect via ssh. Is there any way to get more info than just that is can't connect?
David
You need to add public key from your profile to .ssh/authorized_keys (not hosts) and make sure that .ssh/authorized_keys file belongs to you and have can be read written only by the owner (should say -rw------- when doing ls -la ~/.ssh)
To get a bit more info, you can try SSHing into your server from one of your other Cloud9 workspaces. Since your Cloud9 SSH key is the same across all workspaces, you'll be able to check if your key has been properly added to the server this way.
I wasn't able to figure out how to get more info on this but I was able to figure out that it was permissions on the .ssh/authorized_keys file / directory. Thanks again for all the help
David
Just finished chatting with cloud9 support and got this working. It's important to note that there are THREE items that require specific permissions:
you user home folder (~) folder should be drwxr-xr-x
your ~/.ssh folder should be drwx------
your ~/.ssh/authorized_keys folder should be -rw-------
Here's in my case
check your instance security groups and ACL
check your sshd_config, ssh, and PAM auth (default is fine, but in my case I mistakenly set PubKeyAuthentication to No), I tried to mimic the ssh connection with ssh -vvv user#ip_address from another server (after putting the public key in the ~/.ssh/authorized_keys file), make sure it's -rw-------
check for the files and folders permission, especially in the ~/.ssh folder
check incoming connection errors in /var/log/auth.log
check for node js if it's installed
put the node path (use which node command)
I am trying to connect to a Centos 6.3 Server using an SSH Key so I can run a script remotely without it asking for a password everytime. I have followed the following instructions:
Login to the server using the normal ssh command and password one time so the server adds your computer to the known hosts
In your computer using cygwin-terminal generate the keys and leave the passphrase blank:ssh-keygen -t rsa
Now set permissions on your private key and ssh folder:chmod 700 ~/.ssh & chmod 600 ~/.ssh/id_rsa
Copy the public key (id_rsa.pub) to the server, login to the server and add the public key to the authorized_keys list: cat id_rsa.pub >> ~/.ssh/authorized_keys
Once you've imported the public key, you can delete it from the server. Set file permissions on the server: chmod 700 ~/.ssh & chmod 600 ~/.ssh/authorized_keys
Retart the ssh daemon on the server: service sshd restart
Test the connection from your computer:ssh root#198.61.220.107
But when I try to ssh to the remote server it is still asking me for the password. The .ssh folder was not created on the server so I had to created myself. Any ideas of what might be happening? did I miss something? Is there another way to set up the keys?
Well it turns out I had stupidly changed the owner of the /root directory when I was setting up the server so since this is where the /.ssh directory was for the user I was trying to loggin with (root) it was denying access to that directory because it belonged to another user.
Dec 10 16:25:49 thyme sshd[9121]: Authentication refused: bad ownership or modes for directory /root
I changed the owner back to root and that did it.
chown root /root
Thanks guys for you help.
Apparently this is a known bug. The suggested solution doesn't actually work, but I found that this would on a CentOS 6.2 system at work:
chmod 600 .ssh/authorized_keys
chmod 700 .ssh
Althogh OP had found a solution, I would like to record my solution of similar problem in the hope that it will be helpful to those who google similar problem and reach this answer.
The reason of my issue is that the .ssh directory in the user's home folder on CentOS server was not set a proper mode after being created by useradd command.
In addition, I need to manually set .ssh folder mode by following commands:
chmod g-w /home/user
chmod 700 /home/user/.ssh
chmod 600 /home/user/.ssh/authorized_keys
Other answers are generic, note that Centos 6 uses selinux. selinux can deny access to the authorised_keys file despite correct permissions and ownership
From the known issues in Centos 6 Release Notes:
Make sure that you setup correctly the selinux context of the public key if you transfer it to a CentOS 6 server with selinux
enabled. Otherwise selinux might forbid access to the
~/.ssh/authorized_keys file and by matter of consequence key
authentication will not work. In order to setup the correct context
you can use:
restorecon -R -v /home/user/.ssh
ssh-copy-id from CentOS 6 is aware of selinux contexts and the previous workaround is not needed.
I was given some login information for an EC2 machine, basically an ec2-X-X-X.compute-X.amazonaws.com plus a username and password.
How do I access the machine? I tried sshing:
ssh username#ec2-X-X-X.compute-X.amazonaws.com
but I get a Permission denied, please try again. when I enter the password. Is sshing the right way to access the EC2 machine? (Google hits I found suggested that you could ssh into the machine, but they also used keypairs.) Or is it more likely that the problem is that I was given invalid login credentials?
If you are new to AWS and need to access a brand new EC2 instance via ssh, keep in mind that you also need to allow incoming traffic on port 22.
Assuming that the EC2 instance was created accepting all the default wizard suggestions, access to the machine will be guarded by the default security group, which basically prohibits all inbound traffic. Thus:
Go to the AWS console
Choose Security Groups on the left navigation pane
Choose default from the main pane (it may be the only item in the list)
In the bottom pane, choose Inbound, then Create a new rule: SSH
Click Add rule and then Apply Rule Changes
Next, assuming that you are in possession of the private key, do the following:
$ chmod 600 path/to/mykey.pem
$ ssh -i path/to/mykey.pem root#ec2-X-X-X.compute-X.amazonaws.com
My EC2 instance was created from a Ubuntu 32-bit 12.04 image, whose configuration does not allow ssh access to root, and asks you to log in as ubuntu instead:
$ ssh -i path/to/mykey.pem ubuntu#ec2-X-X-X.compute-X.amazonaws.com
Cheers,
Giuseppe
Our Amazon AMI says to "Please login as the ec2-user user rather than root user.", so it looks like each image may have a different login user, e.g.
ssh -i ~/.ssh/mykey.pem ec2-user#ec2-NN-NNN-NN-NN.us-foo-N.compute.amazonaws.com
In short, try root and it will tell you what user you should login as.
[Edit] I'm supposing that you don't have AWS management console credentials for the account, but if you do, then you can navigate to the EC2->Instances panel of AWS Management Console, right click on the machine name and select "Connect..." A list of the available options for logging in will be displayed. You will (or should) need a key to access an instance via ssh. You should have been given this or else it may need to be generated.
If it's a Windows instance, you may need to use Remote Desktop Connection to connect using the IP or host name, and then you'll also need a Windows account login and password.
The process of connecting to an AWS EC2 Linux instance via SSH is covered step-by-step (including the points mentioned below) in this video.
To correct this particular issue with SSH-ing to your EC2 instance:
The ssh command you ran is not in the correct format. It should be:
ssh -i /path/my-key-pair.pem ec2-user#ec2-198-51-100-1.compute-1.amazonaws.com
Note, you need access to the private key (.pem) file to use in the command above. AWS prompts you to download this file when you first launch your instance. You will need to run the following command to ensure that only your root user has read-access to it:
chmod 400 /path/to/yourKeyFile.pem
Depending on your Linux distribution, the user you need to specify when you run ssh may be one of the following:
For Amazon Linux, the user name is ec2-user.
For RHEL, the user name is ec2-user or root.
For Ubuntu, the user name is ubuntu or root.
For Centos, the user name is centos.
For Fedora, the user name is ec2-user.
For SUSE, the user name is ec2-user or root.
Otherwise, if ec2-user and root don't work, check with your AMI provider.
You need to enable an inbound SSH firewall. This can be done under the Security Groups section of AWS. Full details for this piece can be found here.
For this you need to be have a private key it's like keyname.pem.
Open the terminal using ctrl+alt+t.
change the file permission as a 400 or 600 using command chmod 400 keyname.pem or chmod 600 keyname.pem
Open the port 22 in security group.
fire the command on terminal ssh -i keyname.pem username#ec2-X-X-X.compute-X.amazonaws.com
Indeed EC2 (Amazon Elastic Compute Cloud) does not allow password authentication to their instances (linux machines) by default.
The only allowed authentication method is with an SSH key that is created when you create the instance. During creation they allow you to download the SSH key just once, so if you loose it, then you have to regenerate it.
This SSH key is only for the primary user - usually named
"ec2-user" (Amazon Linux, Red Hat Linux, SUSE Linux)
"root" (Red Hat Linux, SUSE Linux)
"ubuntu" (Ubuntu Linux distribution)
"fedora" (Fedora Linux distribution)
or similar (depending on distribution)
See connection instructions: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstances.html
If you want to add a new user the recommended way is to generate and add a new SSH key for the new user, but not specify a password (which would be useless anyway since password authentication is not enabled by default).
Managing additional users: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/managing-users.html
After all if you want to enable password authentication, which lowers down the security and is not recommended, but still you might need to do that for your own specific reasons, then just edit
/etc/ssh/sshd_config
For example:
sudo vim /etc/ssh/sshd_config
find the line that says:
PasswordAuthentication no
and change it to
PasswordAuthentication yes
Then restart the instance
sudo reboot
After restarting, you are free to create additional users with password authentication.
sudo useradd newuser
sudo passwd newuser
Add the new user to the sudoers list:
sudo usermod -a -G sudo newuser
Make sure user home folder exists and is owned by the user
sudo mkdir /home/newuser
sudo chown newuser:newuser /home/newuser
New you are ready to try and login with newuser via ssh.
Authentication with ssh keys will continue to work in parallel with password authentication.
I'm working to set up Panda on an Amazon EC2 instance.
I set up my account and tools last night and had no problem using SSH to interact with my own personal instance, but right now I'm not being allowed permission into Panda's EC2 instance.
Getting Started with Panda
I'm getting the following error:
# WARNING: UNPROTECTED PRIVATE KEY FILE! #
Permissions 0644 for '~/.ec2/id_rsa-gsg-keypair' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
I've chmoded my keypair to 600 in order to get into my personal instance last night, and experimented at length setting the permissions to 0 and even generating new key strings, but nothing seems to be working.
Any help at all would be a great help!
Hm, it seems as though unless permissions are set to 777 on the directory, the ec2-run-instances script is unable to find my keyfiles.
I've chmoded my keypair to 600 in order to get into my personal instance last night,
And this is the way it is supposed to be.
From the EC2 documentation we have "If you're using OpenSSH (or any reasonably paranoid SSH client) then you'll probably need to set the permissions of this file so that it's only readable by you." The Panda documentation you link to links to Amazon's documentation but really doesn't convey how important it all is.
The idea is that the key pair files are like passwords and need to be protected. So, the ssh client you are using requires that those files be secured and that only your account can read them.
Setting the directory to 700 really should be enough, but 777 is not going to hurt as long as the files are 600.
Any problems you are having are client side, so be sure to include local OS information with any follow up questions!
Make sure that the directory containing the private key files is set to 700
chmod 700 ~/.ec2
To fix this,
you’ll need to reset the permissions back to default:
sudo chmod 600 ~/.ssh/id_rsa
sudo chmod 600 ~/.ssh/id_rsa.pub
If you are getting another error:
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/geek/.ssh/known_hosts).
This means that the permissions on that file are also set incorrectly, and can be adjusted with this:
sudo chmod 644 ~/.ssh/known_hosts
Finally, you may need to adjust the directory permissions as well:
sudo chmod 755 ~/.ssh
This should get you back up and running.
I also got the same issue, but I fix it by changing my key file permission to 600.
sudo chmod 600 /path/to/my/key.pem
The private key file should be protected. In my case i have been using the public_key authentication for a long time and i used to set the permission as 600 (rw- --- ---) for private key and 644 (rw- r-- r--) and for the .ssh folder in the home folder you will have 700 permission (rwx --- ---). For setting this go to the user's home folder and run the following command
Set the 700 permission for .ssh folder
chmod 700 .ssh
Set the 600 permission for private key file
chmod 600 .ssh/id_rsa
Set 644 permission for public key file
chmod 644 .ssh/id_rsa.pub
Change the File Permission using chmod command
sudo chmod 700 keyfile.pem
On windows, Try using git bash and use your Linux commands there. Easy approach
chmod 400 *****.pem
ssh -i "******.pem" ubuntu#ec2-11-111-111-111.us-east-2.compute.amazonaws.com
Keep your private key, public key, known_hosts in same directory and try login as below:
ssh -I(small i) "hi.pem" ec2-user#ec2-**-***-**-***.us-west-2.compute.amazonaws.com
Same directory in the sense,
cd /Users/prince/Desktop.
Now type ls command
and you should see
**.pem **.ppk known_hosts
Note: You have to try to login from the same directory or you'll get a permission denied error as it can't find the .pem file from your present directory.
If you want to be able to SSH from any directory, you can add the following to you ~/.ssh/config file...
Host your.server
HostName ec2-user#ec2-**-***-**-***.us-west-2.compute.amazonaws.com
User ec2-user
IdentityFile ~/.ec2/id_rsa-gsg-keypair
IdentitiesOnly yes
Now you can SSH to your server regardless of where the directory is by simply typing ssh your.server (or whatever name you place after "Host").
Just to brief the issue, that pem files permissions are open for every user on machine i.e any one can read and write on that file
On windows it difficult to do chmod the way I found was using a git bash.
I have followed below steps
Remove user permissions
chmod ugo-rwx abc.pem
Add permission only for that user
chmod u+rw
run chmod 400
chmod 400 abc.pem
4.Now try ssh -i for your instance
If you are on a windows machine just copy the .pem file into C drive any folder and
re-run the command.
ssh -i /path/to/keyfile.pem user#some-host
In my case, I put that file in downloads and this actually works.
Or follow this https://99robots.com/how-to-fix-permission-error-ssh-amazon-ec2-instance/
I am thinking about something else, if you are trying to login with a different username that doesn't exist this is the message you will get.
So I assume you may be trying to ssh with ec2-user but I recall recently most of centos AMIs for example are using centos user instead of ec2-user
so if you are
ssh -i file.pem centos#public_IP please tell me you aretrying to ssh with the right user name otherwise this may be a strong reason of you see such error message even with the right permissions on your ~/.ssh/id_rsa or file.pem
The solution is to make it readable only by the owner of the file, i.e. the last two digits of the octal mode representation should be zero (e.g. mode 0400).
OpenSSH checks this in authfile.c, in a function named sshkey_perm_ok:
/*
* if a key owned by the user is accessed, then we check the
* permissions of the file. if the key owned by a different user,
* then we don't care.
*/
if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {
error("###########################################################");
error("# WARNING: UNPROTECTED PRIVATE KEY FILE! #");
error("###########################################################");
error("Permissions 0%3.3o for '%s' are too open.",
(u_int)st.st_mode & 0777, filename);
error("It is required that your private key files are NOT accessible by others.");
error("This private key will be ignored.");
return SSH_ERR_KEY_BAD_PERMISSIONS;
}
See the first line after the comment: it does a "bitwise and" against the mode of the file, selecting all bits in the last two octal digits (since 07 is octal for 0b111, where each bit stands for r/w/x, respectively).
sudo chmod 700 ~/.ssh
sudo chmod 600 ~/.ssh/id_rsa
sudo chmod 600 ~/.ssh/id_rsa.pub
The above 3 commands should solve the problem!
Just a note for anyone who stumbles upon this:
If you are trying to SSH with a key that has been shared with you, for example:
ssh -i /path/to/keyfile.pem user#some-host
Where keyfile.pem is the private/public key shared with you and you're using it to connect, make sure you save it into ~/.ssh/ and chmod 777.
Trying to use the file when it was saved elsewhere on my machine was giving the OP's error. Not sure if it is directly related.