Permission denied (publickey) When SSH’ing into EC2

Posted on February 24, 2014 in Development

Recently I needed to add a new admin account on my EC2 instance, but once I created the account, I couldn’t SSH into the server for some reason. I was getting denied with the error message Permission denied (publickey).

I tried the usual tips, such as:

1) Ensuring that the permissions on the user’s .ssh folder are 700 and permissions on the files inside 600.

cd ~
chmod 700 .ssh
chmod 600 .ssh/*

2) Ensuring that the public key has been correctly copied inside the authorized_keys file:

cd ~/.ssh
cat id_rsa.pub >> authorized_keys   # append, so keys already in the file are kept

I even tried to regenerate the key pair and triple-checked that I was using the correct username and IP address in my ssh command. Still no dice.

3) Next I tried to use ssh in verbose mode:

ssh -2 -i id_rsa yourusername@yourserveripaddress -v

Sample output:

OpenSSH_5.6p1, OpenSSL 0.9.8y 5 Feb 2013
debug1: Reading configuration data /Users/pixelninja/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: Applying options for *
debug1: Connecting to 123.456.789.123 [123.456.789.123] port 22.
debug1: Connection established.
debug1: identity file id_rsa type -1
debug1: identity file id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8p1 Debian-7ubuntu1
debug1: match: OpenSSH_5.8p1 Debian-7ubuntu1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '123.456.789.123' is known and matches the RSA host key.
debug1: Found key in /Users/pixelninja/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: id_rsa
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).

This can oftentimes be helpful, but didn't give me much to go on in this case.

4) Then I thought of checking out the auth.log on the server: tail -f /var/log/auth.log

I saw this:

Feb 20 12:20:01 ip-10-146-6-243 CRON[14781]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Feb 20 12:20:01 ip-10-146-6-243 CRON[14781]: pam_unix(cron:session): session closed for user smmsp
Feb 20 12:20:04 ip-10-146-6-243 sshd[14806]: User pixelninja from myipaddress not allowed because not listed in AllowUsers

Ah, got ya!

Open your SSH config file: sudo vi /etc/ssh/sshd_config

In the # Authentication section, make sure that your username is in AllowUsers:

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
AllowUsers ubuntu pixelninja
StrictModes yes

Restart your SSH service: sudo service ssh restart

Try to ssh into your instance again.
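
The server-side check that explained the failure above, as an added example that is not code from the original post: it reads the AllowUsers patterns from an sshd_config and pulls sshd's stated rejection reason for a user out of auth.log. The function names, the `ops-*` pattern and both sample files are constructed for illustration, and it assumes a flat sshd_config (no Match blocks or Include files) and traditional syslog-format log lines.

```shell
#!/bin/sh
# Added example (not the post's code): explain a "Permission denied (publickey)"
# that comes from sshd's AllowUsers check rather than from keys or file modes.
# Assumptions: a flat sshd_config (Match blocks and Include files are ignored)
# and syslog-style auth.log lines like the one quoted in the post.

# Print every AllowUsers pattern in config file $1, one per line.
# Keyword names are case-insensitive and repeated AllowUsers lines accumulate.
allow_patterns() {
  awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Succeed if user $2 passes the AllowUsers patterns in $1. No AllowUsers line
# means the directive imposes no restriction. '*' and '?' wildcards map onto
# shell globs; for USER@HOST entries only the USER part is compared here.
user_allowed() {
  pats=$(allow_patterns "$1")
  [ -z "$pats" ] && return 0
  while read -r pat; do
    case $2 in ${pat%%@*}) return 0 ;; esac
  done <<EOF
$pats
EOF
  return 1
}

# Print the distinct reasons sshd logged for rejecting user $2 in auth log $1.
denial_reasons() {
  awk -v u="$2" '$5 ~ /^sshd\[/ && $6 == "User" && $7 == u {
    sub(/.* not allowed because /, ""); print }' "$1" | sort -u
}

# Constructed sample data mirroring the post (ops-* is a made-up pattern).
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config" <<'EOF'
# Authentication:
LoginGraceTime 120
AllowUsers ubuntu ops-*
StrictModes yes
EOF
cat > "$demo_dir/auth.log" <<'EOF'
Feb 20 12:20:01 ip-10-146-6-243 CRON[14781]: pam_unix(cron:session): session closed for user smmsp
Feb 20 12:20:04 ip-10-146-6-243 sshd[14806]: User pixelninja from myipaddress not allowed because not listed in AllowUsers
EOF

for u in ubuntu ops-deploy pixelninja; do
  if user_allowed "$demo_dir/sshd_config" "$u"; then echo "$u: allowed"
  else echo "$u: blocked ($(denial_reasons "$demo_dir/auth.log" "$u"))"; fi
done
```

On a live server, the output of `sudo sshd -T` (the effective configuration, with lower-case keywords) can be saved to a file and passed as the first argument instead of the raw sshd_config. Running `sudo sshd -t` after editing the file and before restarting the service catches syntax errors while the current session is still open.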
