Recently I needed to add a new admin account on my EC2 instance, but once I created the account, I couldn’t SSH into the server for some reason. I was getting denied with a "Permission denied (publickey)." error message.
I tried the usual tips, such as:
1) Ensuring that the permissions on the user’s .ssh folder are 700 and permissions on the files inside 600.
    cd ~
    chmod 700 .ssh
    chmod 600 .ssh/*
2) Ensuring that the public key has been correctly copied inside the authorized_keys file:
    cd ~/.ssh
    # ">" overwrites authorized_keys; use ">>" to keep keys that are already there
    cat id_rsa.pub > authorized_keys
I even tried to regenerate the key pair and triple-checked that I was using the correct username and IP address in my ssh command. Still no dice.
3) Next I tried to use ssh in verbose mode:
    ssh -2 -i id_rsa yourusername@yourserveripaddress -v
Sample output:
    OpenSSH_5.6p1, OpenSSL 0.9.8y 5 Feb 2013
    debug1: Reading configuration data /Users/pixelninja/.ssh/config
    debug1: Reading configuration data /etc/ssh_config
    debug1: Applying options for *
    debug1: Connecting to 123.456.789.123 [123.456.789.123] port 22.
    debug1: Connection established.
    debug1: identity file id_rsa type -1
    debug1: identity file id_rsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8p1 Debian-7ubuntu1
    debug1: match: OpenSSH_5.8p1 Debian-7ubuntu1 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.6
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host '123.456.789.123' is known and matches the RSA host key.
    debug1: Found key in /Users/pixelninja/.ssh/known_hosts:3
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Trying private key: id_rsa
    debug1: read PEM private key done: type RSA
    debug1: Authentications that can continue: publickey
    debug1: No more authentication methods to try.
    Permission denied (publickey).
This can oftentimes be helpful, but didn't give me much to go on in this case.
4) Then I thought of checking out the auth.log on the server:
    tail -f /var/log/auth.log
I saw this:
    Feb 20 12:20:01 ip-10-146-6-243 CRON[14781]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
    Feb 20 12:20:01 ip-10-146-6-243 CRON[14781]: pam_unix(cron:session): session closed for user smmsp
    Feb 20 12:20:04 ip-10-146-6-243 sshd[14806]: User pixelninja from myipaddress not allowed because not listed in AllowUsers
Ah, got ya!
Open the SSH daemon config file on the server:
    sudo vi /etc/ssh/sshd_config
In the # Authentication section, make sure that your username is in AllowUsers:
    # Authentication:
    LoginGraceTime 120
    PermitRootLogin yes
    AllowUsers ubuntu pixelninja
    StrictModes yes
Restart your SSH service:
    sudo service ssh restart
Try to ssh into your instance again.
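
The two checks that found the problem above (the AllowUsers rejection in auth.log and the AllowUsers line in sshd_config) can be scripted. This is an added example, not code from the original post; the function names, file names and sample data are constructed, and it generalizes slightly by honoring the * and ? wildcards that AllowUsers patterns allow.

```shell
#!/bin/sh
# Added example: helper names and sample data are constructed, not from the post.

# denied_by_allowusers LOG: print "user count" per account rejected by AllowUsers.
denied_by_allowusers() {
    sed -n 's/^.* sshd\[[0-9]*]: User \([^ ]*\) from .* not allowed because not listed in AllowUsers$/\1/p' "$1" |
        sort | uniq -c | awk '{ print $2, $1 }'
}

# allowusers_permits CONFIG USER: exit 0 if USER passes the global AllowUsers
# list in CONFIG, or if no AllowUsers line exists. Simplified: stops at the
# first Match block and ignores Include files, negated patterns and the host
# part of USER@HOST entries.
allowusers_permits() (
    set -f    # keep "*" in a pattern from expanding to file names
    pats=$(awk 'tolower($1) == "match" { exit }
                tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }' "$1")
    [ -z "$pats" ] && exit 0          # no AllowUsers line: nobody is restricted by it
    for pat in $pats; do
        case "$2" in
            ${pat%%@*}) exit 0 ;;     # pattern match, * and ? act as wildcards
        esac
    done
    exit 1
)

# Constructed sample input, modelled on the log line and config in the post.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/auth.log" <<'EOF'
Feb 20 12:20:01 host CRON[14781]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Feb 20 12:20:04 host sshd[14806]: User pixelninja from 203.0.113.7 not allowed because not listed in AllowUsers
Feb 20 12:21:10 host sshd[14822]: User pixelninja from 203.0.113.7 not allowed because not listed in AllowUsers
EOF
printf '%s\n' '# Authentication:' 'AllowUsers ubuntu' 'StrictModes yes' > "$SAMPLE_DIR/before.conf"
printf '%s\n' '# Authentication:' 'AllowUsers ubuntu pixelninja' 'StrictModes yes' > "$SAMPLE_DIR/after.conf"

denied_by_allowusers "$SAMPLE_DIR/auth.log"
for cfg in before after; do
    if allowusers_permits "$SAMPLE_DIR/$cfg.conf" pixelninja; then
        echo "$cfg.conf: pixelninja permitted"
    else
        echo "$cfg.conf: pixelninja blocked by AllowUsers"
    fi
done
```

On a live server, running sudo sshd -t before the restart validates the edited sshd_config, which avoids locking yourself out with a syntax error.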