@jamesallan93
Last active April 7, 2024 19:55
Saving some steps here. I had some issues when trying to SSH to my AWS EC2 instance, and doing these steps solved my problem.

Permission Denied (publickey) When SSH Access to Amazon EC2 Instance

Sources

Amazon EC2 Knowledge Center: How do I fix 'Permission denied (publickey)' errors when I connect to my Amazon EC2 Linux instance?

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/describe-keys.html#retrieving-the-public-key

Steps to Fix

  1. Stop the Newly Created Instance

    • After creating a new instance, stop it.
  2. Assign a Static IP

    • Go to Network & Security > Elastic IP and add a static IP to the instance so that its public IP address does not change when the instance stops.
    • Stopping and starting the instance changes the public IP address of your instance. It's a best practice to use an Elastic IP address instead of a public IP address when routing external traffic to your instance.
  3. Locate or Create a New Key

    • Remember the .pem or .ppk file downloaded when creating an instance? Locate this file. If needed, create a new key:
      • Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
      • In the left navigator, choose Key Pairs.
      • You can view the information about each public key in the Key Pairs table.
  4. Retrieve the Public Key Material

    • To retrieve the public key material from the private key, use the ssh-keygen command on your local Linux or macOS computer. Specify the path where you downloaded your private key (the .pem file).
    • Command: ssh-keygen -y -f /path_to_key_pair/my-key-pair.pem
    • The command returns the public key. If the command fails, ensure you've changed the permissions on your private key pair file so that only you can view it by running chmod 400 key-pair-name.pem.
  5. Prepare User Data Script

    • Replace the placeholder @@@@@@ with the user name associated with the AMI you launched your instance from.
    • Replace the example key YOUR_SSH_KEY_HERE with the public key extracted in the previous step.
    • Keep this user data script at hand; it is pasted into the instance's user data in a later step.
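Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
# Run user scripts on every boot, not only on the first one.
cloud_final_modules:
  - [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"

#!/bin/bash
# Replace @@@@@@ with the default user name for your AMI (see "Default user names").
OS_USER=@@@@@@
# Reset ownership and modes on /home, the home directory, .ssh and authorized_keys.
chown root:root /home
chmod 755 /home
chmod 700 /home/$OS_USER
chmod 700 /home/$OS_USER/.ssh
chmod 600 /home/$OS_USER/.ssh/authorized_keys
# Append the public key printed by ssh-keygen -y in step 4.
echo 'ssh-rsa YOUR_SSH_KEY_HERE' >> /home/$OS_USER/.ssh/authorized_keys
# Make the user the owner of the home directory and everything in it.
chown $OS_USER:$OS_USER /home/$OS_USER -R
--//--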
  6. Prepare To Paste

    • Open the Amazon EC2 console.

    • Choose Instances from the navigation pane, and then select the instance you are trying to launch.

    • Stop the instance.

    • Choose Actions, Instance settings, Edit User Data.

    • Copy the step 5 data script into the Edit User Data dialog box, and then choose Save.

    • Start your instance again.

  7. SSH to your instance

    • Navigate to the .pem location on your PC and run:

    ssh -i "my-test-server.pem" [email protected]

    • Don't forget to use the correct user for the server.
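
Because the cloud-config part sets scripts-user to always, the user data script runs on every boot, so the key-install step benefits from being idempotent and from rejecting anything that is not a public key line. The sketch below is an added example, not part of the original gist or the AWS article; the function names (valid_pubkey, install_key, strict_ok) and the sample key are constructed for illustration, and it works on a throwaway directory instead of /home.

```sh
#!/bin/sh
# Added example, not the gist's or AWS's script. Function names are hypothetical.

# valid_pubkey 'LINE': accept exactly one OpenSSH public key line
# (type, base64 blob, optional comment); rejects a pasted private key.
valid_pubkey() {
  [ "$(printf '%s\n' "$1" | grep -c '')" -eq 1 ] || return 1
  printf '%s\n' "$1" | grep -Eq \
    '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_key HOME_DIR 'LINE': add the key once and set the modes from step 5.
# Safe to run on every boot: an existing identical line is not appended again.
install_key() {
  home_dir=$1; key=$2
  ssh_dir=$home_dir/.ssh; auth=$ssh_dir/authorized_keys
  valid_pubkey "$key" || { echo "refusing: not a public key line" >&2; return 2; }
  mkdir -p "$ssh_dir" || return 1
  touch "$auth" || return 1
  grep -qxF -e "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
  chmod 700 "$home_dir" "$ssh_dir" && chmod 600 "$auth"
}

# strict_ok PATH...: fail if any path is writable by group or others,
# the condition sshd's StrictModes check rejects.
strict_ok() {
  for p in "$@"; do
    case $(ls -ld "$p" | cut -c6,9) in
      *w*) echo "too open: $p" >&2; return 1 ;;
    esac
  done
}

# Constructed sample key (not a real key) and a throwaway directory.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedKeyMaterial0000000000000 demo@example'
demo_home=$(mktemp -d)
install_key "$demo_home" "$SAMPLE_KEY"
install_key "$demo_home" "$SAMPLE_KEY"   # second "boot": no duplicate line
strict_ok "$demo_home" "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
echo "keys installed: $(grep -c '' "$demo_home/.ssh/authorized_keys")"
```

On the instance, the same checks would be pointed at /home/$OS_USER and followed by the chown from step 5, which needs root.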

Default user names

The default user name for your EC2 instance is determined by the AMI that was specified when you launched the instance.

The default user names are:

  • For AL2023, Amazon Linux 2, or the Amazon Linux AMI, the user name is ec2-user.

  • For a CentOS AMI, the user name is centos or ec2-user.

  • For a Debian AMI, the user name is admin.

  • For a Fedora AMI, the user name is fedora or ec2-user.

  • For a RHEL AMI, the user name is ec2-user or root.

  • For a SUSE AMI, the user name is ec2-user or root.

  • For an Ubuntu AMI, the user name is ubuntu.

  • For an Oracle AMI, the user name is ec2-user.

  • For a Bitnami AMI, the user name is bitnami.

Note

To find the default user name for other Linux distributions, check with the AMI provider.
