Permission denied (public key) on AWS Linux instance

Issue: I cannot SSH into my amazon web service (AWS) instance.

There are a many threads on this, but these issues were resolved by changing the login username. My problem does not appear to be fixed by a different username. Previous questions that were answered by changing login username can be found at:


Here is the verbose output from the SSH attempt:

/development/aws$ > ssh -vvv -i "/development/aws/cgwebsites-wp.pem" ec2-user@52.24.142.84
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 52.24.142.84 [52.24.142.84] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/development/aws/cgwebsites-wp.pem" as a RSA1 public key
debug1: identity file /development/aws/cgwebsites-wp.pem type -1
debug1: identity file /development/aws/cgwebsites-wp.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH*
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "52.24.142.84" from file "/Users/cgood92/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5-etm@openssh.com
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug2: mac_setup: found hmac-md5-etm@openssh.com
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 114/256
debug2: bits set: 518/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA b5:4d:14:77:0a:8b:54:2c:5e:38:8d:8d:7b:91:da:2f
debug3: load_hostkeys: loading entries for host "52.24.142.84" from file "/Users/cgood92/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
The authenticity of host '52.24.142.84 (52.24.142.84)' can't be established.
RSA key fingerprint is b5:4d:14:77:0a:8b:54:2c:5e:38:8d:8d:7b:91:da:2f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '52.24.142.84' (RSA) to the list of known hosts.
debug2: bits set: 534/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /development/aws/cgwebsites-wp.pem (0x0), explicit
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /development/aws/cgwebsites-wp.pem
debug1: read PEM private key done: type RSA
debug3: sign_and_send_pubkey: RSA 0b:e9:55:d9:db:d5:a6:d7:c5:6e:2d:0c:fc:0c:1f:2b
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).

So my issue is this Permission denied (publickey). problem.


Here is what I have done to debug it.

1) I have verified that I am using the correct elastic ip address. I have also tried using the longer Public DNS address, with the exact same results. So I am sure that I have the correct HOST.

2) I have made sure the security group rules allow SSH. First of all, it was already set to allow TCP incoming traffic on port 22. Just to be safe, I added a rule to allow all TCP incoming traffic for all ports, for all ip addresses. Outgoing traffic has a rule to allow everything to everywhere.

3) I have verified that I am using the correct Key pair name. It is located under the "EC2" > "instance" > "Key pair name". It says "cgwebsites-wp", and I have the correct key pair name located locally at /development/aws/cgwebsites-wp.pem, as shown above in my verbose output. I've also verified that my path to that file is correct, because when I put something bogus like /development/aws/cgwebsites-wp222.pem, the errors tell me specifically that they could not find the file.

4) I have tried several different usernames, as suggested by every and all posts to this question on other links. To be more specific, I have tried admin, ubuntu, root, ec2-user, fedora. I even tried the ID found at "EC2" > "instance" > "AMI ID". None work, all produce similar messages.

5) I have tried this on a windows computer (had to create private key packet using puttyGen), as well as a mac computer. Same error on both.

6) I have tried this on another AWS instance of mine, and everything works fine there. So my Amazon account is fine.

7) I have tried deleting all SSH cache files (in Windows cleared some registry sections, and on mac I've ran ssh-keygen -R 52.24.142.84.

8) I've checked to make sure the instance is up and running, and it has a green light, plus I can access the site via the elasticbeanstalk url.

9) I have tried changing the permissions of the .pem file by both of the commands chmod 600 /development/aws/cgwebsites-wp.pem and chmod 400 /development/aws/cgwebsites-wp.pem.

10) This isn't a firewall issue or something like that, because I can SSH into my other AWS instance.

11) Naturally I have terminated and re-instated several linux instances, all with this same error.

12) I know this is not an issue with a corrupt .pem file, because I am using that exact same file to SSH into my other AWS instance.

This has been a very frustrating issue. It seems like many people have had similar problems to mine, but almost everybody solved it by changing the username. I've tried that, including the suggestions and script at https://alestic.com/2014/01/ec2-ssh-username/. But nothing.

Any help would be so appreciated!

Answers


Looks like the keypair was bad. Try generating a new keypair, downloading it, and using that. The process can be found at: https://stackoverflow.com/a/4921866/4512451


This has happened once over here. I duplicated an instance and I was never able to SSH into it, I literally spent hours trying to SSH. I had to remove the instance and then I installed the same key pair again, it worked!


Need Your Help

swig xcb lib and ruby

ruby swig xcb

I want to create a basic ruby module for xcb for my own use.

Gray screen on c++ opencv

c++ windows visual-studio-2010 opencv

I have searched a lot about my simple problem but I didn't find solution. When I run my code black console shows me the camera frame size but in the window video is not showing, it shows a solid gray