AWS SSH connection error: Permission denied (publickey)

23
votes

Im trying to connect to my EC2 instance with SSH and Iḿ getting crazy. I have read this post and tried all user combinations:

AWS ssh access 'Permission denied (publickey)' issue

Its still not working for me. Any idea what am I missing?

  roberto@ubuntu:~/keys$ ssh -v -i ec2-key-pair.pem [email protected]
OpenSSH_6.6, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to ec2-54-72-242-0.eu-west-1.compute.amazonaws.com [54.72.242.0] port 22.
debug1: Connection established.
debug1: identity file ec2-key-pair.pem type -1
debug1: identity file ec2-key-pair.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6p1 Ubuntu-2ubuntu1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr [email protected] none
debug1: kex: client->server aes128-ctr [email protected] none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA e4:06:ee:a5:a5:d2:97:5f:0f:b7:06:5e:f2:b3:da:26
debug1: Host 'ec2-54-72-242-0.eu-west-1.compute.amazonaws.com' is known and matches the ECDSA host key.
debug1: Found key in /home/roberto/.ssh/known_hosts:3
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: ec2-key-pair.pem
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).

UPDATE:

According to @aldanux suggestions:

    roberto@ubuntu:~/keys$ ssh-keygen -R 54.72.242.0
# Host 54.72.242.0 found: line 4 type ECDSA
/home/roberto/.ssh/known_hosts updated.
Original contents retained as /home/roberto/.ssh/known_hosts.old
roberto@ubuntu:~/keys$ ssh -i ec2-key-pair.pem [email protected]
Warning: Permanently added the ECDSA host key for IP address '54.72.242.0' to the list of known hosts.
Permission denied (publickey).
9
amazon-web-servicessshamazon-ec2ssh-keys
It looks like ec2-key-pair.pem is invalid/corrupt, "key_parse_private2: missing begin marker".PlasmaPower
@PlasmaPower see my comments below. Thanks.Rober
I made a detail tutorial here if it may helpphanvugiap

9 Answers

4
votes

Try this steps:

ssh-keygen -R 54.72.242.0

sudo chmod 600 ec2-key-pair.pem

and then:

ssh -i ec2-key-pair.pem [email protected]
34
votes

You are probably logging in as the wrong user. If it's a Ubuntu instance the command would be:

ssh -v -i ec2-key-pair.pem [email protected]
16
votes

While not specific to AWS, this unhelpful error message

debug1: key_parse_private2: missing begin marker

will occur under a handful of obscure scenarios, such as when the ownership (or the permissions) on the SSH user's home directory are incorrect on the remote machine.

The best way to troubleshoot this and similar obscure messages is to examine the authorization log on the remote machine, provided you have access, as it will usually pinpoint the problem. On Debian and Ubuntu systems, this is most easily accomplished with tail (use sudo as appropriate):

tail -f -n 80 /var/log/auth.log

In my particular case, I found

Authentication refused: bad ownership or modes for directory /var/www

Perfectly accurate and concise: the owner:group was set to daemon:daemon when it should have been www-data:www-data (this was on a Ubuntu machine that must have had some other web-server installed in the past).

5
votes

I had a similar issue, "key_parse_private2: missing begin marker" while using username 'ec2-user' but it got fixed when I changed to ubuntu as the user.

1
votes

Another thing to check is PermitRootLogin and AllowUsers in /etc/ssh/sshd_config.

This debug1: key_parse_private2: missing begin marker appears even after successful key authorization if your user access restricted.

0
votes

Yes, indeed quite misleading message. In my case I used wrong key for instance.

We had need to removed key pair and created new one, except that our instance kept using old one(because you can't do it that easy).

The error message was the same so it's worth to check key name in your aws panel of instance match the key pair that you use in key paris.

0
votes

Logging in as "admin" worked for me. Based on your instance type the login user changes. ec2-user or ubuntu or in my case admin. ssh -v -i ./my_key_file.pem [email protected]

Also ensure the permission for the pem file is 600 chmod 600 ./my_key_file.pem

0
votes

One easy way to get this error is a corrupt .pem file.

For example, if the last line is missing, you get "missing begin marker".

Make sure the .pem ends with:

-----END RSA PRIVATE KEY-----

-3
votes

Many problems may cause the connectivity issue: Please review the following settings:

  1. AWS security group settings and check the ssh port 22 policy
  2. Check the firewall setting you are using in your lan connection
  3. Generate the ssh-keygen on your local machine and add to aws linux server for future safety.
  4. Regenerate the new ssh key in the panel.
  5. Check your ipblacklist on mxtoolbox if you are using firewall on the aws linux server.

Please try above all if possible to overcome the error. Let me know if its working or not.