Having trouble logging into an AWS instance using an SSH key? I was too, and when I finally figured out what the issue was I was kicking myself. Recently I was asked to help work out the details of a client's AWS deployment for a project whose original developers were no longer available or answering questions. Most of the instances I worked on initially gave me no trouble once I had obtained the correct SSH key (.pem file) for them. When the project was closing down I was asked to help back things up, and the SSH key appeared to fail for two of the instances, which also happened to be the two oldest (about two years old). Below I describe the error I was seeing over SSH and the easy fix.
I typically use SecureCRT for SSH, so the first error shown below is from SecureCRT. The error text is printed below the image so that anyone searching for SecureCRT's wording of this error can find it here.
SecureCRT Error Logging Into AWS Instance With SSH-Key:
SecureCRT Error Logging Into AWS Instance With SSH-Key Text:
The server recognized your public key, <ssh-agent>, but none of the known signature mechanisms were accepted. This normally means that the server you are connecting to does not comply with any of the supported standards. If you are connecting to a 2.0.12 server (either the non-commercial or the F-Secure version), public key authentication is not approved.
OS X Terminal Error Logging Into AWS Instance With SSH-Key:
Next I tried logging in with ssh from an OS X Terminal window, since SecureCRT sometimes behaves differently with SSH keys. I still got an error, shown in the verbose (-v) output below.
Users-MacBook-Pro:~ User$ ssh -i aws.pem -v root@ec2.us-west-1.compute.amazonaws.com
Warning: Identity file aws.pem not accessible: No such file or directory.
OpenSSH_5.9p1, OpenSSL 0.9.8r 8 Feb 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: /etc/ssh_config line 53: Applying options for *
debug1: Connecting to ec2.us-west-1.compute.amazonaws.com [204.236.161.X] port 22.
debug1: Connection established.
debug1: identity file /Users/User/.ssh/id_rsa type 1
debug1: identity file /Users/User/.ssh/id_rsa-cert type -1
debug1: identity file /Users/User/.ssh/id_dsa type -1
debug1: identity file /Users/User/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5
debug1: match: OpenSSH_5.5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA bf:2f:d4:a2:0e:33:33:02:43:69:c1:2a:22:bb:c5:b1
debug1: Host 'ec2.us-west-1.compute.amazonaws.com' is known and matches the RSA host key.
debug1: Found key in /Users/User/.ssh/known_hosts:21
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Offering RSA public key: "2048-bit RSA, converted by User@xinfectedxwinxme.ak.question"
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Offering RSA public key: /Users/User/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /Users/User/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Users-MacBook-Pro:~ User$
The last line is the familiar "Permission denied (publickey,gssapi-keyex,gssapi-with-mic)." Two other lines in that output are worth a second look before blaming the key itself: the very first line says the identity file given with -i was not accessible, so ssh never used aws.pem and instead offered the key loaded in ssh-agent and then ~/.ssh/id_rsa; and "Server accepts key" shows the server recognized one of the offered public keys for the root account, yet still refused the login. A key path that is wrong and a username that is wrong produce the same final error, so check both before digging deeper.
Now the good news. Not many people will run into this, since my situation was unusual: I came in after all of the instances had already been configured. It turned out that the two instances I could not log in to (both running Fedora 14) were built from AMIs that install the SSH key for the ec2-user account rather than for root. Change the username from root to ec2-user and the login works without any other changes.
Initially I was over-thinking the problem. A little searching first would have shown me that the username was wrong, and a search for the default usernames of AWS AMIs would have turned up ec2-user and resolved the issue much faster, since several AMIs use ec2-user by default.
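To turn the lesson above into something repeatable, here is an added example (my own script, not from the original post or from AWS) with two small helpers: one reads an `ssh -v` transcript like the one above and calls out the two lines that matter (the -i key file not being found, and the server recognizing a key yet still denying login), and the other probes a list of candidate usernames with one key and reports the first one the server lets in. The key path, host and candidate username list (ec2-user, root, ubuntu, fedora are common AMI defaults, not something the post lists) are placeholders to adjust; the SSH_CMD variable exists only so the helper can be tested offline against a stub instead of the real ssh binary.

```shell
#!/bin/sh
# Added example, not code from the original post. Two helpers for the
# "Permission denied (publickey,...)" situation described above.
#
# Assumptions (not from the page): key path, host and username list are
# placeholders; SSH_CMD lets a test substitute a stub for the ssh binary.

# Read an `ssh -v` transcript on stdin and print one HINT per symptom found.
ssh_debug_hints() {
    awk '
        /Identity file .* not accessible/ {
            print "HINT: the -i key file was not found; ssh fell back to agent/default keys"
        }
        /Server accepts key/ { accepted = 1 }
        /Permission denied \(publickey/ && accepted {
            print "HINT: server recognized a key but still denied login; check the username (root vs ec2-user)"
        }
        /Permission denied \(publickey/ && !accepted {
            print "HINT: no offered key was recognized; check which key pair the instance was launched with"
        }
    '
}

# Try each candidate username with the given key. Prints the first username
# that works and returns 0; returns 1 if none work, 2 if the key is unreadable.
# IdentitiesOnly=yes stops ssh from offering agent or default keys (the
# fallback seen in the transcript), and BatchMode=yes prevents password
# prompts. Success is judged by a marker in the output rather than the exit
# status, so a server that replaces our command with its own does not count.
find_ssh_user() {
    key=$1; host=$2; shift 2
    if [ ! -r "$key" ]; then
        echo "key file '$key' is not readable (this is what the -i warning above means)" >&2
        return 2
    fi
    for user in "$@"; do
        out=$("${SSH_CMD:-ssh}" -o BatchMode=yes -o IdentitiesOnly=yes \
                -o ConnectTimeout=10 -i "$key" "$user@$host" \
                'echo __ssh_probe_ok__' 2>/dev/null) || true
        case $out in
            *__ssh_probe_ok__*) echo "$user"; return 0 ;;
        esac
    done
    return 1
}

# Trimmed copy of the transcript above (hostname shortened), for an offline demo.
sample_log() {
    cat <<'EOF'
Warning: Identity file aws.pem not accessible: No such file or directory.
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Offering RSA public key: "2048-bit RSA, converted by User@host"
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Offering RSA public key: /Users/User/.ssh/id_rsa
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
EOF
}

# Offline demo: analyse the sample transcript.
sample_log | ssh_debug_hints

# Live usage against a real instance (placeholders; only runs when set):
#   SSH_PROBE_KEY=aws.pem SSH_PROBE_HOST=ec2-x-x-x-x.us-west-1.compute.amazonaws.com sh find_ssh_user.sh
if [ -n "${SSH_PROBE_HOST:-}" ]; then
    find_ssh_user "${SSH_PROBE_KEY:-aws.pem}" "$SSH_PROBE_HOST" ec2-user root ubuntu fedora \
        || echo "none of the candidate usernames worked" >&2
fi
```

Run the script as-is to see the hints for the transcript above; set SSH_PROBE_HOST (and SSH_PROBE_KEY) to probe a real instance. The probe deliberately uses `ssh -v`-free, non-interactive options so it can be dropped into a loop over many instances when, as in this project, nobody remembers which AMI each one was built from.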
Thanks a lot for your timely help! Now I will stop scratching my head.