Permission denied on Amazon LightSail
H

4

9

Login works with LightsailDefaultPrivateKey-eu-west-1.pem but not with my own key-pair.

I tried to generate the keys with 'ssh-keygen -t rsa -b 4096 -C "[email protected]" -f ~/.ssh/lsail-mikemittererat-eu-west-1.pem'

I also tried to generate a key on AWS/S2, downloaded it, generated a public key out of the private key and uploaded it to LightSail - the same result. It doesn't work.

Error-Message: ssh -i ~/.ssh/ssh_my-website ubuntu@ Permission denied (publickey).

This is what I get if I use the -v option:

ssh -v -i ~/.ssh/lsail-mikemittererat-eu-west-1.pem ubuntu@<public ip>

OpenSSH_6.9p1, LibreSSL 2.1.8
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to <public ip> [<public ip>] port 22.
debug1: Connection established.
debug1: identity file /Users/mikemitterer/.ssh/lsail-mikemittererat-eu-west-1.pem type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/mikemitterer/.ssh/lsail-mikemittererat-eu-west-1.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to <public ip>:22 as 'ubuntu'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client [email protected] <implicit> none
debug1: kex: client->server [email protected] <implicit> none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:6u6vqWOSbOSNiPYAOqa5q/epSntR7GG5dvFzKuUAJOQ
debug1: Host '<public ip>' is known and matches the ECDSA host key.
debug1: Found key in /Users/mikemitterer/.ssh/known_hosts:38
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/mikemitterer/.ssh/lsail-mikemittererat-eu-west-1.pem
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).

Permission of .pem is set to 600, .ssh is set to 700.

Hornstone answered 2/3, 2018 at 17:24 Comment(0)
I
20

I was able to get this to work as follows:

  1. Generated the SSH keypair as you described above (ssh-keygen -t rsa -b 4096 -C "[email protected]" -f ~/certs/test.pem)

  2. changed permissions on the private key file (chmod 600 test.pem)

  3. ssh'd into the instance using the lightsail integrated console and added the public key to the ~/.ssh/authorized_keys file

  4. I was able to access the instance using ssh -i ~/certs/lightsail.pem ubuntu@

Let me know if this works, or if I'm missing something.

Isidroisinglass answered 29/6, 2018 at 22:10 Comment(2)
Thanks, this works perfectly! Here is an alternative way: Under account create a new private key and download it. E.g. CamSync.pem - this is the private key. chmod 600 CamSync.pem. ssh-keygen -f CamSync.pem -y - this prints out the public key. Continue with your step 3. - Hornstone
@MikeMitterer Your comment should be added to the Lightsail docs. Thank you for taking the time to point this out :) - Steffi
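Added example (not part of the answer or its comments): a check that the public half of the key passed to ssh -i is really the entry that ended up in ~/.ssh/authorized_keys after step 3, since only key type and base64 blob take part in the match. Function names, file names and the sample blobs are constructed for this example.

```shell
#!/bin/sh
# Added example: is the public key from a .pub file listed in an
# authorized_keys file? Only key type and base64 blob are compared;
# leading options and the trailing comment do not take part in the match.

# Print "type blob" for each key line of a file. Simplification of this
# example: options that contain quoted spaces are not parsed.
key_blobs() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) { print $i, $(i + 1); next }
        }' "$1"
}

# key_is_authorized PUBFILE AUTHORIZED_KEYS
# returns 0 = listed, 1 = not listed, 2 = no key found in PUBFILE
key_is_authorized() {
    want=$(key_blobs "$1" | head -n 1)
    [ -n "$want" ] || return 2
    key_blobs "$2" | grep -qxF -- "$want"
}

# Constructed sample data (the blobs are placeholders, not real keys).
# Both .pub files carry the same comment; only new.pub matches an entry.
make_samples() {
    d=$(mktemp -d)
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedKEY1 me@laptop' > "$d/new.pub"
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedKEY3 me@laptop' > "$d/other.pub"
    cat > "$d/authorized_keys" <<'EOF'
# default key installed at instance creation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedKEY2 default-key
no-pty,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedKEY1 pasted-in-step-3
EOF
    echo "$d"
}

s=$(make_samples)
for k in new other; do
    if key_is_authorized "$s/$k.pub" "$s/authorized_keys"
    then echo "$k.pub: listed"; else echo "$k.pub: NOT listed"; fi
done
rm -rf "$s"
```

The .pub input can be produced from the private key with the ssh-keygen -f KEY.pem -y command quoted in the comment above, redirected to a file.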
J
11

I had same issue for hours, and finally solved it. Here is what I did:

Download the pem file into a folder.

Then run this:

$ chmod 600 KEYFILE.pem

And this:

$ ssh -i "KEYFILE.pem" bitnami@your_static_ip

As I remember, I've tried the same thing as you, but it didn't work.

Jackinthebox answered 19/5, 2018 at 13:35 Comment(1)
This is a different problem. The OP had created their own key, and wanted to upload it to the instance. What you describe is using the default ssh key that Lightsail provides (the ONLY key you can download from Lightsail is the default one from the Lightsail service - you cannot download a key that you previously uploaded). - Isidroisinglass
O
2

I followed all of the steps listed in Add new user accounts with SSH access using an AWS key and a 3rd-party generated key and still got the <USER>@<HOSTNAME>: Permission denied (publickey) error. It turned out that I needed to fix the directory permissions for my custom home directory location; it had nothing to do with how I generated the key or uploaded it to the instance.

The required directory permissions detailed in the Troubleshoot "Permission denied (publickey)" knowledge-base article state that the following permissions should be used:

  1. The parent directory of the user's home directory (e.g. /home): 755
  2. The user's home directory (e.g. /home/ec2-user): 700
  3. The user's .ssh/ directory (e.g. /home/ec2-user/.ssh): 0700
  4. The user's authorized_keys file (e.g. /home/ec2-user/.ssh/authorized_keys): 600

Once my directory permissions were correct, my configured key started working.

Otolith answered 29/10, 2020 at 2:44 Comment(0)
F
1

If the other solutions provided did not work, you might need to check to make sure the username you want to ssh is the owner of .bash_logout, .bashrc, .profile, .ssh and the authorized_keys and known_hosts inside .ssh.

You can log in with your main bitnami username to check the above using ls -lash and change them using chown if needed. For example,

sudo chown yoursshusername .bash_logout

Foulup answered 19/1, 2023 at 23:58 Comment(0)
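Added example (not from any of the answers): a shell audit of the four paths and modes listed in the knowledge-base answer above, combined with the ownership check from the chown answer. Function names and the temporary fixture are this example's own, and it flags permission bits beyond the listed mode rather than requiring an exact match.

```shell
#!/bin/sh
# Added example: audit the modes and owners listed in the answers above.
# Function names are this example's own; the fixture is constructed.

# GNU stat takes -c, BSD/macOS stat takes -f.
mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
owner_of() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# check_path PATH MAX_MODE [OWNER]: report permission bits beyond MAX_MODE
# and, when OWNER is given, a different owner. Returns 1 on any finding.
check_path() {
    p=$1; want=$2; owner=${3:-}; rc=0
    [ -e "$p" ] || { echo "MISSING $p"; return 1; }
    mode=$(mode_of "$p")
    if [ $(( 0$mode & ~0$want & 0777 )) -ne 0 ]; then
        echo "MODE  $p is $mode, want $want"; rc=1
    fi
    if [ -n "$owner" ] && [ "$(owner_of "$p")" != "$owner" ]; then
        echo "OWNER $p belongs to $(owner_of "$p"), want $owner"; rc=1
    fi
    return $rc
}

# audit_ssh_paths HOME USER: the four paths and modes from the list above.
audit_ssh_paths() {
    home=$1; user=$2; bad=0
    check_path "$(dirname "$home")" 755                 || bad=1
    check_path "$home" 700 "$user"                      || bad=1
    check_path "$home/.ssh" 700 "$user"                 || bad=1
    check_path "$home/.ssh/authorized_keys" 600 "$user" || bad=1
    return $bad
}

# Constructed fixture: a throwaway home tree with the recommended modes.
make_fixture() {
    root=$(mktemp -d) && home=$root/home/demo
    mkdir -p "$home/.ssh" && : > "$home/.ssh/authorized_keys"
    chmod 755 "$root/home"; chmod 700 "$home" "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    echo "$home"
}

fx=$(make_fixture)
chmod 775 "$fx"                       # simulate a group-writable home
audit_ssh_paths "$fx" "$(id -un)" || echo "fix the findings above"
rm -rf "${fx%/home/demo}"
```

On a real instance, run audit_ssh_paths with the account's actual home directory and login name, using sudo if the home directory is not readable by the user running it.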
