"Server Refused our key" after launching instance from private EBS AMI

14

25

I have created my own EBS AMI, shared it with another AWS account, launched a NEW instance based on this image with a NEW key-pair, and now when I try to connect to this new instance I get the error: "Server Refused our key".

This is what I did (step by step):

  1. Configured new CentOS 6.3 server in my personal account (with my personal key-pair)
  2. Created EBS AMI image of that server
  3. Shared this image with my client's account
  4. Launched new instance in my client's account based on this shared image + new key-pair
  5. The newly launched instance doesn't want to take the new key-pair. After some testing I figured out that it accepts my personal key-pair instead.

How do I make a new instance from my image accept new key-pairs? I even tried removing the ".ssh/authorized_keys" file in the original image and launching a new instance based on this image without a public key, and still no success.

Please advise how to create images that would not be attached to old key-pairs.

Bael answered 23/7, 2012 at 14:11 Comment(8)
How did you create the new key-pair? Did you let AWS create it or did you create it with some other tool? - Legge
Hello David, I created it with AWS when I was launching new instance. Didn't do it manually. - Bael
And what ssh client are you using? - Legge
When you look in /home/ec2-user/.ssh/authorized_keys, do you see the new public key, your old personal key, or both? - Legge
In both locations: ".ssh/authorized_keys" and "/home/ec2-user/.ssh/authorized_keys" only one: old personal public key. - Bael
Did you start with an existing public AMI or did you create your own AMI from scratch? - Legge
I used this AMI: aws.amazon.com/amis/centos-6-3-ebs-backed - Bael
I met the same problem. Have we got a conclusion? - Leif
43

I had a similar problem with that error message and here is how I fixed it. Hope this helps you, or someone else who is stuck and finds their way here:

  1. In the AWS Console ensure your instance is healthy and running
  2. Check you have used the correct public DNS address, listed when you click on an instance
  3. Select Security Groups from left hand side and click on the security group you want to use
  4. Click the Inbound tab
  5. From the Create a new rule: dialog select SSH
  6. In source put your IP address and CIDR value. If it's just you don't have a NAT on your network just use 32 as your CIDR (e.g. ?.?.?.?/32)
  7. Click Add Rule
  8. Click Apply Rule Changes
  9. Right click on your instance and select Create Image (EBS AMI)
  10. Give it an Image Name in the Create Image wizard and click Create
  11. After a short time select AMIs from the left hand nav bar in AWS console
  12. Right click on the new AMI and click Launch Instance
  13. On the Request Instances Wizard click Continue until you have to Create Key Pair
  14. Choose a key pair and make note of it (NOTE: If you haven't still got your .pem file for this key pair you will need to generate a new one from selecting Key Pairs on left hand navbar, Create Key Pair etc. to obtain .pem file)
  15. Select security group with the rule you created for your IP address (and CIDR of 32 - no subnet mask)
  16. Click continue, and on the next screen click Launch
  17. Go back to the Instances view and wait until your Instance is fully initialized and healthy
  18. Open PuttyGEN
  19. Click Conversions from the Toolbar, and Import Key
  20. Navigate to your .pem key in the file browser and open it
  21. Select SSH-1 (RSA) from the Parameters box
  22. Put your key pair name in the Key comment box (just for good house keeping)
  23. Click Save private key and save the .ppk file somewhere on your file system
  24. Open Putty
  25. Enter the public DNS for your EC2 instance in the Host Name box
  26. Enter port 22
  27. Tick SSH radio button from the Connection Type box
  28. Click on SSH from the Connection tree in the left hand side nav bar
  29. Click on Auth
  30. Click Browse in the Authentication parameters box, and open your .ppk file
  31. Click Session from the left hand nav bar
  32. Enter a name for this connection in the Saved Sessions text box, and click Save (this is so you don't have to go through the putty connection set up each time, and can just double click your saved connection - for those unaware)
  33. Click Open
  34. When prompted for a login name you will probably use 'ec2-user' or 'ubuntu' (TIP: use 'root' and you will probably get a message telling you what username you should use instead!)
  35. No need for a password, the .ppk file will authenticate you
  36. Hopefully, you're now connected to the EC2 instance and good to go!
Peruse answered 8/1, 2013 at 16:40 Comment(4)
"TIP: use 'root' and you will probably get a message telling you what username you should use instead!" - very creative! - Hagiology
Great, ec2-user was the user. - Freezing
Also creating the Image was just for prudence? It doesn't have anything to do with SSH does it? Otherwise, thanks! - Sunny
Am I the only one for whom this unfortunately doesn't work? - Tarbox
16

I had this issue with a new SUSE instance. I was finally able to connect using user 'root'. It kept rejecting ec2-user.

Rask answered 9/1, 2014 at 17:17 Comment(2)
Found this to be a helpful answer. I chose the Ubuntu 12.04 image and had to login using the ubuntu user instead of ec2-user. - Systaltic
In my case it's a typo: ubantu instead of ubuntu, coming from a Windows background :) - Anticline
14

After following the steps given here and in other posts, I also had to update Putty to the current version. Then it all worked.

Permanganate answered 12/8, 2022 at 14:28 Comment(4)
I was using PuTTY 0.74 and got No supported authentication methods available (server sent: publickey). After upgrading to PuTTY 0.77 the problem is gone. - Rhodie
This is actually mentioned in the AWS troubleshooting page and is (as it turns out) more important than indicated. - Unceasing
{ "v0.73": "fail", "v0.78": "ok" } - No need to do any other thing other than updating putty. No configs, no anything. - Clearway
Wow, indeed. Putty needs to be updated in order to connect. v0.73 - no luck, v78 - works as expected. - Heaves
13

This means that you are not using the correct user name for logging into your EC2 instance. Here is a list of users you can use in PuTTY to connect to an EC2 instance: For an Amazon Linux AMI, the user name is ec2-user. For a RHEL5 AMI, the user name is either root or ec2-user. For an Ubuntu AMI, the user name is ubuntu. For a Fedora AMI, the user name is either fedora or ec2-user. For SUSE Linux, the user name is either root or ec2-user. Otherwise, if ec2-user and root don't work, check with the AMI provider.

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html#TroubleshootingInstancesConnectingPuTTY

Gunter answered 7/3, 2016 at 19:28 Comment(1)
It was "centos" in my case. - Girvin
12

In AWS servers with different tools, the ssh key doesn't work.

The error usually faced is:

Server refused our key
No supported authentication methods available (server sent: publickey)

Open the /etc/ssh/sshd_config file and add the line below:

PubkeyAcceptedAlgorithms +ssh-rsa

Then save the file and run systemctl restart sshd to restart the sshd service, or in some cases, like now in Ubuntu 23 etc., restart the service with systemctl restart ssh. Hopefully your key will work perfectly.

Dominiquedominium answered 16/8, 2022 at 17:14 Comment(5)
This is what fixed it for me on the Ubuntu AMI. - Ayurveda
Worked for me as well. - Eraste
Fixed it for me using Ubuntu AMI (ubuntu-jammy-22.04-amd64-server-20230115). - Society
Won't restart sshd (systemctl restart ssdhd) on Rocky Linux. The complaint is '4119 ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY (code=exited, status=255)' - Filippa
What a fix! Thanks a lot. - Wintergreen
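
A check for the setting discussed in this answer, as an added example that is not part of the original post. PubkeyAcceptedAlgorithms +ssh-rsa re-enables RSA signatures made with SHA-1, which OpenSSH 8.8 and later reject by default, while PuTTY 0.75 and later can sign with rsa-sha2-256/512 without any server change. The function name rsa_sig_policy is hypothetical; it reads the effective configuration printed by sshd -T on stdin.

```shell
#!/bin/sh
# Added example (not from the thread). rsa_sig_policy is a hypothetical name.
# Reads `sshd -T` output on stdin and prints how the server treats RSA
# user-key signatures:
#   sha1-accepted  legacy "ssh-rsa" (RSA with SHA-1) is enabled
#   sha2-only      only rsa-sha2-256 / rsa-sha2-512 are enabled
#   no-rsa         no plain RSA signature algorithm is enabled
#   unknown        the directive was not found in the input
# Usage on the server (needs root): sshd -T | rsa_sig_policy
rsa_sig_policy() {
    awk '
        # OpenSSH 8.5 renamed PubkeyAcceptedKeyTypes to
        # PubkeyAcceptedAlgorithms; sshd -T prints keywords in lower case.
        $1 == "pubkeyacceptedalgorithms" || $1 == "pubkeyacceptedkeytypes" {
            seen = 1
            n = split($2, alg, ",")
            for (i = 1; i <= n; i++) {
                # Exact match only: ssh-rsa-cert-v01@openssh.com is a
                # certificate type and must not count as plain ssh-rsa.
                if (alg[i] == "ssh-rsa")
                    sha1 = 1
                if (alg[i] == "rsa-sha2-256" || alg[i] == "rsa-sha2-512")
                    sha2 = 1
            }
        }
        END {
            if (!seen)     print "unknown"
            else if (sha1) print "sha1-accepted"
            else if (sha2) print "sha2-only"
            else           print "no-rsa"
        }'
}
```

A result of sha2-only together with a "Server refused our key" error from an old PuTTY build points at the client version rather than at the key itself.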
3

Since your AMI originates from a community AMI and not an official public AMI, it is possible that it has not been set up to copy the ssh keys on instance startup, or that it uses a different mechanism to do it.

My understanding is that for the ssh keys to be copied on startup, some shell script must be run inside the instance itself, as briefly described here.

The AMI description page mentions that it has been "cloud-init enabled", so maybe there is a way to do it through CloudInit. See the doc here.

Legge answered 23/7, 2012 at 17:51 Comment(0)
2

I had this issue and it turned out I was typing ec2_user when it was meant to be ec2-user.

Zeke answered 27/6, 2018 at 9:35 Comment(1)
I keep forgetting that sometimes the user is "centos" instead of "ec2-user". This jogged my memory though. - Girvin
1

In my case I was using Elastic Beanstalk and had not assigned my key pair to my configuration before launching it. To fix this:

  1. Go to your app in Elastic Beanstalk
  2. Navigate to configuration
  3. Scroll to security and select Edit
  4. Add your key pair to the instance
  5. Click save and try connecting again once the configuration has been applied
Baudelaire answered 25/4, 2021 at 17:2 Comment(0)
0

There could be only one reason for Server Refused our key to show.

That is: the server's Key Pair and Username combination is not correct. I have faced this many times.

Inexistent answered 24/10, 2016 at 9:3 Comment(1)
This was actually the correct answer for me, I was typing ec2_user instead of ec2-user. So the down vote is a bit harsh. - Zeke
0

By default, Amazon will append the new key to the existing one. We can resolve it by mounting the drive on another active instance, removing the content of the file .ssh/authorized_keys, and adding the pem key file of your new key.

Jasonjasper answered 8/5, 2017 at 10:6 Comment(0)
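
The mount-and-inspect approach from this answer, turned into an audit that can be run before an image is shared or after a volume from a shared image is attached to another instance. This is an added example, not part of the original post; the function name, the mount point and the allow-list file are hypothetical, and it assumes sshd uses the default .ssh/authorized_keys locations under /root and /home.

```shell
#!/bin/sh
# Added example (not from the thread): report public keys left in a mounted
# image volume that are not on an allow-list. All names here are hypothetical.

# awk program: for each key line print "<blob> <type> <comment>". Login
# options may precede the key type, so scan for the first key-type field.
EXTRACT='
NF == 0 || $1 ~ /^#/ { next }
{
    for (i = 1; i < NF; i++)
        if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-|sk-)/) {
            print $(i + 1), $i, (i + 2 <= NF ? $(i + 2) : "-")
            next
        }
}'

# audit_authorized_keys ROOT ALLOWED
#   ROOT     mount point of the volume under inspection, e.g. /mnt/image
#   ALLOWED  file of public-key lines that are expected to be present
# Prints "<path> <type> <comment>" per unexpected key; returns 1 if any.
audit_authorized_keys() {
    root=$1
    allowed_blobs=$(awk "$EXTRACT" "$2" | cut -d' ' -f1)
    unexpected=$(
        find "$root/root" "$root/home" -type f -name 'authorized_keys*' \
            2>/dev/null |
        while IFS= read -r f; do
            awk "$EXTRACT" "$f" | while read -r blob type comment; do
                # Compare whole key blobs, so comments and options are ignored.
                printf '%s\n' "$allowed_blobs" | grep -qxF -- "$blob" ||
                    printf '%s %s %s\n' "${f#"$root"}" "$type" "$comment"
            done
        done
    )
    if [ -z "$unexpected" ]; then
        return 0
    fi
    printf '%s\n' "$unexpected"
    return 1
}
```

Any line it prints is a key that would still be able to log in to instances launched from the image, whatever key pair is chosen at launch.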
0

I resolved my issue by choosing ubuntu as the user for the AWS Ubuntu machine. So please verify the correct user account and machine type.

Please see below link for it: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html

Dobsonfly answered 16/8, 2019 at 11:46 Comment(0)
0

I am just updating my case too as an answer. I used to connect using hostname ec2-38-239-22-12.us-east-2.compute.amazonaws.com (Public IPv4 DNS) with a saved section in putty. Yesterday I stopped the instance and started facing this issue while trying to connect this morning, after booting the instance (AWS) this morning.

SOLUTION: The Public IPv4 DNS record (ec2-38-239-22-12.us-east-2.compute.amazonaws.com) got changed after reboot. Logged in to the AWS Console and updated the putty section with the new record. This solved the issue!!

Cylix answered 28/2, 2021 at 11:20 Comment(0)
0

Problem: You are providing either an incorrect username or host address to connect using PuTTY.

Solution: Here are the steps you can follow to fix the issue.

1) Log in to the AWS console, select your EC2 instance, and then click on the Connect button.

2) Then click on the SSH Client tab, and below will be your details.

3) Copy the username with host address, something like username@your_host_address, and enter it in PuTTY. Then click on Auth, and provide the .ppk file that you downloaded while creating the Key Pair (if you downloaded a .pem file, then make sure to convert it to .ppk using PuTTYgen first).

Alternatively, you can try these usernames ec2-user, ubuntu, root

Stalemate answered 7/5, 2023 at 17:15 Comment(0)
0

In my case, the problem was Putty. When I was launching the EC2 instance in the AWS Console, I set up a .pem keypair (to connect with another SSH client, not Putty) instead of a .ppk keypair, and the connection works.

Mckenziemckeon answered 9/2 at 21:9 Comment(0)
