Unable to ssh into ec2 instance with .pem keypair

I created a new temporary ec2 instance (using a snapshot of my original ec2 instance) and generated a mykeypair.pem file to use as a keypair that I hoped would allow me to connect to my virtual machine in order to make some file changes. (I generated ssh keys on a new laptop and therefore need to connect to my ec2 instance to add the updated public key to authorized_keys so that I can access my original ec2 instance. I am unable to access my old ssh private key.)

With mykeypair.pem moved to ~/.ssh/mykeypair.pem, I ran

$ ssh -v  -i "mykeypair.pem" ubuntu@ec2-<ip-addr>.us-west-2.compute.amazonaws.com

in /Users/me/.ssh. The result was...

OpenSSH_7.8p1, LibreSSL 2.6.2
debug1: Reading configuration data /Users/me/.ssh/config
debug1: /Users/me/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Connecting to ec2-<ip-addr>.us-west-2.compute.amazonaws.com port 22.
debug1: Connection established.
debug1: identity file mykeypair.pem type -1
debug1: identity file mykeypair.pem-cert type -1
debug1: identity file /Users/me/.ssh/mykeypair.pem type -1
debug1: identity file /Users/me/.ssh/mykeypair.pem-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3 pat OpenSSH_6.6.1* compat 0x04000002
debug1: Authenticating to ec2-<ip-addr>.us-west-2.compute.amazonaws.com:22 as 'ubuntu'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:<redacted>
debug1: Host 'ec2-<ip-addr>.us-west-2.compute.amazonaws.com' is known and matches the ECDSA host key.
debug1: Found key in /Users/me/.ssh/known_hosts:6
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:<redacted>
debug1: Authentications that can continue: publickey
debug1: Offering public key: RSA SHA256:<redacted>
debug1: Authentications that can continue: publickey
debug1: Offering public key: ED25519 SHA256:<redacted>
debug1: Authentications that can continue: publickey
debug1: Offering public key: RSA SHA256:<redacted> 
debug1: Authentications that can continue: publickey
debug1: Trying private key: mykeypair.pem
debug1: identity added to agent: mykeypair.pem
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/me/.ssh/mykeypair.pem
debug1: identity added to agent: /Users/me/.ssh/mykeypair.pem
Received disconnect from <ip addr> port 22:2: Too many authentication failures for ubuntu
Disconnected from <ip addr> port 22

These are my ~/.ssh/config file contents:

Host *
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/mykeypair.pem

Running with only the generated keypair (which is what I assumed the command below does)

ssh -v -o 'IdentitiesOnly yes'  -i "mykeypair.pem" ubuntu@ec2-<ip-addr>.us-west-2.compute.amazonaws.com

results in

OpenSSH_7.8p1, LibreSSL 2.6.2
debug1: Reading configuration data /Users/me/.ssh/config
debug1: /Users/me/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Connecting to ec2-<ip-addr>.us-west-2.compute.amazonaws.com port 22.
debug1: Connection established.
debug1: identity file mykeypair.pem type -1
debug1: identity file mykeypair.pem-cert type -1
debug1: identity file /Users/me/.ssh/mykeypair.pem type -1
debug1: identity file /Users/me/.ssh/mykeypair.pem-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3 pat OpenSSH_6.6.1* compat 0x04000002
debug1: Authenticating to ec2-<ip-addr>.us-west-2.compute.amazonaws.com:22 as 'ubuntu'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:<redacted>
debug1: Host 'ec2-<ip-addr>.us-west-2.compute.amazonaws.com' is known and matches the ECDSA host key.
debug1: Found key in /Users/me/.ssh/known_hosts:6
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: mykeypair.pem
debug1: identity added to agent: mykeypair.pem
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/me/.ssh/mykeypair.pem
debug1: identity added to agent: /Users/me/.ssh/mykeypair.pem
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
ubuntu@ec2-<ip-addr>.us-west-2.compute.amazonaws.com: Permission denied (publickey).

I created the instance with this new generated keypair (see screenshot) at the last step when I launched the ec2 instance.

Screenshot of how I created the keypair

Why isn't this working/what do I need to do to fix it?

Edit: changing the username to ec2-user@ec2-... or bitmani@ec2-... does not work
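As an added example that is not part of the original question: a POSIX shell helper that reads `ssh -v` client output like the two logs above and tells the failure modes apart. The first log shows the client presenting six identities in a row (four that the agent volunteered, then the .pem twice) before the server disconnects; sshd's default MaxAuthTries is 6 and every presented key counts against it, so that disconnect says nothing about the .pem itself. The second log, with IdentitiesOnly, shows only the .pem offered and refused, which means that key is simply not in the target account's authorized_keys. The two log excerpts embedded here are constructed, shortened stand-ins for the posted ones, with an RFC 5737 documentation address in place of the redacted IP.

```shell
#!/bin/sh
# Added triage helper for `ssh -v` client output (not code from the question or
# its answers). It counts how many identities the client presented in the
# publickey phase and names the failure mode, so you know whether to fix the
# key itself or stop the agent from offering unrelated keys first.

# Constructed, shortened excerpts standing in for the two logs in the question.
LOG_AGENT_FLOOD='debug1: Offering public key: RSA SHA256:AAAA
debug1: Authentications that can continue: publickey
debug1: Offering public key: RSA SHA256:BBBB
debug1: Authentications that can continue: publickey
debug1: Offering public key: ED25519 SHA256:CCCC
debug1: Authentications that can continue: publickey
debug1: Offering public key: RSA SHA256:DDDD
debug1: Authentications that can continue: publickey
debug1: Trying private key: mykeypair.pem
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/me/.ssh/mykeypair.pem
Received disconnect from 203.0.113.10 port 22:2: Too many authentication failures for ubuntu'

LOG_KEY_REJECTED='debug1: Trying private key: mykeypair.pem
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/me/.ssh/mykeypair.pem
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
ubuntu@ec2-host: Permission denied (publickey).'

# sshd's default MaxAuthTries; each identity the client presents counts against it.
MAX_AUTH_TRIES=6

# agent_offers LOG: keys the agent volunteered ("Offering public key" lines)
agent_offers() {
    printf '%s\n' "$1" | grep -c '^debug1: Offering public key:' || true
}

# file_offers LOG: keys loaded from -i / IdentityFile ("Trying private key" lines)
file_offers() {
    printf '%s\n' "$1" | grep -c '^debug1: Trying private key:' || true
}

# diagnose LOG: prints "<verdict>:<identities presented>"
#   agent-flood         the server hit MaxAuthTries before the intended key was reached
#   key-not-authorized  the intended key was offered and refused
#   unknown             neither closing line was found
diagnose() {
    log=$1
    total=$(( $(agent_offers "$log") + $(file_offers "$log") ))
    if printf '%s\n' "$log" | grep -q 'Too many authentication failures'; then
        echo "agent-flood:$total"
    elif printf '%s\n' "$log" | grep -q 'Permission denied (publickey)'; then
        echo "key-not-authorized:$total"
    else
        echo "unknown:$total"
    fi
}

# remedy VERDICT: the client-side change that addresses each verdict
remedy() {
    n=${1#*:}
    case $1 in
        agent-flood*)
            echo "$n identities presented against a default MaxAuthTries of $MAX_AUTH_TRIES; pass -o IdentitiesOnly=yes (or set it for this Host) so only the -i key is offered" ;;
        key-not-authorized*)
            echo "the offered key is not in the remote user's authorized_keys; install it through an out-of-band session" ;;
        *)
            echo "no publickey failure recognised in this output" ;;
    esac
}

# Stand-alone run: show the verdict and remedy for both constructed logs.
for sample in "$LOG_AGENT_FLOOD" "$LOG_KEY_REJECTED"; do
    v=$(diagnose "$sample")
    printf '%s -> %s\n' "$v" "$(remedy "$v")"
done
```

To use it on a live session, capture the client side with `ssh -v ... 2>ssh.log` and pass the file's contents to `diagnose`; the count it reports is the number you are comparing against the server's MaxAuthTries.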


Solution 1:

What you described should work. The only thing I can think of is you're using the wrong pem file, IP address, or something.

What I would recommend doing is:

  • Generate a new keypair on your computer.
  • Start a fresh instance with that key pair.
  • Make sure you can log in.
    • If you can't, use the out-of-band browser-based connection to connect to the instance.
    • Drop your new key in "authorized_keys".
    • Delete the old keys.
  • Snapshot the new instance.

Specific Steps

Generating Keypair

ssh-keygen -t ed25519

It's going to ask you what name you want to save it under. Make sure you're not overwriting something else. It's going to generate a and .pub.

Aside: What is -t ed25519? There are different public key encryption schemes. RSA is one, elliptic curve is another. This particular key type is faster, smaller, more cryptographically secure -- just all around better in almost every way than RSA. The only problem is some stuff doesn't support it. AWS supports it though so you're good.

Importing the public key into AWS

  1. Under the EC2 pages, on the left, you'll see a page under "Network & Security" that says "Key Pairs". Click there.

     (Screenshot: the left pane of the AWS console with "Key Pairs" selected)

  2. Now go to "Actions" -> "Import Key"

  3. Give it a good name. Import the .pub file.

Starting an instance using your keys

When you go through the flow of starting an instance, when you click Launch, it pulls up a window that asks what keys you want in the instance. From the dropdown select your new keys.

Oh no! It still doesn't work!

Alright, the next step is making a connection another way and manually putting the ssh keys in there.

How to connect from the browser

  1. In the "Instances" tab, select your instance then go to "Actions" -> "Connect"
  2. In the next page, don't change anything, just hit "Connect". Now you should be at a terminal.

How to add ssh keys to the authorized_keys file

  1. I'm assuming you know how to use vim or nano or echo "stuff" >> file.
  2. Append the contents of your .pub to ~/.ssh/authorized_keys on a new line. Save.
  3. Profit
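As an added example that is not the answerer's code: a POSIX shell helper for the last step above. It does what `echo "..." >> ~/.ssh/authorized_keys` does, but refuses lines that are not a single OpenSSH public key, skips a key that is already listed (same type and key material, comment ignored), and leaves ~/.ssh at 700 and authorized_keys at 600, the owner-only permissions sshd's StrictModes check (on by default) requires before it will trust the file. The sample key and the temporary directory are constructed for the demonstration; on a real instance you would pass the target user's ~/.ssh directory instead.

```shell
#!/bin/sh
# Added helper for the "add ssh keys to authorized_keys" step (not the
# answerer's code). Appends one OpenSSH public-key line idempotently and leaves
# ~/.ssh and authorized_keys with the owner-only permissions that sshd's
# StrictModes check requires.

# Constructed sample key: the base64 is filler, not real key material.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampleEx me@new-laptop'

# is_pubkey LINE: exactly one key line of a supported type, optional comment
# (ed25519 keys need OpenSSH 6.5 or later; the server in the question runs 6.6.1)
is_pubkey() {
    printf '%s\n' "$1" | grep -q -E \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^[:space:]]+)?$'
}

# add_authorized_key SSHDIR PUBKEY
# Prints "added", "present" (type and key blob already listed) or "invalid"
# (returns 1 and writes nothing).
add_authorized_key() {
    sshdir=$1
    pubkey=$2
    is_pubkey "$pubkey" || { echo "invalid"; return 1; }
    keyfile="$sshdir/authorized_keys"
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    [ -f "$keyfile" ] || : > "$keyfile"
    chmod 600 "$keyfile"
    # Compare on type + key blob only, so a different comment is not a new entry.
    blob=$(printf '%s\n' "$pubkey" | awk '{ print $1 " " $2 }')
    if awk -v want="$blob" '($1 " " $2) == want { found = 1 } END { exit !found }' "$keyfile"; then
        echo "present"
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$keyfile"
    echo "added"
}

# count_keys SSHDIR: number of key lines currently in authorized_keys
count_keys() {
    grep -c -E '^(ssh-|ecdsa-)' "$1/authorized_keys" || true
}

# Stand-alone run against a throwaway directory: second call is a no-op.
demo_dir=$(mktemp -d)
add_authorized_key "$demo_dir/.ssh" "$SAMPLE_PUBKEY"
add_authorized_key "$demo_dir/.ssh" "$SAMPLE_PUBKEY"
printf 'keys on file: %s\n' "$(count_keys "$demo_dir/.ssh")"
rm -rf "$demo_dir"
```

Running it from the browser-based session as the target user, with that user's ~/.ssh as the first argument and the contents of your .pub file as the second, is the equivalent of the append in step 2 with the permission fix that a plain `>>` never does.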