2

Please help me understand how I can solve my SSH problem:

I can SSH into my EC2 instance running Ubuntu 10.10 'Maverick Meerkat' no problem with:

$ ssh -i MyEC2Key.pem ubuntu@ec2-01-LALALALALALA.eu-west-1.compute.amazonaws.com

My issue arises when I try the same thing with the new user that I have created:

$ ssh -i MyEC2Key.pem robert@ec2-01-LALALALALALA.eu-west-1.compute.amazonaws.com

Unfortunately when trying this I get the following error message:

Permission denied (publickey).


I don't understand what I am missing and am relatively new to most of this stuff. All I want is for this new user to have admin rights and full SSH access. These are the steps I have gone through, all remotely logged in as user ubuntu and doing edits with vim. If someone could let me know what I am missing or have misunderstood here it would be much appreciated.

  • I have created a new user called robert
  • I have added that user to the group admin
  • I have added the following to /etc/sudoers

    root    ALL=(ALL) ALL   (that line was already there)  
    robert ALL=(ALL) ALL    (that line was what I added)
    
  • I have added the following line to /etc/ssh/sshd_config

    AllowUsers robert ubuntu root
    
  • I have restarted the ssh daemon

  • I have logged out as ubuntu and attempted to ssh back in as robert in a new terminal

Still stuck. Just to sanity check, yes I can log in as robert by SSHing in as ubuntu and using sudo su robert but that is not what I require - I need to be able to SSH in as robert direct.

Here is the debug stuff from attempting to SSH in as robert with debug flags:

$ ssh -v -i MyEC2Key.pem robert@ec2-01-LALALALALALA.eu-west-1.compute.amazonaws.com  
OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009  
debug1: Reading configuration data /etc/ssh_config  
debug1: Connecting to ec2-01-LALALALALALA.eu-west-1.compute.amazonaws.com [XX.XXX.XX.XXX] port 22.  
debug1: Connection established.  
debug1: identity file MyEC2Key.pem type -1  
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-4ubuntu4  
debug1: match: OpenSSH_5.5p1 Debian-4ubuntu4 pat OpenSSH*  
debug1: Enabling compatibility mode for protocol 2.0  
debug1: Local version string SSH-2.0-OpenSSH_5.2  
debug1: SSH2_MSG_KEXINIT sent  
debug1: SSH2_MSG_KEXINIT received  
debug1: kex: server->client aes128-ctr hmac-md5 none  
debug1: kex: client->server aes128-ctr hmac-md5 none  
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent  
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP  
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent  
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY  
debug1: Host 'ec2-01-LALALALALALA.eu-west-1.compute.amazonaws.com' is known and matches the RSA host key.  
debug1: Found key in /Users/robmccardle/.ssh/known_hosts:4  
debug1: ssh_rsa_verify: signature correct  
debug1: SSH2_MSG_NEWKEYS sent  
debug1: expecting SSH2_MSG_NEWKEYS  
debug1: SSH2_MSG_NEWKEYS received  
debug1: SSH2_MSG_SERVICE_REQUEST sent  
debug1: SSH2_MSG_SERVICE_ACCEPT received  
debug1: Authentications that can continue: publickey  
debug1: Next authentication method: publickey  
debug1: Trying private key: MyEC2Key.pem  
debug1: read PEM private key done: type RSA  
debug1: Authentications that can continue: publickey  
debug1: No more authentication methods to try.  
Permission denied (publickey).  
jdgregson
  • 109
  • 5
Rob McCardle
  • 135
  • 10

2 Answers

4

To use the same key for both accounts, do the following:

sudo cp -r /home/ubuntu/.ssh /home/robert/
cd /home/robert
sudo chown -R robert:robert .ssh

This would just copy the public key corresponding to your private key (MyEC2Key.pem) to robert's account. This would also keep the appropriate permissions required for /home/robert/.ssh/authorized_keys.

(Please don't do the above for two existing users with a number of authorized keys for several obvious reasons! -- It is only suggested as a simple solution for setting up new users on EC2 using the default 'ubuntu' user)

Now you should be able to do the following:

ssh -i MyEC2Key.pem robert@ec2-01-LALALALALALA.eu-west-1.compute.amazonaws.com

If this does not work, just make sure that you have the right restricted permissions (compare /home/ubuntu/.ssh and /home/robert/.ssh and the permissions for the authorized_keys file).

If it still doesn't work for you there are two alternatives:

1) Generate a new key pair on robert's local machine and add the public key to /home/robert/.ssh/authorized_keys (on EC2 instance)

The instructions can be found here: http://www.ece.uci.edu/~chou/ssh-key.html

2) On EC2, you can allow ssh to accept password based authentication (Disabled by default).

sudo nano /etc/ssh/sshd_config

and modify

PasswordAuthentication no

to

PasswordAuthentication yes

This would allow you to ssh using password.

Bilal Sheikh
  • 156
  • 4
  • Hey, thanks for your assistance. Tried your initial step verbatim but no joy. I can confirm that I can indeed SSH in using the password but this is inconvenient as mine is super strong and therefore not memorable. The permissions and ownership settings are correct on the folders and yet ssh as the new user still does not work. I think generating my own keys is the only way forward and I don't mind that much as this has several advantages. I've been busy on other matters but once I have a solution I will update the post. Thanks all – Rob McCardle Mar 02 '11 at 17:35
  • @BilalSheikh Thanks, your solution helped me perfectly! – modulitos Apr 22 '15 at 07:40
3

It seems like permissions are getting you on the directory. Ensure the permissions are set correctly on your /home/user/.ssh directory.

chmod -R o-rwx ~/.ssh
toddward
  • 43
  • 5
  • Hi, thanks for your response although I'm afraid that this has not solved the issue. I was also not sure whether you meant that I should perform this chmod locally or on EC2 SSH'd in as ubuntu. As additional info, my .pem file is stored locally in a separate directory to ~/.ssh. I know this .pem works as this is the same key I log in as Ubuntu with that I downloaded from EC2. Do I need a separate key for a new user? I applied the permissions you said to all 3 possible locations: ~/.ssh (local) ~/.ssh (ec2 SSH'd in as ubuntu) ~/myproj/mydircontaingmypem (local) I still can't SSH in as robert – Rob McCardle Feb 23 '11 at 10:01
  • I have also tried copying the knownhosts file containing the EC2 reference to MyEC2Key.pem from /home/ubuntu/.ssh across to the new user /home/robert/.ssh (I did this logged in as the appropriate user, created the folder and file in bash and set the permissions again on both). I restarted sshd. But I still can't SSH in as robert – Rob McCardle Feb 23 '11 at 10:51
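
Both answers come down to ownership and permissions on the new user's home directory, .ssh and authorized_keys: with StrictModes enabled (the sshd default), key authentication is refused if any of these is owned by someone other than the user or root, or is writable by group or other. The audit below is an added example, not code from the original posts; the function names check_path and audit_ssh_paths are illustrative.

```shell
# Added example: audit the three paths sshd checks under StrictModes.
# check_path and audit_ssh_paths are illustrative names.

# check_path PATH UID: PATH must exist, be owned by UID or root (uid 0),
# and must not be writable by group or other.
check_path() {
    cp_path=$1; cp_uid=$2; cp_rc=0
    if [ ! -e "$cp_path" ]; then
        echo "MISSING  $cp_path"
        return 1
    fi
    # ls -ldn prints the mode string first and the numeric owner third.
    cp_info=$(ls -ldn "$cp_path" | awk '{print $1, $3}')
    cp_mode=${cp_info% *}
    cp_owner=${cp_info#* }
    if [ "$cp_owner" != "$cp_uid" ] && [ "$cp_owner" != "0" ]; then
        echo "OWNER    $cp_path owned by uid $cp_owner, expected $cp_uid"
        cp_rc=1
    fi
    # Mode string, e.g. drwxrwxr-x: char 6 = group write, char 9 = other write.
    cp_gw=$(printf '%s' "$cp_mode" | cut -c6)
    cp_ow=$(printf '%s' "$cp_mode" | cut -c9)
    if [ "$cp_gw" = "w" ] || [ "$cp_ow" = "w" ]; then
        echo "WRITABLE $cp_path is group/other writable ($cp_mode)"
        cp_rc=1
    fi
    return "$cp_rc"
}

# audit_ssh_paths HOME_DIR UID: returns 0 only if every path passes.
audit_ssh_paths() {
    as_home=$1; as_uid=$2; as_bad=0
    for as_p in "$as_home" "$as_home/.ssh" "$as_home/.ssh/authorized_keys"; do
        check_path "$as_p" "$as_uid" || as_bad=1
    done
    return "$as_bad"
}

# On the instance: audit_ssh_paths /home/robert "$(id -u robert)"
```

Each reported line names the path to fix; a clean run prints nothing and returns 0.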