
Update2:

$ ls -ld ~/.ssh
drwx------  8 user  staff  272  2 Oct 17:51 /Users/user/.ssh
$ ls -la ~/.ssh/config/file.pem 
-r--------@ 1 user staff 1692 2 Oct 17:11 /Users/user/.ssh/config/file.pem 
$ ls -la file.pem 
-rw-------@ 1 user staff 1692 2 Oct 17:11 localfile.pem

Update:

After switching the -i and -v flags I now get:

OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/user/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: /etc/ssh_config line 53: Applying options for *
debug1: Connecting to ec2-XX-XX-XXX-XXX.areacode.compute.amazonaws.com [IP] port 22.
debug1: Connection established.
debug1: identity file file.pem type -1
debug1: identity file file.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA fingerprint
debug1: Host 'ec2-XX-XX-XXX-XXX.ap-areacode.compute.amazonaws.com' is known and matches the RSA host key.
debug1: Found key in /Users/user/.ssh/known_hosts:11
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: file.pem
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).

I'm trying to ssh into an Amazon Linux EC2 instance from my Mac terminal. I followed these instructions: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html

But I get Permission denied (publickey).

My security settings allow my public ip to ssh.

It initially succeeded in:

Permanently added 'ec2-XX-XX-XXX-XXX.areacode.compute.amazonaws.com,YY.YY.YYY.YYY' (RSA) to the list of known hosts.

$ ssh -i ec2vb.pem e2c-user@ec2-XX-XX-XXX-XXX.ap-areacode.compute.amazonaws.com
Permission denied (publickey).

$ ssh -i -v /path/to/ec2/file.pem e2c-user@ec2-XX-XX-XXX-XXX.areacode.compute.amazonaws.com
Warning: Identity file -v not accessible: No such file or directory.
ssh: Could not resolve hostname /Developer/folder/ec2/file.pem: nodename nor servname provided, or not known

I also tried updating the key's permissions with chmod 600 and copying my key to the user's .ssh/config folder.

jskye
    You need to flip the `-i` and `-v` flags. The path to the ssh key needs to follow the `-i` flag immediately. – Gene Oct 02 '14 at 08:54
  • Thanks @Gene, I now get more debugging info. I also noticed that when I originally downloaded the pem file, I named it `my.key.pem` but it downloaded as `mykey.pem` and shows as `my.key.pem` on the AWS console. Anyhow, I tried renaming it too and still get the same result. – jskye Oct 02 '14 at 09:09
  • Please do an `ls -ld ~/.ssh` and `ls -la .ssh/file.pem`. I'm wondering if the permissions are incorrect. – Gene Oct 02 '14 at 09:19
  • added permissions results to question update – jskye Oct 02 '14 at 09:32
  • Your name is in the comment as well. You'll want to remove it there too. Also `~/.ssh/config` should be a file, not a directory. OpenSSH expects it to be a file. Also, your pem file has extended attributes on it. That will need to be removed. Run `xattr -l` against it. Whatever the attribute is, you can remove it with `xattr -d <attr_name> file.pem`. It's probably the attribute for where it was downloaded from, so this might work: `xattr -d com.apple.metadata:kMDItemWhereFroms file.pem` – Gene Oct 02 '14 at 09:36
  • I created an empty config file in .ssh; what is supposed to be in it? (There was none by default.) I removed the Apple and Google Chrome metadata on the local pem file. There is also: com.apple.quarantine: %%;Google Chrome;%% – jskye Oct 02 '14 at 09:54
  • [Here is a helpful page](http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/) that covers the ~/.ssh/config file. – Gene Oct 02 '14 at 09:56

2 Answers


OpenSSH is particular with how keys are stored and used. Do the following:

1) Create and ensure your ~/.ssh directory has the correct permissions:

$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
$ ls -ld ~/.ssh
drwx------ 2 username group 4096 Jun 10 19:47 /Users/username/.ssh

2) Copy the private key (in your case the .pem file) to the ~/.ssh directory and set the appropriate permissions:

$ cp ~/Downloads/filename.pem ~/.ssh/filename.pem
$ chmod 600 ~/.ssh/filename.pem

3) Since you are using OS X make sure Finder didn't set any unnecessary extended attributes and remove them:

$ xattr -l ~/.ssh/filename.pem
$ xattr -d <attr_name> ~/.ssh/filename.pem

4) Now you can try using the key:

$ ssh -i ~/.ssh/filename.pem username@remote.hostname.com

5) Once you have verified this works, you can use the ~/.ssh/config file to make connecting to the remote host easier, rather than having to manually specify the identity file to use. For example:

Host remote.hostname.com
  User username
  IdentityFile ~/.ssh/filename.pem

From this point forward you can just run ssh remote.hostname.com to connect to your remote server.

Gene
debug1: Trying private key: file.pem
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).

Your client sent the key to the server, and the server didn't accept it. As far as your client cares, your private key and local file and directory permissions are all fine. You need to troubleshoot this from the server side. I don't know how EC2 servers are special, but if this were a normal Unix server, you'd check the following:

  1. Look for messages in the server's log from sshd.
  2. Check the permissions on the e2c-user's home directory and .ssh directory on the server.
  3. Check the permissions for the ~ec2-user/.ssh/authorized_keys file on the server.
  4. Check that the public key for this private key that you're trying to use is actually in authorized_keys on the server. This can be done by going to the EC2 server-->Instances-->(select your instance)-->Description-->Key pair name (This should be the same as the name of the key you are using)
Kenster
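The permission rules from Gene's answer and the server-side checks from Kenster's answer, scripted as an added example (this is not code from either answer or from OpenSSH). It assumes a POSIX sh with GNU or BSD `stat`, and that the public key file used by `key_authorized` was produced on the client with `ssh-keygen -y -f file.pem > file.pub`; every path and key value in the usage comments is a placeholder.

```sh
# Added example, not code from either answer or from OpenSSH itself. Checks the
# file-mode rules OpenSSH applies before ssh will use a private key and before
# sshd (StrictModes, the default) will trust an authorized_keys file, and
# confirms that a given public key is really listed in authorized_keys.

# Octal permission bits of a path; GNU stat first, BSD/macOS stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# check_private PATH: the private key and ~/.ssh must grant nothing to group or
# others (600/400 for the key, 700 for the directory); otherwise ssh prints
# "Permissions ... are too open" and ignores the key. Returns 2 if PATH is missing.
check_private() {
    m=$(mode_of "$1") || return 2
    case "$m" in
        *00) return 0 ;;   # group and other digits are both zero
        *)   return 1 ;;
    esac
}

# check_not_writable PATH: on the server, the home directory, ~/.ssh and
# authorized_keys must not be group- or world-writable, or sshd refuses every
# key in the file and logs "Authentication refused: bad ownership or modes".
check_not_writable() {
    m=$(mode_of "$1") || return 2
    case "$m" in
        *[2367]? | *[2367]) return 1 ;;   # write bit in the group or other digit
        *)                  return 0 ;;
    esac
}

# key_authorized PUBKEY_FILE AUTHORIZED_KEYS: succeed only if the "type blob"
# from PUBKEY_FILE (for a .pem, generate it on the client with
# `ssh-keygen -y -f file.pem > file.pub`) appears in AUTHORIZED_KEYS.
# Comment lines, key comments and option prefixes are ignored.
key_authorized() {
    want=$(awk 'NF >= 2 { print $1 " " $2; exit }' "$1") || return 2
    [ -n "$want" ] || return 2
    awk -v want="$want" '!/^#/ && index($0, want) { f = 1 }
                         END { exit (f ? 0 : 1) }' "$2"
}

# Client (placeholder paths):  check_private ~/.ssh && check_private ~/.ssh/file.pem
# Server (placeholder paths):  check_not_writable ~ && check_not_writable ~/.ssh &&
#                              check_not_writable ~/.ssh/authorized_keys &&
#                              key_authorized file.pub ~/.ssh/authorized_keys
```

All of the server-side checks apply to the account named on the ssh command line, so that username must match the server account exactly (Amazon Linux AMIs use ec2-user).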