78

Recently I set up a new EC2 instance. The next day I was not able to connect to my instance via ssh. I could connect and disconnect the day before, I am sure I did nothing. Here is ssh debug info:

```
ssh -i webserver.pem -v ubuntu@my.elastic.ip
OpenSSH_5.9p1, OpenSSL 0.9.8r 8 Feb 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to my.elastic.ip [my.elastic.ip] port 22.
debug1: Connection established.
debug1: identity file webserver.pem type -1
debug1: identity file webserver.pem-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9
debug1: SSH2_MSG_KEXINIT sent
Connection closed by my.elastic.ip
```

Is there a way to resolve this issue? Or shall I reinstall my instance again?

PS rights to my .pem are set to 600.

halfer
Victor Davydov
  • duplicate of http://stackoverflow.com/questions/14466368/amazon-aws-ec2-instance-cant-connect-with-ssh ? – richvdh Mar 17 '15 at 16:15
  • it's often easy to forget the "ubuntu@" when you paste in the long current connection URL! – Fattie Jun 29 '19 at 18:20

11 Answers

453

My problem was that the username was incorrect. On Ubuntu instances it should be "ubuntu" and on Amazon instances it should be "ec2-user".

Tyler
  • I kinda wish this answer appeared first, since it is the safer option (you don't want to configure your Sec Group to be publicly open unless you've exhausted all other possibilities!) – olisteadman Sep 04 '19 at 16:12
  • I feel this should be visible high up in the answers since users would usually spin up an ubuntu instance. Same issue for me. – scientific_explorer Sep 10 '19 at 16:21
  • I think the issue is mainly because [aws documentation on ssh access](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html) does imply the user **ec2-user** + in the aws.console on instance at no point does it mention the default username for a freshly created instance. Not best work from Amazon, sorry! – humanityANDpeace Oct 11 '19 at 09:42
  • If it's an Ubuntu AMI, username should be `ubuntu` – Pedram Nov 30 '19 at 22:08
  • They should state this in this page https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html . It is a bit of wasting time for me :) – icn Dec 04 '19 at 17:48
  • Is this specified in the AWS documentation? if not, why? Why should the username be 'ubuntu'? – Manachi Apr 07 '20 at 01:47
45

Often times, you should use the default user name for the AMI that you used to launch your instance:

  • For Amazon Linux 2 or the Amazon Linux AMI, the user name is ec2-user.

  • For a CentOS AMI, the user name is centos.

  • For a Debian AMI, the user name is admin or root.

  • For a Fedora AMI, the user name is ec2-user or fedora.

  • For a RHEL AMI, the user name is ec2-user or root.

  • For a SUSE AMI, the user name is ec2-user or root.

  • For an Ubuntu AMI, the user name is ubuntu.

    Otherwise, if ec2-user and root don't work, check with the AMI provider.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connection-prereqs.html#connection-prereqs-get-info-about-instance

Community
KingNonso
16

Please check your username. If you are using an Ubuntu instance, try using "ubuntu" as the username instead of "ec2-user", and vice versa.

Shubham Goel
15

Check your security group. Make sure that you have an outbound rule that allows traffic to return from the instance.

With the default outbound rule

type: All traffic, Protocol: All, Ports: All, Destination: 0.0.0.0/0

it will work.

Sven Dukat
1

(1) Please check that, when you execute the ssh command, you are in the same folder where you put your pem key. Otherwise you should use "ssh -i /your_key_path/mykey.pem".

(2) If that doesn't help, I think you could create another key and set your EC2 instance through the AWS webpage. Then try again.

Freya Ren
  • Freya Ren, thank you for your response. Yes, path to .pem file is set correctly. I doublechecked this. I am not allowed to associate other key to my instance through web interface. I have created a snapshot before this issue came up, any suggestions how this can be helpful? Thank you. – Victor Davydov Jun 07 '13 at 21:14
  • It is weird as the error shows "webserver.pem not accessible: No such file or directory". Maybe you should try this "chmod -R go-wrx ~/.ssh". Or, you should double check whether the instance is terminated or it uses another key. If that still doesn't work, I guess you should start another instance and try. – Freya Ren Jun 08 '13 at 00:21
  • I have updated the debug log. So I had the same problem with my previous instance, this is why I had to set up a new one. I don't have any idea why it is broken as I didn't change anything on my end... – Victor Davydov Jun 08 '13 at 08:51
  • I have just created another instance and I can connect to it. So I'd rather set everything up again. – Victor Davydov Jun 08 '13 at 16:01
  • @VictorDavydov, it happens to me frequently that I am not able to re-connect to an instance to which I could connect before. In my case it's because my ISP is occasionally changing my home IP address. So in that case I go into the AWS console and edit the security group, and select again "My IP" in the SSH Allow From. After that I am again able to connect. – Sorin Postelnicu Dec 26 '18 at 08:50
0

I had this problem and it turned out the PEM file was incorrect. You can check following the instructions in Amazon EC2 Key Pairs - Verifying Your Key Pair's Fingerprint:

If you created your key pair using AWS, you can use the OpenSSL tools to generate a fingerprint from the private key file:

```
$ openssl pkcs8 -in path_to_private_key -inform PEM -outform DER -topk8 -nocrypt | openssl sha1 -c
```

If you created your key pair using a third-party tool and uploaded the public key to AWS, you can use the OpenSSL tools to generate a fingerprint from the private key file on your local machine:

```
$ openssl rsa -in path_to_private_key -pubout -outform DER | openssl md5 -c
```

The output should match the fingerprint that's displayed in the console.

parsley72
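
The fingerprint check from this answer wrapped in a script, as an added example that is not part of the original answer or of the AWS documentation. The function names are hypothetical, and it assumes an unencrypted RSA private key in PEM form and `openssl` on the PATH.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical, not an AWS or OpenSSL API.
# Assumes an unencrypted RSA private key (PEM) and openssl on the PATH.

# Strip the "(stdin)= " / "SHA1(stdin)= " prefix (it differs between OpenSSL
# versions), lowercase the hex and drop whitespace so values compare reliably.
normalize_fp() {
    sed 's/^.*= *//' | tr 'A-F' 'a-f' | tr -d ' \r\n'
}

# Key pair created by AWS: SHA-1 over the DER-encoded PKCS#8 private key.
aws_created_fp() {
    openssl pkcs8 -in "$1" -inform PEM -outform DER -topk8 -nocrypt 2>/dev/null |
        openssl sha1 -c | normalize_fp
}

# Key pair created elsewhere and uploaded: MD5 over the DER-encoded public key.
aws_imported_fp() {
    openssl rsa -in "$1" -pubout -outform DER 2>/dev/null |
        openssl md5 -c | normalize_fp
}

# check_key KEYFILE CONSOLE_FINGERPRINT
# Returns 0 on a match, 1 on a mismatch, 2 if the key file cannot be read.
check_key() {
    local key=$1 want
    want=$(printf '%s' "$2" | normalize_fp)
    [ -r "$key" ] || { echo "cannot read $key" >&2; return 2; }
    if [ "$(aws_created_fp "$key")" = "$want" ]; then
        echo "match: key pair created by AWS"
    elif [ "$(aws_imported_fp "$key")" = "$want" ]; then
        echo "match: key pair uploaded to AWS"
    else
        echo "no match: not the key pair shown in the console" >&2
        return 1
    fi
}

# Stand-alone use: script.sh path_to_private_key 'fingerprint-from-console'
if [ "$#" -eq 2 ]; then
    check_key "$1" "$2"
fi
```

A mismatch under both schemes means the local PEM file is not the key pair shown in the console, which is the situation this answer describes.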
0

I had the same issue. It's a problem with the permissions you give to the pem private key file. Make sure you run the ssh command in the terminal with sudo (administrative) access.

0

I have the same issue but I fixed it by "restarting" the EC2. Note that restarting EC2 does not change its IP address but stopping and starting it again does change it.

It was an easy fix but make sure you can bear the small downtime. In my case website stopped working suddenly.

Sahil Gupta
0

Solved this issue by creating a new private key file/pair.

The problem arose while I wanted to reuse an existing key a few days after its creation. Then, just use the commands provided here

David Thery
0

I had this problem with an Ubuntu VM, so:

  1. the security groups with 22/tcp access was ok
  2. the user name is ubuntu, ok
  3. accessed using the pem key and
  4. /var/log/auth.log was showing the session end in the preauth stage (not ok)
  5. Noticed there's a missing package: ec2-instance-connect (ref: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-instance-connect-troubleshooting/) (not ok)
  6. `sudo apt install ec2-instance-connect`

After that, got access through instance connect

FabricioFCarv
0

I had this problem when using EC2 instance connect. I finally could connect after downgrading my Ubuntu version from 22 to 20.

Steve Lukis