
I'm trying to connect to my EC2 instance with SSH and I'm going crazy. I have read this post and tried all user combinations:

AWS ssh access 'Permission denied (publickey)' issue

It's still not working for me. Any idea what I am missing?

roberto@ubuntu:~/keys$ ssh -v -i ec2-key-pair.pem ec2-user@ec2-54-72-242-0.eu-west-1.compute.amazonaws.com
OpenSSH_6.6, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to ec2-54-72-242-0.eu-west-1.compute.amazonaws.com [54.72.242.0] port 22.
debug1: Connection established.
debug1: identity file ec2-key-pair.pem type -1
debug1: identity file ec2-key-pair.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6p1 Ubuntu-2ubuntu1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA e4:06:ee:a5:a5:d2:97:5f:0f:b7:06:5e:f2:b3:da:26
debug1: Host 'ec2-54-72-242-0.eu-west-1.compute.amazonaws.com' is known and matches the ECDSA host key.
debug1: Found key in /home/roberto/.ssh/known_hosts:3
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: ec2-key-pair.pem
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).

UPDATE: 

According to @aldanux's suggestions:

roberto@ubuntu:~/keys$ ssh-keygen -R 54.72.242.0
# Host 54.72.242.0 found: line 4 type ECDSA
/home/roberto/.ssh/known_hosts updated.
Original contents retained as /home/roberto/.ssh/known_hosts.old
roberto@ubuntu:~/keys$ ssh -i ec2-key-pair.pem ec2-user@ec2-54-72-242-0.eu-west-1.compute.amazonaws.com
Warning: Permanently added the ECDSA host key for IP address '54.72.242.0' to the list of known hosts.
Permission denied (publickey).
Rober

9 Answers


You are probably logging in as the wrong user. If it's an Ubuntu instance the command would be:

ssh -v -i ec2-key-pair.pem ubuntu@ec2-54-72-242-0.eu-west-1.compute.amazonaws.com
Rico
    In my case, we had been using Ubuntu so I was used to using the ubuntu user: ubuntu@host. I was getting this error when testing the Amazon Linux AMI. For Amazon Linux you must connect as ec2-user@host – Michael Rush Mar 10 '15 at 16:11
  • This is the answer I was looking for.. Tnx:) – Dilip Rajkumar Aug 27 '16 at 08:33

While not specific to AWS, this unhelpful error message

debug1: key_parse_private2: missing begin marker

will occur under a handful of obscure scenarios, such as when the ownership (or the permissions) on the SSH user's home directory are incorrect on the remote machine.

The best way to troubleshoot this and similar obscure messages is to examine the authorization log on the remote machine, provided you have access, as it will usually pinpoint the problem. On Debian and Ubuntu systems, this is most easily accomplished with tail (use sudo as appropriate):

tail -f -n 80 /var/log/auth.log

In my particular case, I found

Authentication refused: bad ownership or modes for directory /var/www

Perfectly accurate and concise: the owner:group was set to daemon:daemon when it should have been www-data:www-data (this was on an Ubuntu machine that must have had some other web server installed in the past).

Ben Johnson
  • Thank you very much. The permissions of the .ssh directory were 775 which granted write access to group members. The connection was rejected because of this. Changing it to 755 did the trick. – egelev May 03 '16 at 16:06
  • Thanks, looking in `auth.log` on the remote machine solved my issues, which was `Bad options in /home/backup/.ssh/authorized_keys file ...` (I had no quotes (`"`) in `from="ip1,ip2"`). But actually `debug1: key_parse_private2: missing begin marker` is still shown in `ssh -v`, even when it works. – dentarg Jun 15 '16 at 19:23
    @dentarg Thanks for sharing that useful observation: `debug1: key_parse_private2: missing begin marker` is still shown in `ssh -v` output, even when it works. Hmm... so maybe this message was a "red herring" in my case. I suppose the answer is still useful, and I'd like to edit it to better reflect the essence of your observation in this regard. What's the *true* root-cause for this message, I wonder. – Ben Johnson Jul 10 '16 at 20:10
  • As a note for others, debugging a similar issue with a Vagrant CentOS 7 box, I found the auth.log wasn't present, instead it was at /var/log/secure. – karlos Oct 09 '17 at 19:14
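The auth.log approach from this answer, as an added example that is not part of the original answer: a Python script that reproduces sshd's StrictModes ownership/mode check on the home -> .ssh -> authorized_keys chain (the rules are an assumption modelled on sshd's secure_filename()) and extracts the offending paths from constructed auth.log lines.

```python
import os, re, stat, tempfile
from pathlib import Path

# Added example, not from the original answer: reproduce the check sshd makes
# with StrictModes (the default) before it reads ~/.ssh/authorized_keys, and
# pull the matching refusals out of auth.log. Assumed rules, as in sshd's
# secure_filename(): key file and every directory up to the home directory are
# owned by root or the user and are not group- or world-writable.

REFUSAL = re.compile(r"Authentication refused: bad ownership or modes for "
                     r"(?:directory|file) (?P<path>\S+)")

# Constructed auth.log sample; the first entry is the message quoted above.
SAMPLE_AUTH_LOG = [
    "Apr 30 16:05:01 ip-10-0-0-5 sshd[2231]: Authentication refused: "
    "bad ownership or modes for directory /var/www",
    "May  3 16:06:12 ip-10-0-0-5 sshd[2410]: Authentication refused: "
    "bad ownership or modes for directory /home/ubuntu/.ssh",
]

def strict_modes_problems(home, uid, key_file=".ssh/authorized_keys"):
    """Findings for home -> .ssh -> authorized_keys; [] means sshd accepts."""
    home = Path(home).resolve()
    target = home / key_file
    findings = []
    for path in [target, *target.parents]:       # file first, then upwards
        if not path.exists():
            findings.append(f"missing: {path}")
        else:
            st = path.stat()
            if st.st_uid not in (0, uid):
                findings.append(f"bad owner (uid {st.st_uid}) on {path}")
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"bad modes {oct(stat.S_IMODE(st.st_mode))} on {path}")
        if path == home:                         # stop at the home directory
            break
    return findings

def refused_paths(log_lines):
    """Paths named in 'Authentication refused: bad ownership or modes' lines."""
    return [m.group("path") for m in map(REFUSAL.search, log_lines) if m]

def make_demo_home():
    """Throwaway home whose .ssh is 775, the case reported in the comments."""
    home = tempfile.mkdtemp()                    # mkdtemp creates it 0o700
    ssh_dir = Path(home) / ".ssh"
    ssh_dir.mkdir()
    (ssh_dir / "authorized_keys").write_text("ssh-rsa AAAA constructed\n")
    (ssh_dir / "authorized_keys").chmod(0o600)
    ssh_dir.chmod(0o775)
    return home, os.getuid()
```

On the remote machine, `strict_modes_problems(os.path.expanduser("~"), os.getuid())` reports the same complaint sshd writes to auth.log; `make_demo_home()` reproduces the 775 .ssh directory from the comments.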

I had a similar issue, "key_parse_private2: missing begin marker", while using the username 'ec2-user', but it got fixed when I changed the user to ubuntu.

changeagent

Try these steps:

ssh-keygen -R 54.72.242.0

sudo chmod 600 ec2-key-pair.pem

and then:

ssh -i ec2-key-pair.pem ec2-user@ec2-54-72-242-0.eu-west-1.compute.amazonaws.com
Black Sheep
    See my updated comment above from the execution you suggested. Still the same :( – Rober Apr 30 '14 at 16:05
  • Ok.. don't panic... Have you tried to connect directly in the console from EC2? Go to your instance... you have to use firefox... click on `connect` and then choose `A Java SSH Client directly from my browser`.. try it there first... If you are connected... it is a good sign... disconnect from there... then try first `ssh -i .....` on your terminal... if that does not work then try the steps from my answer... Good luck! :) Ask me again if you have any question or problem! – Black Sheep Apr 30 '14 at 17:58
  • @Aldamur I really appreciate your comments. I have tried to connect, however, I got the "Instance is not associated with a key pair" message. I have a key pair in the key pairs section, but I don't know how to associate it with the instance. I have read a post that says a key pair cannot be associated to an existing instance, but I have also tried to terminate and create a new instance and it is still not associated. I'm using Elastic Beanstalk to create the instance. How can I do this? I think this is the problem. – Rober Apr 30 '14 at 22:32
  • In your question you said EC2 Instance? Is that what you want? So, you have to go to EC2 and launch the Instance there... make a new Key pair (a precaution)... download your key pair... and launch... then try my steps again... then it has to work for sure! – Black Sheep May 01 '14 at 00:53
  • sorry, I'm just learning, what I mean to say is that I want to connect to an instance with ssh. But I'm not creating the instance manually, but using Elastic Beanstalk; I thought Elastic Beanstalk creates an EC2 instance for you. The problem is that the instance does not have the key pair (which already exists) associated. Is it possible to do it like I'm trying to do, or should I create an EC2 instance manually (without EB)? – Rober May 01 '14 at 08:05
  • Don't worry... I never used `EBS` before :) So, did you try this way -> [SSH to EBS](http://stackoverflow.com/questions/4742478/ssh-to-elastic-beanstalk-instance)? You have to know about EBS: `Developers are forced to live with all the decisions pre-determined by the vendor - with little to no opportunity to take back control over various parts of their application's infrastructure.` -- What do you want to achieve? – Black Sheep May 01 '14 at 12:12
  • Mmmm, I don't like how it sounds. I wanted to use EB because it was really easy to deploy using git and aws.push. I hope you can do something like this without EB. I will try to do it creating the EC2 instance manually. Thank you so much for your help. Probably you will know about me later :) – Rober May 01 '14 at 17:42
  • Hi @aldanux, finally I succeeded with the ssh connection (following your instructions). However the purpose of that was to have access to check the logs, because I'm trying to deploy my first sample app with no luck so far. Could you please have a look at my new post: http://stackoverflow.com/questions/23425009/aws-elastic-beanstalk-rails-were-sorry-but-something-went-wrong-in-ubuntu . Thank you so much. I have seen in your profile you are in Spain, I would like to contact you if it is ok for you. – Rober May 02 '14 at 09:43

Another thing to check is PermitRootLogin and AllowUsers in /etc/ssh/sshd_config.

This debug1: key_parse_private2: missing begin marker appears even after successful key authorization if your user's access is restricted.

FelikZ

Yes, indeed a quite misleading message. In my case I used the wrong key for the instance.

We had needed to remove the key pair and create a new one, except that our instance kept using the old one (because you can't do it that easily).

The error message was the same, so it's worth checking that the key name in your AWS panel for the instance matches the key pair that you use in Key Pairs.

Bartosz Dabrowski

Logging in as "admin" worked for me. Based on your instance type the login user changes: ec2-user or ubuntu or, in my case, admin.

ssh -v -i ./my_key_file.pem admin@ec2-11-222-333-44.compute-1.amazonaws.com

Also ensure the permissions on the pem file are 600:

chmod 600 ./my_key_file.pem

Anish

One easy way to get this error is a corrupt .pem file.

For example, if the last line is missing, you get "missing begin marker".

Make sure the .pem ends with:

-----END RSA PRIVATE KEY-----

TimT
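The truncated .pem case above, as an added example that is not part of the original answer: a Python check of the PEM framing that reports a missing or mismatched END marker and a body that is not valid base64 (make_sample() builds a constructed placeholder body, not real key material).

```python
import base64
import re
import textwrap

# Added example, not from the original answer: check the framing of a PEM key
# such as an EC2 .pem before blaming ssh. Note that OpenSSH first tries its own
# "-----BEGIN OPENSSH PRIVATE KEY-----" format; the debug line
# "key_parse_private2: missing begin marker" comes from that attempt and is
# also printed for a perfectly good PEM key, after which ssh falls back to the
# PEM parser, which needs a matching BEGIN/END pair around a base64 body.

MARKER = re.compile(r"^-----(BEGIN|END) ([A-Z ]+)-----$")

def pem_problems(text):
    """Findings for one PEM block; an empty list means the framing is intact."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    begin = MARKER.match(lines[0]) if lines else None
    if begin is None or begin.group(1) != "BEGIN":
        return ["missing BEGIN marker on the first line"]
    label = begin.group(2)
    findings = []
    end = MARKER.match(lines[-1]) if len(lines) > 1 else None
    if end is None or end.group(1) != "END":
        findings.append(f"missing END marker (expected '-----END {label}-----')")
        body = lines[1:]
    else:
        if end.group(2) != label:
            findings.append(f"END label '{end.group(2)}' does not match '{label}'")
        body = lines[1:-1]
    while body and ":" in body[0]:          # skip Proc-Type/DEK-Info headers
        body = body[1:]
    try:
        if not base64.b64decode("".join(body), validate=True):
            findings.append("empty key body")
    except ValueError:                      # binascii.Error is a ValueError
        findings.append("key body is not valid base64 (corrupt or truncated?)")
    return findings

def make_sample(truncated=False):
    """Constructed stand-in for an EC2 .pem (not a real key): a base64 body
    wrapped at 64 columns; truncated=True drops the final END line."""
    body = base64.b64encode(b"constructed placeholder, not key material " * 4)
    lines = ["-----BEGIN RSA PRIVATE KEY-----",
             *textwrap.wrap(body.decode(), 64),
             "-----END RSA PRIVATE KEY-----"]
    if truncated:
        lines.pop()
    return "\n".join(lines) + "\n"
```

Run `pem_problems(open("ec2-key-pair.pem").read())` on the local copy of the key; an empty list means the file's framing is not the problem.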

Many problems may cause this connectivity issue. Please review the following settings:

  1. AWS security group settings; check the SSH port 22 policy.
  2. Check the firewall settings you are using in your LAN connection.
  3. Generate an SSH key with ssh-keygen on your local machine and add it to the AWS Linux server for future safety.
  4. Regenerate the new SSH key in the panel.
  5. Check your IP blacklist on mxtoolbox if you are using a firewall on the AWS Linux server.

Please try all of the above if possible to overcome the error. Let me know if it's working or not.

Xan