I created several EC2 instances running Amazon Linux 2 a few weeks ago, all with SSH access. A few days ago, one instance stopped allowing SSH access with the message ec2-user@10.0.145.93: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
- an error message I'd expect to see if my SSH keys were invalid.
The instance is still running, and the cron jobs I configured on it are still running as normal. I don't have serial console to the instance but I was able to create an AMI and then a VMDK from the instance in its current state and mount the filesystem to attempt to figure out what's wrong. As far as I can tell all the SSH configuration is still as I configured it: all the correct keys are still present in ~/.ssh/authorized_keys
and the contents of /etc/ssh/
are identical to a clean AL2 install.
The security groups haven't changed (they still allow SSH access) and the SSHD config is the same, so what is going on?
I can't check the permissions as they are on the instance, the act of mounting the filesystem changes all the permissions and ownerships. I'm not sure what would have caused the permissions/ownerships to have changed anyway on the instance?
You will need to review to the OS level logs for that information.
You're right, sshd is reporting 'bad ownership or modes for directory /home/ec2-user', and the permissions for /home/ec2-user have changed from 700 to 775. Any ideas what might have caused the mode/ownership to change?
Found it. One of our build scripts creates a file using
umask 022
. I didn't realise it defaulted to use~
if the actual build location was missing - hence the permissions of~
and all its parent directories changed! Lesson learnt...