EC2 instance has started refusing SSH access

0

I created several EC2 instances running Amazon Linux 2 a few weeks ago, all with SSH access. A few days ago, one instance stopped allowing SSH access with the message ec2-user@10.0.145.93: Permission denied (publickey,gssapi-keyex,gssapi-with-mic). - an error message I'd expect to see if my SSH keys were invalid.

The instance is still running, and the cron jobs I configured on it are still running as normal. I don't have serial console to the instance but I was able to create an AMI and then a VMDK from the instance in its current state and mount the filesystem to attempt to figure out what's wrong. As far as I can tell all the SSH configuration is still as I configured it: all the correct keys are still present in ~/.ssh/authorized_keys and the contents of /etc/ssh/ are identical to a clean AL2 install.

The security groups haven't changed (they still allow SSH access) and the SSHD config is the same, so what is going on?

asked 2 years ago, 467 views
1 Answer
2
Accepted Answer

Check the permissions on your home directory, the .ssh directory, and the authorized_keys file.

AWS
EXPERT
answered 2 years ago
EXPERT
reviewed 8 months ago
  • I can't check the permissions as they are on the instance, the act of mounting the filesystem changes all the permissions and ownerships. I'm not sure what would have caused the permissions/ownerships to have changed anyway on the instance?

  • You will need to review the OS-level logs for that information.

  • You're right, sshd is reporting 'bad ownership or modes for directory /home/ec2-user', and the permissions for /home/ec2-user have changed from 700 to 775. Any ideas what might have caused the mode/ownership to change?

  • Found it. One of our build scripts creates a file using umask 022. I didn't realise it defaulted to use ~ if the actual build location was missing - hence the permissions of ~ and all its parent directories changed! Lesson learnt...
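The thread above boils down to sshd's StrictModes check: with the default `StrictModes yes`, sshd refuses a public key when the home directory, `~/.ssh` or `~/.ssh/authorized_keys` is writable by group or others, or is owned by someone other than the user or root. The script below is an added example, not from the thread or from OpenSSH; it reproduces that test so you can confirm a diagnosis like the 775 home directory found here. It assumes GNU `stat` (present on Amazon Linux 2) and the hypothetical function names `check_path` and `check_ssh_perms`.

```shell
#!/bin/sh
# Added example: reproduce the StrictModes ownership/mode test behind
# "bad ownership or modes for directory /home/<user>". Assumes GNU stat.

# check_path <path> <user>: print a finding and return 1 if <path> would
# fail sshd's test (wrong owner, or group/other write bit set); else return 0.
check_path() {
    path=$1; user=$2
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    owner=$(stat -c '%U' "$path")
    sym=$(stat -c '%A' "$path")          # e.g. drwxrwxr-x
    bad=0
    # sshd accepts the user or root as owner, nobody else
    if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
        echo "OWNER    $path is owned by $owner, expected $user"
        bad=1
    fi
    # group write bit is character 6, other write bit is character 9
    case "$sym" in
        ?????w????|????????w?)
            echo "MODE     $path is $(stat -c '%a' "$path"), group/other writable"
            bad=1 ;;
    esac
    return $bad
}

# check_ssh_perms <home> <user>: run check_path over the three paths sshd
# inspects for public-key login; return 1 if any of them would be refused.
check_ssh_perms() {
    home=$1; user=$2
    fail=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$user" || fail=1
    done
    return $fail
}

# Usage: sh check_ssh_perms.sh /home/ec2-user ec2-user
if [ $# -eq 2 ]; then
    check_ssh_perms "$1" "$2" && echo "OK: sshd would accept these key files"
fi
```

A 775 home directory, as in this thread, is reported as "MODE ... group/other writable"; `chmod 700` on the home directory (or 755, which sshd also accepts) clears it.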
