EC2 Instance Connect to new Debian 12 instance -- Unable to SSH

0

I'm testing my software on various Linux distros. I recently finished Ubuntu, RHEL, and AWS Linux quickstart AMI's and everything went great.

As part of the testing I wanted to try a vanilla Debian 12 instance and explore.

I created a EC2 Debian instance with a new KeyPair and new Security Group via the Launch Instance facility with all default settings.

I used this quickstart debian AMI: ami-0aafdae616ee7c9b7 (64-bit (x86))

Once the Instance was up and the Status Checks had started and passed I attempt to SSH to the instance using EC2 Instance Connect and I receive this error:

Failed to connect to your instance Error establishing SSH connection to your instance. Try again later.

Instance Connect is using the admin user of course, by default. The auto-created 'launch-wizard' security group looks fine... port 22 is open.

I've tried this a number of times and doing the most generic use-case possible all via the AWS UI.

Any idea why I would not be able to SSH successfully.

Gary
asked 4 months ago800 views
5 Answers
1
Accepted Answer

Hi Gary,

Just made it and working fine. So maybe you should redeploy it or review VPC settings (SG, IGW, Route Table, KEYS and etc).

EC2 Serial Console you have right, it's not available for that AMI there.

21:21:24-drixter@devil:~$ ssh -C -l admin 54.153.xx.xx
The authenticity of host '54.153.xx.xx (54.153.xx.xx)' can't be established.
ED25519 key fingerprint is SHA256:hOyemVtyfpoY6RawlL75Em6sUQPw6rzW0QvLdF296jw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '54.153.xx.xx' (ED25519) to the list of known hosts.
Linux ip-172-31-15-181 6.1.0-13-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55                                                                                                                                                             -1 (2023-09-29) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
admin@ip-172-31-15-181:~$ uname -a
Linux ip-172-31-15-181 6.1.0-13-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64 GNU/Linux
admin@ip-172-31-15-181:~$ cat /etc/debian_version
12.2
admin@ip-172-31-15-181:~$ sudo su -
root@ip-172-31-15-181:~#

Thanks,

profile picture
answered 4 months ago
profile pictureAWS
EXPERT
reviewed 4 months ago
  • Will do! And will come back and update here if I find root cause. Thx for that sanity check there.

  • Marcin, btw, I thought I'd let you know that, the root cause for both debian and rhel not allowing Instance Connect (or ssh from my work machine) to my EC2 instances was, for some reason, .ssh/authorized_keys did not get the public ssh key for the KeyPair that I selected when instantiating the instance. On a hunch, I created a cloud-init script and for both operating systems and in that script added the appropropriate "ssh-rsa ..." to authorized_keys and it worked just fine.

    For my other EC2 instances using Ubuntu or Aws Linux, those keys are already present for the "ec2-user" and "debian" users (respectively) in the authorized_keys file under .ssh and don't require this workaround.

    Very odd indeed, haha.

    Not sure why this happens, but I'm now building this functionality into my instance provisioning (which is all done in Java via AWS API) via cloud-init scripts.

1

There are a few things to check that could be causing the issue connecting to your new Debian EC2 instance via SSH:

  1. Confirm the instance security group allows incoming SSH on port 22 from your IP address. The default security group often only allows SSH from other instances in the same security group. You may need to add a rule to allow your public IP.

  2. Check that SSH is actually running on the instance. Connect using AWS Systems Manager Session Manager and verify the SSH service is active by running:

sudo systemctl status ssh
  1. Confirm there is no firewall on the instance blocking SSH connections. Debian does not enable firewall by default, but you can check with:
sudo ufw status
  1. Verify the SSH daemon configuration allows SSH over port 22. The /etc/ssh/sshd_config should have:
Port 22
#Port 22
  1. Check that the root volume has permissions to allow the ec2-user SSH access. Run ls -ld / and confirm the permissions allow access.

  2. As a last resort, try rebooting the Debian instance to restart all services.

If it still doesn't work after verifying those items, there may be an issue with the Debian AMI that needs further debugging. The AWS Linux, Ubuntu, RHEL images are better tested for EC2 compatibility.

AWS
Saad
answered 4 months ago
  • Great info, BTW.

    #1 checks out.

    Also I'm connecting (initially at least) from the AWS console. Not even attempting to connect any other way, initially.

    Here's the trick. I can't even get on the new Instance a minute after creating it to check most of these settings.

    Even the AWS console's EC2 Instance Connect cannot connect. So checking #2, #3 and #4 are not checkable as I can't even get onto the instance from AWS EC2 console.

1

Hi Gary,

Did you follow about below? It's require public IP and so on. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html#TroubleshootingInstancesConnectionTimeout

As last option, login over EC2 Serial Console?

Thanks,

profile picture
answered 4 months ago
  • Thx for that suggestion :) Yes, It's got a public IP that the EC2 Instance Connect is attempting to connect over that IP. Serial Console is definitely a good idea but apparently Debian quickstart image does not allow Console:

    This instance type is not supported for the EC2 serial console. To connect to the serial port of an instance using the EC2 serial console, the instance must use an instance type that is built on the AWS Nitro System. You can change the instance type to a supported virtualized instance type or bare metal instance type.

1

Hi Gary,

So maybe this AMI is broken, on which Region did you run it? Maybe I'll test by myself to look around.

About EC2 Serial Console, this works perfectly fine for me custom Debian image with HVM virtualization :-)

Thanks,

profile picture
answered 4 months ago
  • Thanks for your time Marcin. Appreciate it a lot. This is on us-west-1 and I'm using the generic quickstart Debian 12 ami in that region (ami-0aafdae616ee7c9b7).

    Like you say, I do wonder if it's broken. But it's been 24 hours and you'd think someone in the region would have reported to AWS, but maybe that's me, haha.

    Cheers! Gary

0

Hello. I'm in ap-east-1 and I face this issue two, only debian system can not connect through console, other system works fine

wxhoho
answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions