This "Permission denied (publickey,gssapi-keyex,gssapi-with-mic)" error typically occurs when SSH authentication fails. Here are several troubleshooting steps to resolve this issue:
- Key Permissions: While you've already set the permissions to 400, double-check that the parent directories don't have overly permissive settings. SSH can be sensitive to directory permissions as well.
- Correct Username: Verify you're using the correct username for your AMI. For Amazon Linux, it's typically "ec2-user", but other distributions use different usernames (Ubuntu uses "ubuntu", for example).
- Add the IdentitiesOnly Option: Try adding the -o "IdentitiesOnly=yes" option to your SSH command to ensure only the specified key is used:
    ssh -o "IdentitiesOnly=yes" -i mykeypair.pem ec2-user@YOUR-PUBLIC-IP
- Check Instance State: Ensure your instance is fully initialized and running. Sometimes connection issues occur if you try to connect too soon after launching.
- Security Group Configuration: Confirm your security group is correctly configured to allow SSH traffic on port 22 from your IP address.
- Try EC2 Instance Connect: As an alternative, you can try connecting through the AWS Console using EC2 Instance Connect, which doesn't require managing SSH keys locally.
- Check SSH Client Debug Information: Run your SSH command with verbose logging to get more details:
    ssh -v -i mykeypair.pem ec2-user@YOUR-PUBLIC-IP
- AMI Compatibility: Some minimal AMIs might not have the necessary components for EC2 Instance Connect. If you're using a minimal AMI, try switching to a standard Amazon Linux AMI.
- Delete Known Hosts File: If you've connected to other instances with the same IP previously, try removing the known_hosts file:
    cd ~/.ssh && rm -Rf known_hosts
If these steps don't resolve the issue, you might want to try connecting using AWS Systems Manager Session Manager as an alternative method that doesn't rely on SSH.
Sources
Unable to SSH to EC2 instance after successfully running Instance Connect send-ssh-public-key command | AWS re:Post
EC2: Cannot connect anymore via Instance Connect or SSH command line | AWS re:Post
Suddenly stopped connecting to EC2 with OpeSSH (through Mac) | AWS re:Post
------ VERBOSE LOG
OpenSSH_6.9p1, LibreSSL 2.1.8
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to MY.PUBLIC.IP [MY.PUBLIC.IP] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file ec2key.pem type -1
debug1: key_load_public: No such file or directory
debug1: identity file ec2key.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.7
debug1: match: OpenSSH_8.7 pat OpenSSH* compat 0x04000000
debug1: Authenticating to MY.PUBLIC.IP:22 as 'ec2-user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client (...)@openssh.com <implicit> none
debug1: kex: client->server (...)@openssh.com <implicit> none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:vjALf/am2Wu5+rrSmMMFBzEXzfEg4Px5jnpDkX9ztwI
debug1: Host 'MY.PUBLIC.IP' is known and matches the ECDSA host key.
debug1: Found key in known_hosts:9
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Trying private key: ec2key.pem
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
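An added example, not part of the original thread: a small triage of `ssh -v` output that maps the log to the troubleshooting steps above (network, known_hosts, local key file, or the server rejecting the key). The function name `diagnose` and the verdict labels are made up for this sketch; the sample lines are excerpted from the verbose log posted above.

```python
import re

# Lines excerpted from the `ssh -v` output posted in this thread.
SAMPLE_LOG = """\
debug1: Connection established.
debug1: identity file ec2key.pem type -1
debug1: Authenticating to MY.PUBLIC.IP:22 as 'ec2-user'
debug1: Host 'MY.PUBLIC.IP' is known and matches the ECDSA host key.
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Trying private key: ec2key.pem
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
"""


def diagnose(log: str) -> dict:
    """Summarise where an `ssh -v` session failed (client-side view only)."""
    user = re.search(r"Authenticating to \S+ as '([^']+)'", log)
    # Keys the client actually sent; the wording differs between OpenSSH versions.
    keys = re.findall(
        r"(?:Trying private key|Offering (?:\w+ )?public key): (\S+)", log)
    if "Connection established" not in log:
        verdict = "network"              # security group, instance state, wrong IP
    elif "REMOTE HOST IDENTIFICATION HAS CHANGED" in log:
        verdict = "host-key-mismatch"    # stale known_hosts entry for this IP
    elif "UNPROTECTED PRIVATE KEY FILE" in log or re.search(r'Load key "[^"]+":', log):
        verdict = "local-key-unusable"   # permissions or format of the key file
    elif "Permission denied (" in log:
        verdict = "server-rejected-key" if keys else "no-key-offered"
    else:
        verdict = "no-failure-found"
    return {
        "user": user.group(1) if user else None,
        "host_key_known": "is known and matches" in log,
        "keys_sent": keys,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

For the log in this thread the result is `server-rejected-key` with `host_key_known` true: the connection, the known_hosts entry and the local key file all passed, and the server declined the one key sent for `ec2-user`, which leaves the username and whether this key pair is the one installed on the instance as the things to check.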
