【发布时间】:2015-08-04 00:37:07
【问题描述】:
问题:我无法 SSH 进入我的亚马逊网络服务 (AWS) 实例。
有很多关于此的主题,但这些问题已通过更改登录用户名解决。我的问题似乎没有被其他用户名解决。以前通过更改登录用户名回答的问题可以在以下位置找到:
- AWS ssh access 'Permission denied (publickey)' issue
- Permission denied (publickey) when SSH Access to Amazon EC2 instance
这是 SSH 尝试的详细输出:
/development/aws$ > ssh -vvv -i "/development/aws/cgwebsites-wp.pem" ec2-user@52.24.142.84
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 52.24.142.84 [52.24.142.84] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/development/aws/cgwebsites-wp.pem" as a RSA1 public key
debug1: identity file /development/aws/cgwebsites-wp.pem type -1
debug1: identity file /development/aws/cgwebsites-wp.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH*
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "52.24.142.84" from file "/Users/cgood92/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5-etm@openssh.com
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug2: mac_setup: found hmac-md5-etm@openssh.com
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 114/256
debug2: bits set: 518/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA b5:4d:14:77:0a:8b:54:2c:5e:38:8d:8d:7b:91:da:2f
debug3: load_hostkeys: loading entries for host "52.24.142.84" from file "/Users/cgood92/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
The authenticity of host '52.24.142.84 (52.24.142.84)' can't be established.
RSA key fingerprint is b5:4d:14:77:0a:8b:54:2c:5e:38:8d:8d:7b:91:da:2f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '52.24.142.84' (RSA) to the list of known hosts.
debug2: bits set: 534/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /development/aws/cgwebsites-wp.pem (0x0), explicit
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /development/aws/cgwebsites-wp.pem
debug1: read PEM private key done: type RSA
debug3: sign_and_send_pubkey: RSA 0b:e9:55:d9:db:d5:a6:d7:c5:6e:2d:0c:fc:0c:1f:2b
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
所以我的问题是Permission denied (publickey). 问题。
这是我为调试它所做的。
1) 我已验证我使用的是正确的elastic ip address。我也尝试过使用更长的Public DNS 地址,结果完全相同。所以我确信我有正确的主机。
2) 我已确定安全组规则允许 SSH。首先,它已经设置为允许端口 22 上的 TCP 传入流量。为了安全起见,我添加了一条规则,允许所有端口的所有 TCP 传入流量,所有 IP 地址。传出流量有一个规则,允许所有内容到任何地方。
3) 我已确认我使用了正确的密钥对名称。它位于“EC2”>“实例”>“密钥对名称”下。它说“cgwebsites-wp”,我在本地 /development/aws/cgwebsites-wp.pem 有正确的密钥对名称,如上面我的详细输出中所示。我还验证了该文件的路径是正确的,因为当我输入 /development/aws/cgwebsites-wp222.pem 之类的虚假内容时,错误会明确告诉我他们找不到该文件。
4) 我尝试了几个不同的用户名,正如其他链接上针对此问题的所有帖子所建议的那样。具体来说,我试过admin、ubuntu、root、ec2-user、fedora。我什至尝试了在“EC2”>“实例”>“AMI ID”中找到的 ID。没有工作,都产生类似的消息。
5) 我在 Windows 计算机(必须使用 puttyGen 创建私钥数据包)和 mac 计算机上尝试过这个。两者的错误相同。
6) 我已经在我的另一个 AWS 实例上尝试过,一切正常。所以我的亚马逊账户很好。
7) 我尝试过删除所有 SSH 缓存文件(在 Windows 中清除了一些注册表部分,在 Mac 上我运行了 ssh-keygen -R 52.24.142.84。
8) 我已检查以确保 实例已启动并正在运行,并且它有一个绿灯,而且我可以通过 elasticbeanstalk url 访问该站点。
9) 我尝试通过chmod 600 /development/aws/cgwebsites-wp.pem 和chmod 400 /development/aws/cgwebsites-wp.pem 两个命令更改.pem 文件的权限。
10) 这不是防火墙问题或类似问题,因为我可以通过 SSH 连接到我的其他 AWS 实例。
11) 当然,我已经终止并重新启动了几个 linux 实例,都出现了同样的错误。
12) 我知道这不是损坏的 .pem 文件的问题,因为我正在使用完全相同的文件通过 SSH 连接到我的其他 AWS 实例。
这是一个非常令人沮丧的问题。似乎很多人都遇到过和我类似的问题,但几乎每个人都通过更改用户名解决了这个问题。我已经尝试过了,包括https://alestic.com/2014/01/ec2-ssh-username/ 的建议和脚本。但什么都没有。
任何帮助将不胜感激!
【问题讨论】:
-
EC2 主机的 ~/.ssh 文件夹(应为 700)或 ~/.ssh/authorized_keys(应为 600)或主文件夹 ~(应该有 o-w)的权限有问题?
-
没有提到你在服务器上有你的公钥,这很重要。如果没有一些 (Allow|Deny)(User|Group),我也会仔细检查 sshd_config
-
@Jakuje 如何更改 EC2 主机上的某些内容?如果我无法通过 SSH 登录,那么显然我无法配置 EC2 远程实例。
-
您可以从 EC2 管理页面查看(但不能与之交互)EC2 实例的控制台输出 - 右键单击实例,选择操作,然后选择实例设置,然后选择获取系统日志。您的另一个选择是尝试将无法访问的实例的根卷挂载到另一个(可访问的)EC2 实例,然后进行诊断。见aws.amazon.com/articles/5213606968661598。
-
如果机器中存在一些重要数据,您可以通过将 ebs 附加到另一个实例来恢复它。您也可以通过这种方式修复 ssh 问题
标签: linux amazon-web-services ssh amazon-ec2 key