Technical Analysis: Resolving 'Permission denied (publickey)' Error in AWS EC2 SSH Connections

Keywords: AWS EC2 | SSH Connection | Public Key Authentication | File Permissions | Troubleshooting

Abstract: This paper provides an in-depth analysis of the common 'Permission denied (publickey)' error in AWS EC2 instance SSH connections, offering systematic solutions from multiple dimensions including key file permissions, user authentication, and SSH configuration. Through detailed error diagnosis steps and code examples, it helps developers quickly identify and resolve SSH connection issues, ensuring secure and reliable remote access.

Problem Background and Error Analysis

In the process of establishing SSH connections to AWS EC2 instances, 'Permission denied (publickey)' is a common authentication failure error. From the provided debug information, we can see that the SSH client successfully establishes the connection but fails during the public key authentication phase. The error log shows: 'Authentications that can continue: publickey', indicating that the server only accepts public key authentication, but the client-provided key is not accepted.

Core Solution: File Permission Repair

The SSH protocol has strict security requirements for key file permissions. Private key files must be set to read-only by the owner, otherwise the SSH client will refuse to use the key. This is the most common root cause of the problem.

# Fix private key file permissions
chmod 600 ec2-keypair.pem

# Retry SSH connection
ssh -v -i ec2-keypair.pem ubuntu@ec2-174-129-185-190.compute-1.amazonaws.com

Explanation of permission settings:

600 permission means the file owner has read and write permissions, while other users have no permissions
If permissions are too permissive (such as 644), SSH will refuse to use the key for security reasons
This security mechanism prevents unauthorized users from accessing private key files

In-depth Analysis of User Authentication

AWS EC2 instances have different default user accounts depending on the AMI (Amazon Machine Image) used:

# Ubuntu AMI uses ubuntu user
ssh -i ec2-keypair.pem ubuntu@ec2-instance-address

# Amazon Linux AMI uses ec2-user
ssh -i ec2-keypair.pem ec2-user@ec2-instance-address

# CentOS AMI uses centos user
ssh -i ec2-keypair.pem centos@ec2-instance-address

Choosing the correct user account is crucial because AWS injects the public key into the corresponding user's authorized_keys file during instance launch.

SSH Server-Side Permission Configuration

As indicated in the reference article, the SSH server (sshd) has strict requirements for the permissions of the authorized_keys file and related directories:

# Check .ssh directory permissions
ls -la /home/ubuntu/.ssh/

# Correct permission settings should be:
# drwx------ 2 ubuntu ubuntu 4096 Jan 22 03:28 /home/ubuntu/.ssh
# -rw------- 1 ubuntu ubuntu  400 Jan 22 03:28 authorized_keys

If directory or file permissions are incorrect, repairs are needed:

# Fix directory ownership and permissions
sudo chown -R ubuntu:ubuntu /home/ubuntu/.ssh
sudo chmod 700 /home/ubuntu/.ssh
sudo chmod 600 /home/ubuntu/.ssh/authorized_keys

Advanced Diagnostic Techniques

When basic solutions are ineffective, enabling detailed logging on the SSH server is necessary for problem diagnosis:

# Edit SSH server configuration
sudo vi /etc/ssh/sshd_config

# Add or modify log level
LogLevel DEBUG

# Reload SSH configuration
sudo service ssh reload

# Check authentication logs (Ubuntu/Debian)
sudo tail -f /var/log/auth.log

# Check authentication logs (CentOS/RHEL)
sudo tail -f /var/log/secure

Debug logs will show detailed authentication processes, including critical information such as file permission checks and key verification.

Key Management Best Practices

Proper key management processes can prevent such issues:

# 1. Generate key pair (if not already created)
ssh-keygen -t rsa -b 4096 -f my-ec2-key

# 2. Import to AWS EC2
aws ec2 import-key-pair --key-name "my-keypair" --public-key-material fileb://my-ec2-key.pub

# 3. Set correct file permissions
chmod 600 my-ec2-key

# 4. Specify key pair when launching instance
aws ec2 run-instances --image-id ami-xxxxxxxxx --instance-type t2.micro --key-name my-keypair

Security Considerations and Preventive Measures

SSH connection security relies on proper permission configuration:

Regularly check key file permissions
Use strong passwords to protect keys (if using passphrases)
Avoid sharing the same key across multiple instances
Regularly rotate key pairs
Be aware of security risks when using SSH agent forwarding

By systematically applying these solutions, developers can effectively resolve SSH connection issues with AWS EC2 instances, ensuring secure and reliable remote access.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.