
I have an AWS micro instance and I had no problems logging into the instance using ec2-user until now. I changed some permissions for ec2-user (basically removed the www group it was added to and again added that group). Now I am locked out of the instance. The error I am getting is:

Disconnected: No supported authentication methods available (server sent:publickey)

I have checked the following and everything seems to be in place:

  1. My IP is updated in AWS security groups
  2. My key (.ppk) is the same that I have been using for months
  3. My security group has 80 and 442 enabled

Please help... this is really bothering me big time!

coderatlarge

3 Answers

Not sure if you saw this post from 9 months ago, but it looks like someone had a similar issue. If you're using IAM, make sure your inline policy has EC2 access allowed.

Community

You are getting an error from the SSH service so you can be sure that this is not a firewall issue.

It's hard to know exactly what you did, but you may have inadvertently broken access to the file that stores the allowed public keys, ~/.ssh/authorized_keys. This file only works with very limited permissions.

There is a way to recover from this, but it does involve several steps.

  1. Start a new instance; it can be micro, it's only going to stay on for a bit.
  2. Stop your current instance, detach the root volume and attach it to the new instance.
  3. Mount the volume, fix permissions on the authorized_keys file.
  4. Unmount, and detach the volume, reattach to original instance.

If everything is set up correctly, your key should work again on your existing instance.

datasage
  • thanks for your comments. ultimately i had to start a brand new instance and copy things over to that. the old one got too messed up i guess – coderatlarge Apr 15 '15 at 10:28
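Step 3 of the recovery above, as an added example that is not part of this answer: a script run as root on the rescue instance once the locked-out root volume is attached and mounted (the mount point /mnt/rescue and the user ec2-user are assumptions). It resets the ownership and modes that sshd checks under StrictModes, and prints them so the result can be verified before the volume is detached.

```shell
#!/bin/bash
# Added example, not from the original answer. Run as root on the rescue instance
# after the locked-out volume is attached and mounted (assumed at /mnt/rescue).
set -eu

# Look up the user's uid/gid in the *mounted* volume's /etc/passwd, not the
# rescue host's: the numeric ids on the broken volume are what matter.
lookup_ids() {  # $1=mountpoint $2=username -> prints "uid gid"
  awk -F: -v u="$2" '$1==u {print $3, $4; found=1} END {exit !found}' "$1/etc/passwd"
}

# Restore what sshd checks under StrictModes: the home directory and ~/.ssh must
# not be group/world-writable, and authorized_keys must be owned by the user
# (or root) and writable by nobody else.
fix_ssh_perms() {  # $1=mountpoint $2=username
  local mnt=$1 user=$2 home ids uid gid
  ids=$(lookup_ids "$mnt" "$user") || { echo "$user not in $mnt/etc/passwd" >&2; return 1; }
  uid=${ids%% *}; gid=${ids##* }
  home="$mnt/home/$user"
  [ -d "$home" ] || { echo "no home directory $home" >&2; return 1; }
  mkdir -p "$home/.ssh"
  touch "$home/.ssh/authorized_keys"
  chown "$uid:$gid" "$home" "$home/.ssh" "$home/.ssh/authorized_keys"
  chmod go-w "$home"
  chmod 700 "$home/.ssh"
  chmod 600 "$home/.ssh/authorized_keys"
}

# Print the octal modes of home, .ssh and authorized_keys (in that order) so the
# result can be checked before the volume is unmounted and moved back.
check_ssh_perms() {  # $1=mountpoint $2=username
  local home="$1/home/$2"
  stat -c '%a' "$home" "$home/.ssh" "$home/.ssh/authorized_keys" | paste -sd ' '
}

# Usage on the rescue instance: ./fix-ssh-perms.sh --run /mnt/rescue ec2-user
if [ "${1:-}" = "--run" ]; then
  fix_ssh_perms "${2:-/mnt/rescue}" "${3:-ec2-user}"
  echo "modes (home .ssh authorized_keys): $(check_ssh_perms "${2:-/mnt/rescue}" "${3:-ec2-user}")"
fi
```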

If the ec2-user somehow gets corrupted, you can add an additional user. This approach does not require mounting the volume, but instead relies on modifying the User Data in the EC2 console.

See https://aws.amazon.com/premiumsupport/knowledge-center/execute-user-data-ec2/

For example, you can create a new key:

ssh-keygen -t rsa -C private.key -f private.key -q -N ""

Then use the following User Data:

Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"

#!/bin/bash
USER=additional-user  # 1
adduser $USER
echo "$USER ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers.d/cloud-init
mkdir -p /home/$USER/.ssh
echo "ssh-rsa AAAAB3NzaC1yc2EAAA....A38MHe0KAzY9Ob private.key" >> /home/$USER/.ssh/authorized_keys  # 2
# ownership and modes sshd expects (StrictModes rejects group/world-writable files)
chown -R $USER:$USER /home/$USER/.ssh
chmod 700 /home/$USER/.ssh
chmod 600 /home/$USER/.ssh/authorized_keys
--//--

  1. Replace additional-user with a username of your choice
  2. Replace whatever is inside the double quotes with the private.key.pub contents that you just generated.

You should then be able to ssh into the instance:

chmod 600 private.key
ssh -i private.key additional-user@<ec2 public ip>

Remember to clean up your User Data so that it doesn't keep running on subsequent launches. Also deprovision the additional user (or at least remove its sudo access), once ec2-user is working again.

For more detailed instructions, see: https://bitbucket.org/thorntechnologies/sftpgateway-public/wiki/Locked%20out%20of%20EC2%20instance

Robert Chen