Troubleshooting Permission Denied Errors When Trying to SSH Into an AWS EC2 Instance

If you’re new to AWS (or not), you might run into issues trying to SSH into EC2 instances. This article summarizes things you can try to fix the issue. If you get a “Permission denied (publickey)” error or simply can’t SSH into an instance, try the following:

  • Ensure the private key file is readable only by you; ssh refuses to use a key that other users can read. Run chmod 400 key.pem.
  • Use the right ssh command: ssh -i key.pem user@ec2-dns-or-ip. The EC2 DNS name looks like ec2-54-227-242-179.compute-1.amazonaws.com; you can also use the instance’s public IP, such as 54.227.242.179. See below for the username to use here.
  • Are you using the wrong private key? Is this instance using this key pair?
  • Are you connecting to the right instance? You might be mixing up keys with instances if you have many instances.
  • Did you mess up /home/<username>/.ssh/authorized_keys inside the instance? This file holds the public key corresponding to the private key you’re using to SSH. If the public key is missing or corrupt or the file is missing or corrupt, you get permission denied.
  • Did you misspell the username? It’s easy to type ec2_user when you mean ec2-user!
  • If you’re not using the -i flag on the ssh command, ensure that it’s picking up the correct key. By default, it’ll use id_rsa from ~/.ssh.
  • Did you mess up permissions of /home/<username> in your instance? For example, did you change its ownership to some other user?
  • Allow inbound SSH traffic on port 22 in the instance’s security group and firewall, if any.
  • When the user’s home directory is group writable, the user cannot log in. Some tool you’re using might be changing permissions without your knowledge (like rsync -a).
  • Did you change or move the user’s home directory?
  • Are you using Beanstalk? Try eb ssh.
  • If you’re launching a new instance from an AMI you created of another instance, then the new instance will only accept the same key that the old instance used. During the process of creating the new instance, you are asked to select or create a key (at the very last step). Regardless of the key you create or select, only the key you were using for the old instance will be accepted by the new instance.
  • Sometimes, you might get this friendly prompt — Please login as the user “ec2-user” rather than the user “root”.
  • Use the correct username for your AMI. The AMI description usually has this info. It’s also in the AWS docs:

See Get information about your instance.

If all else fails, get more information about the error by adding the -v (verbose) switch to the ssh command.
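
The ownership and permission items in the checklist above (private key mode, home directory, .ssh and authorized_keys) can be checked in one pass. The script below is an added example, not part of the original article; its function names are hypothetical, and it assumes sshd's default StrictModes behaviour and that it runs on the instance (for audit_ssh_home) or on your workstation (for check_private_key).

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the article.
# Assumes sshd's default StrictModes, which refuses key files under paths
# that are group/other writable or owned by the wrong user.

# Print the nine permission characters of a path, e.g. rwxr-x---.
perm_string() { ls -ldL -- "$1" 2>/dev/null | cut -c2-10; }

# Print the numeric owner uid of a path.
owner_uid() { ls -ldnL -- "$1" 2>/dev/null | awk '{print $3}'; }

# Report a path that has the wrong owner or is group/other writable.
check_path() {
    perms=$(perm_string "$1")
    if [ "$(owner_uid "$1")" != "$2" ]; then
        echo "FAIL owner $1 (expected uid $2)"
    fi
    case $perms in
        ????w????|???????w?) echo "FAIL mode $1 ($perms)" ;;
    esac
}

# Instance side: audit the home directory, .ssh and authorized_keys.
audit_ssh_home() {
    home=$1 uid=$2 keys=$1/.ssh/authorized_keys
    if [ ! -d "$home" ]; then echo "FAIL missing $home"; return 1; fi
    findings=$(
        check_path "$home" "$uid"
        if [ -d "$home/.ssh" ]; then check_path "$home/.ssh" "$uid"
        else echo "FAIL missing $home/.ssh"; fi
        if [ -s "$keys" ]; then check_path "$keys" "$uid"
        else echo "FAIL missing or empty $keys"; fi
    )
    if [ -n "$findings" ]; then echo "$findings"; return 1; fi
    echo "OK $home"
}

# Client side: ssh ignores a private key that group or others can access.
check_private_key() {
    case $(perm_string "$1") in
        ???------) echo "OK $1" ;;
        *) echo "FAIL $1 (missing or too open; use chmod 400)"; return 1 ;;
    esac
}

# Usage: sh audit.sh /home/ec2-user "$(id -u ec2-user)"
if [ "$#" -ge 2 ]; then audit_ssh_home "$1" "$2"; fi
```

Each FAIL line names the path to fix; the owner check is stricter than sshd, which also accepts root-owned paths.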