When attempting to SSH into an Amazon EC2 instance from a new Ubuntu machine while existing connections work fine, the Permission denied (publickey) error typically indicates one of these scenarios:
- Key pair mismatch between client and EC2 instance
- Incorrect file permissions on the local private key
- SSH agent configuration issues
- EC2 security group restrictions
- Instance user account configuration problems
Before diving deep, let's verify some basic configurations:
# Check SSH command syntax (replace values accordingly)
ssh -i ~/.ssh/your-key.pem ec2-user@ec2-xx-xxx-xxx-xxx.compute-1.amazonaws.com
# Verify key file permissions
ls -la ~/.ssh/your-key.pem
# Should show -rw------- (600) permissionsIf you're certain the key pair is correct but still getting denied:
# Regenerate public key from private key if needed
ssh-keygen -y -f ~/.ssh/your-key.pem > ~/.ssh/your-key.pub
# Then update authorized_keys on EC2 instance
# (From a working connection):
echo "$(cat ~/.ssh/your-key.pub)" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keysCreate or modify your SSH config file for easier connections:
# ~/.ssh/config contents
Host my-ec2-instance
HostName ec2-xx-xxx-xxx-xxx.compute-1.amazonaws.com
User ec2-user
IdentityFile ~/.ssh/your-key.pem
IdentitiesOnly yesVerify your EC2 security group allows SSH (port 22) from your current public IP:
# Get your current public IP
curl ifconfig.me
# AWS CLI command to update security group
aws ec2 authorize-security-group-ingress \
--group-id sg-xxxxxxxx \
--protocol tcp \
--port 22 \
--cidr $(curl -s ifconfig.me)/32Add verbose flags to identify where the handshake fails:
ssh -vvv -i ~/.ssh/your-key.pem ec2-user@your-instanceLook for these critical messages in the output:
- "Offering public key" - Shows if your key is being presented
- "Server accepts key" - Indicates key authentication progress
- "Authentication succeeded" - Confirms successful login
If all else fails, consider these approaches:
# Use AWS Session Manager (requires SSM agent on instance)
aws ssm start-session --target i-xxxxxxxxxxxxx
# EC2 Instance Connect (for supported regions)
aws ec2-instance-connect send-ssh-public-key \
--instance-id i-xxxxxxxxxxxxx \
--availability-zone us-east-1a \
--instance-os-user ec2-user \
--ssh-public-key file://~/.ssh/your-key.pubReview these often-overlooked configuration points:
- EC2 instance IAM role permissions for SSH
- Local SSH client version compatibility issues
- Multiple key pairs attached to the instance
- Instance metadata service (IMDS) configuration
The "Permission denied (publickey)" error typically occurs when your SSH client fails to authenticate with the EC2 instance. This can happen even if you're using the correct key pair, due to various configuration issues.
1. Incorrect Key File Permissions
On Linux systems, SSH is very strict about file permissions. Your private key file should have 600 permissions:
chmod 600 ~/.ssh/your-key.pem2. Wrong Key Specified in SSH Command
Make sure you're explicitly specifying the correct key file:
ssh -i ~/.ssh/your-key.pem ec2-user@your-ec2-public-dns3. EC2 Instance Security Group Configuration
Check your EC2 security group to ensure:
- Inbound SSH (port 22) is allowed from your current IP address
- No IP restrictions are blocking your connection
Checking SSH Debug Output
Add verbose flags to get more detailed error information:
ssh -vvv -i ~/.ssh/your-key.pem ec2-user@your-ec2-public-dnsEC2 Instance User Configuration
Different Linux distributions use different default users:
- Amazon Linux: ec2-user
- Ubuntu: ubuntu
- CentOS: centos
Here's a complete example of connecting to an Ubuntu EC2 instance:
# Set proper permissions
chmod 600 ~/.ssh/ubuntu-key.pem
# Connect with verbose output
ssh -vvv -i ~/.ssh/ubuntu-key.pem ubuntu@ec2-12-34-56-78.compute-1.amazonaws.comIf you're still having issues:
- Verify the key pair is associated with the EC2 instance
- Check the instance's system logs in the AWS console
- Try creating a new key pair and instance if necessary