Troubleshooting SSH Connection Issues to New EC2 Instance: Key Authentication Failures


2 views

When setting up a new EC2 instance, SSH connection failures are among the most common frustrations. Let's break down exactly what's happening in this scenario and how to fix it systematically.

The error typically manifests in one of these ways:

Permission denied (publickey)

Or more verbose variants like:

ubuntu@ec2-xx-xx-xx-xx.compute-1.amazonaws.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic)

First, let's verify the key setup:

# Check key permissions (MUST be 400)
ls -la ~/.ssh/mir.pem

# Correct permissions if needed
chmod 400 ~/.ssh/mir.pem

Then attempt connection with verbose output:

ssh -vvv -i ~/.ssh/mir.pem ubuntu@ec2-xx-xx-xx-xx.compute-1.amazonaws.com

From experience, these are the most likely culprits:

  • Incorrect username (varies by AMI: ubuntu/ec2-user/centos)
  • Key pair not properly associated during instance launch
  • Security group blocking SSH (port 22)
  • Incorrect file permissions on the .pem file
  • Missing public key in ~/.ssh/authorized_keys on the instance

When basic checks don't reveal the issue, try these approaches:

# Check instance connection through AWS Session Manager
aws ssm start-session --target i-1234567890abcdef0

# Verify security group settings
aws ec2 describe-security-groups --group-ids sg-1234567890abcdef0

# Check instance status and metadata
aws ec2 describe-instances --instance-ids i-1234567890abcdef0

Here's a full working example for Ubuntu AMIs:

# Set proper permissions
chmod 400 ~/.ssh/mir.pem

# Connect with explicit key specification
ssh -i ~/.ssh/mir.pem ubuntu@ec2-xx-xx-xx-xx.compute-1.amazonaws.com

# Alternative if default SSH config exists
cat >> ~/.ssh/config <

To avoid these issues with new instances:

  1. Always note the AMI's default username
  2. Verify key pair selection during launch
  3. Confirm security group allows your IP on port 22
  4. Store .pem files with correct permissions immediately

When attempting to SSH into a newly launched EC2 instance running Amazon Linux (64-bit AMI), you might encounter one of these common error patterns:

Permission denied (publickey)
Connection timed out
Host key verification failed

First, confirm the key pair was properly created and associated during instance launch:

aws ec2 describe-instances --instance-id i-1234567890abcdef0 \
--query 'Reservations[].Instances[].KeyName'

Second, verify the key file permissions (critical on Unix-like systems):

chmod 400 ~/.ssh/mir.pem
ls -la ~/.ssh/mir.pem  # Should show -r-------- permissions

EC2 security groups must allow inbound SSH (port 22) from your IP. Verify with:

aws ec2 describe-security-groups \
--group-ids sg-1234567890abcdef0 \
--query 'SecurityGroups[].IpPermissions'

Sample correct output should include:

"FromPort": 22,
"ToPort": 22,
"IpProtocol": "tcp",
"IpRanges": [{"CidrIp": "YOUR_IP/32"}]

The proper SSH command for EC2 instances requires specifying the identity file:

ssh -i ~/.ssh/mir.pem ec2-user@ec2-12-34-56-78.compute-1.amazonaws.com

Note that Amazon Linux uses ec2-user as default username, not ubuntu (which is for Ubuntu AMIs).

If connection times out, check:

  • Instance status (running in AWS console)
  • VPC route tables and network ACLs
  • Operating system firewall (might need instance console access)

Enable verbose SSH output for detailed diagnostics:

ssh -vvv -i ~/.ssh/mir.pem ec2-user@public-dns

For persistent issues, consider EC2 Instance Connect as alternative access method:

aws ec2-instance-connect send-ssh-public-key \
--instance-id i-1234567890abcdef0 \
--availability-zone us-east-1a \
--instance-os-user ec2-user \
--ssh-public-key file://~/.ssh/mir.pub