I created a new temporary EC2 instance (from a snapshot of my original EC2 instance) and generated a mykeypair.pem file to use as its key pair, which I hoped would let me connect to the VM to make some file changes. (I generated the SSH keys on a new laptop, so I need to connect to my EC2 instance to add the updated public key to authorized_keys so that I can access my original EC2 instance. I don't have access to my old SSH private key.)
With mykeypair.pem moved to ~/.ssh/mykeypair.pem, I ran

$ ssh -v -i "mykeypair.pem" ubuntu@ec2-<ip-addr>.us-west-2.compute.amazonaws.com

from /Users/me/.ssh. The result was...
OpenSSH_7.8p1, LibreSSL 2.6.2
debug1: Reading configuration data /Users/me/.ssh/config
debug1: /Users/me/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Connecting to ec2-<ip-addr>.us-west-2.compute.amazonaws.com port 22.
debug1: Connection established.
debug1: identity file mykeypair.pem type -1
debug1: identity file mykeypair.pem-cert type -1
debug1: identity file /Users/me/.ssh/mykeypair.pem type -1
debug1: identity file /Users/me/.ssh/mykeypair.pem-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3 pat OpenSSH_6.6.1* compat 0x04000002
debug1: Authenticating to ec2-<ip-addr>.us-west-2.compute.amazonaws.com:22 as 'ubuntu'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:<redacted>
debug1: Host 'ec2-<ip-addr>.us-west-2.compute.amazonaws.com' is known and matches the ECDSA host key.
debug1: Found key in /Users/me/.ssh/known_hosts:6
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:<redacted>
debug1: Authentications that can continue: publickey
debug1: Offering public key: RSA SHA256:<redacted>
debug1: Authentications that can continue: publickey
debug1: Offering public key: ED25519 SHA256:<redacted>
debug1: Authentications that can continue: publickey
debug1: Offering public key: RSA SHA256:<redacted>
debug1: Authentications that can continue: publickey
debug1: Trying private key: mykeypair.pem
debug1: identity added to agent: mykeypair.pem
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/me/.ssh/mykeypair.pem
debug1: identity added to agent: /Users/me/.ssh/mykeypair.pem
Received disconnect from <ip addr> port 22:2: Too many authentication failures for ubuntu
Disconnected from <ip addr> port 22
These are the contents of my ~/.ssh/config file:
Host *
AddKeysToAgent yes
UseKeychain yes
IdentityFile ~/.ssh/mykeypair.pem
Running with only the generated key pair (I assume the command below does that):

ssh -v -o 'IdentitiesOnly yes' -i "mykeypair.pem" ubuntu@ec2-<ip-addr>.us-west-2.compute.amazonaws.com

The result was
OpenSSH_7.8p1, LibreSSL 2.6.2
debug1: Reading configuration data /Users/me/.ssh/config
debug1: /Users/me/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Connecting to ec2-<ip-addr>.us-west-2.compute.amazonaws.com port 22.
debug1: Connection established.
debug1: identity file mykeypair.pem type -1
debug1: identity file mykeypair.pem-cert type -1
debug1: identity file /Users/me/.ssh/mykeypair.pem type -1
debug1: identity file /Users/me/.ssh/mykeypair.pem-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3 pat OpenSSH_6.6.1* compat 0x04000002
debug1: Authenticating to ec2-<ip-addr>.us-west-2.compute.amazonaws.com:22 as 'ubuntu'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:<redacted>
debug1: Host 'ec2-<ip-addr>.us-west-2.compute.amazonaws.com' is known and matches the ECDSA host key.
debug1: Found key in /Users/me/.ssh/known_hosts:6
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: mykeypair.pem
debug1: identity added to agent: mykeypair.pem
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/me/.ssh/mykeypair.pem
debug1: identity added to agent: /Users/me/.ssh/mykeypair.pem
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
ubuntu@ec2-<ip-addr>.us-west-2.compute.amazonaws.com: Permission denied (publickey).
When I launched the EC2 instance, in the final step I created the instance with this newly generated key pair (see screenshot).
Why doesn't it work, and what do I need to do to fix it?
Edit: changing the user name to ec2-user@ec2-... or bitmani@ec2-... does not work.
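The two transcripts above differ in one detail that the error messages hide: in the first run the keys held by ssh-agent (loaded by AddKeysToAgent / UseKeychain) are offered before the -i key, and every rejected key counts against sshd's MaxAuthTries (default 6); in the second run only the explicit key is offered and the server rejects it outright. The following shell snippet is an added example, not part of the original post, that triages a saved `ssh -v` transcript along exactly those lines; the log text and fingerprints it embeds are constructed.

```shell
#!/bin/sh
# Constructed sample (not the poster's real output): the authentication phase of
# an `ssh -v` run in which ssh-agent keys are offered before the -i key, as in
# the first transcript above. Fingerprints and the address are placeholders.
SAMPLE_LOG='debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:AAAA
debug1: Offering public key: RSA SHA256:BBBB
debug1: Offering public key: ED25519 SHA256:CCCC
debug1: Offering public key: RSA SHA256:DDDD
debug1: Authentications that can continue: publickey
debug1: Trying private key: mykeypair.pem
debug1: identity added to agent: mykeypair.pem
debug1: Trying private key: /Users/me/.ssh/mykeypair.pem
Received disconnect from 198.51.100.7 port 22:2: Too many authentication failures for ubuntu'

# count_attempts LOG: every key the client presented, agent keys and -i / IdentityFile
# keys alike. Each one the server rejects counts against sshd's MaxAuthTries (default 6).
count_attempts() {
    printf '%s\n' "$1" | grep -c -E '^debug1: (Offering public key|Trying private key):'
}

# agent_keys_first LOG: agent keys offered before the first explicit key file was tried.
agent_keys_first() {
    printf '%s\n' "$1" | awk '
        /^debug1: Offering public key:/ { n++ }
        /^debug1: Trying private key:/  { exit }
        END { print n + 0 }'
}

# diagnose LOG: one-line verdict. Returns 0 when agent keys used up the attempt budget,
# 1 when only the explicit key was offered and rejected, 2 when neither pattern appears.
diagnose() {
    log=$1
    if printf '%s\n' "$log" | grep -q 'Too many authentication failures'; then
        echo "disconnected after $(count_attempts "$log") attempts, $(agent_keys_first "$log") of them agent keys offered before the -i key: retry with -o IdentitiesOnly=yes"
        return 0
    fi
    if printf '%s\n' "$log" | grep -q 'Permission denied (publickey)'; then
        echo "explicit key offered and rejected: its public half is not in the server's authorized_keys"
        return 1
    fi
    echo "no public-key failure found in this transcript"
    return 2
}

diagnose "$SAMPLE_LOG"
```

Run it against a real transcript with `diagnose "$(ssh -v ... 2>&1)"`; a return of 1 means the key itself is wrong for that instance, which IdentitiesOnly cannot fix.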
Answer 1
What you describe should work. The only thing I can think of is that you are using the wrong pem file, IP address, or something similar.
I suggest doing the following:
- Generate a new key pair on your computer.
- Launch a new instance with that key pair.
- Make sure you can log in.
- If you can't, use the out-of-band, browser-based connection to connect to the instance.
- Put your new key in "authorized_keys".
- Remove the old key.
- Take a snapshot of the new instance.
Specific steps
Generate the key pair

ssh-keygen -t ed25519

It will ask what name you want to save it under. Make sure you don't overwrite something else. It generates a .pub.
Aside: what is -t ed25519? There are different public-key cryptography schemes. RSA is one; elliptic curve is another. This particular key type is faster, smaller and cryptographically stronger, better than RSA in almost every way. The only catch is that some things don't support it. AWS does, though, so you're fine.
Import the public key into AWS
Launch an instance with your key
When you go through the launch-instance flow and click "Launch", a window pops up asking which key you want to use on the instance. Pick your new key from the dropdown.
Oh no! It still doesn't work!
OK, the next step is to get a connection by another route and put the SSH key in by hand.
How to connect through the browser
- In the "Instances" tab, select your instance, then go to "Actions" -> "Connect".
- On the next page, don't change anything, just click "Connect". You should now be at a terminal.
How to add the SSH key to the authorized_keys file
- I assume you know how to use vim or nano or echo "stuff" >> file.
- Append the contents of the .pub on a new line of ~/.ssh/authorized_keys. Save.
- Profit.
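The last step above (appending the .pub line to ~/.ssh/authorized_keys from the browser-based shell) is where a stray private key, a duplicate entry or wrong file modes usually creep in; sshd's StrictModes silently ignores an authorized_keys file that is group- or world-writable. The function below is an added example, not from the answer's author, that does the append safely: it rejects anything that is not a public-key line, deduplicates on key type and material, and sets the 700/600 modes. The key line it uses is a constructed placeholder.

```shell
#!/bin/sh
# add_authorized_key KEYFILE PUBKEY_LINE
#   Appends one OpenSSH public-key line to KEYFILE unless that key is already there,
#   creating the directory and file with the modes sshd's StrictModes requires
#   (700 / 600). Returns 0 = added, 3 = already present, 2 = rejected input.
add_authorized_key() {
    keyfile=$1
    pubkey=$2
    # A public-key line is "<type> <base64> [comment]". Anything else, e.g. the
    # private key pasted by mistake, must never land in authorized_keys.
    case $pubkey in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *) ;;
        *) echo "refusing: not an OpenSSH public-key line" >&2; return 2 ;;
    esac
    keytype=$(printf '%s' "$pubkey" | cut -d' ' -f1)
    keyblob=$(printf '%s' "$pubkey" | cut -d' ' -f2)
    dir=$(dirname "$keyfile")
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$keyfile" ] || : > "$keyfile"
    chmod 600 "$keyfile"
    # Match on type and key material only, so a different trailing comment does
    # not create a duplicate entry for the same key.
    if awk -v t="$keytype" -v b="$keyblob" '$1 == t && $2 == b { f = 1 } END { exit !f }' "$keyfile"; then
        return 3
    fi
    printf '%s\n' "$pubkey" >> "$keyfile"
    return 0
}

# Constructed sample key line (the base64 blob is a placeholder, not real key material).
SAMPLE_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLD me@new-laptop'

# Demo against a throwaway directory rather than the real ~/.ssh.
demo_dir=$(mktemp -d)
add_authorized_key "$demo_dir/.ssh/authorized_keys" "$SAMPLE_PUB" && echo "added"
add_authorized_key "$demo_dir/.ssh/authorized_keys" "$SAMPLE_PUB" || echo "already present (rc=$?)"
rm -rf "$demo_dir"
```

On the instance itself, call it as `add_authorized_key ~/.ssh/authorized_keys "$(cat mykey.pub)"` after pasting the .pub file in through the browser session.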
Answer 2
I was able to solve this by not launching the temporary EC2 instance with the snapshot of the original EBS volume (which I had done in the EC2 web creation UI). Instead, I created the temporary EC2 instance with the default volume, and then attached the snapshot of my volume after the instance had launched. After that, I was able to SSH in using the key pair AWS created when launching the instance.