Can anyone explain why I cannot connect to my ec2? I have tried to solve the problem by myself but without success.
Firstly, I created the key:
aws ec2 create-key-pair --key-name mykeys --region eu-central-1 --output text > mykeys.pem
Then I created the EC2 instance:
aws ec2 run-instances --image-id ami-06ec8443c2a35b0ba --count 1 --instance-type t2.micro --key-name mykeys --security-group-ids sg-xxx --subnet-id subnet-xxx
Every now and then I get permission denied when trying to connect to the EC2 instance:
The authenticity of host 'ec2-18-185-248-81.eu-central-1.compute.amazonaws.com (18.185.248.81)' can't be established.
ED25519 key fingerprint is SHA256:SbRamk5HTetJT6ysgqq3MLdsUU6Ehi/kYRWXtgwS3q4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'ec2-18-185-248-82.eu-central-1.compute.amazonaws.com' (ED25519) to the list of known hosts.
Load key "mykeys.pem": invalid format
[email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
It also isn't possible to connect via EC2 Instance Connect from within AWS:
[email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Is it possible that the key was created wrongly?
Load key "mykeys.pem": invalid format
CodePudding user response:
Try checking step by step to create the pem.
In your CLI command, it seems --query is missing.
Create pem:
aws ec2 create-key-pair \
--key-name mykeys \
--query "KeyMaterial" \
--output text > mykeys.pem
Permission change:
chmod 400 mykeys.pem
(Create EC2 with pem.)
Connect ssh:
ssh -i mykeys.pem ec2-user@<YourServerIP>
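A pre-flight check for the key file, as an added example that is not part of the original posts: it flags a file where other response fields are wrapped around the key material (the result of `--output text` without `--query "KeyMaterial"`) and permissions that ssh would reject. The function names and the sample files are constructed for illustration; the base64 body is a placeholder, not a real key.

```bash
#!/bin/sh
# Added example (not from the original posts): sanity-check a key file
# before passing it to `ssh -i`.

# check_pem FILE: prints a diagnosis; returns 0 = usable, 1 = not a clean PEM,
# 2 = unreadable, 3 = permissions too open.
check_pem() {
    f=$1
    [ -r "$f" ] || { echo "$f: unreadable"; return 2; }
    first=$(head -n 1 "$f")
    last=$(awk 'NF { l = $0 } END { print l }' "$f")   # last non-empty line
    case $first in
        "-----BEGIN "*"PRIVATE KEY-----") ;;
        *"-----BEGIN "*) echo "$f: extra text on the BEGIN line (missing --query \"KeyMaterial\"?)"; return 1 ;;
        *) echo "$f: line 1 is not a PEM BEGIN marker"; return 1 ;;
    esac
    case $last in
        "-----END "*"PRIVATE KEY-----") ;;
        *) echo "$f: END marker missing or followed by extra text"; return 1 ;;
    esac
    # ssh ignores private keys that group or others can access
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$f: permissions too open, run chmod 400"; return 3; }
    echo "$f: looks like a clean PEM private key"
}

# make_samples DIR: writes two constructed sample files into DIR.
make_samples() {
    # Constructed: only the key material, as --query "KeyMaterial" would save it
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQtU0FNUExF' \
        '-----END RSA PRIVATE KEY-----' > "$1/good.pem"
    # Constructed: whole response saved as text, other fields around the key
    printf 'aa:bb:cc:dd\t-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQtU0FNUExF\n-----END RSA PRIVATE KEY-----\tmykeys\tkey-EXAMPLE\n' \
        > "$1/polluted.pem"
    chmod 400 "$1/good.pem" "$1/polluted.pem"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
check_pem "$demo_dir/good.pem" || true
check_pem "$demo_dir/polluted.pem" || true
rm -rf "$demo_dir"
```

The check only inspects the file's framing and mode bits; it does not validate the key itself.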
CodePudding user response:
Does this help:
https://sjsadowski.com/invalid-format-ssh-key/
While literally true, it is a pretty poorly written error message. What it actually means is that the key is a deprecated format, and what it does not tell you is that in the future the format will become completely unsupported.
The solution here is to replace your rsa-sha1 keys with either ecdsa or ed25519 keys, distribute those keys, and then remove the old ones.
The problem on AWS is that when you generate a key pair, it is still rsa-sha1 format, and while you can upload rsa-sha2 keys, ecdsa or ed25519 keys are not acceptable. There are questions about this going back to 2017 on the AWS forums, asking about other key formats.