AWS problem with authentication - cannot connect to ec2

Time:10-03

Can anyone explain why I cannot connect to my ec2? I have tried to solve the problem by myself but without success.

Firstly, I created the key:

aws ec2 create-key-pair --key-name mykeys --region eu-central-1 --output text > mykeys.pem

Then I created the EC2 instance:

aws ec2 run-instances --image-id ami-06ec8443c2a35b0ba --count 1 --instance-type t2.micro --key-name mykeys --security-group-ids sg-xxx --subnet-id subnet-xxx

Every now and then I get permission denied when trying to connect to the EC2 instance:

The authenticity of host 'ec2-18-185-248-81.eu-central-1.compute.amazonaws.com (18.185.248.81)' can't be established.
ED25519 key fingerprint is SHA256:SbRamk5HTetJT6ysgqq3MLdsUU6Ehi/kYRWXtgwS3q4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'ec2-18-185-248-82.eu-central-1.compute.amazonaws.com' (ED25519) to the list of known hosts.
Load key "mykeys.pem": invalid format
[email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

It also isn't possible to connect via EC2 Instance Connect from within AWS:

[email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Is it possible that the key was created wrongly?

Load key "mykeys.pem": invalid format

CodePudding user response:

Try checking step by step to create pem.

In your CLI command, it seems --query is missing.

Create pem:

aws ec2 create-key-pair \
    --key-name mykeys \
    --query "KeyMaterial" \
    --output text > mykeys.pem

Permission change:

chmod 400 mykeys.pem

(Create EC2 with pem.)

Connect ssh:

ssh -i mykeys.pem ec2-user@<YourServerIP>
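
An added example, not part of the answer above: a structural check showing why a file written without --query "KeyMaterial" fails to load, and how the key block can be recovered from it. The helper names are hypothetical, the sample file is constructed with a fake key body, and the tab-separated layout of the extra fields is an assumption.

```shell
#!/bin/sh
# Added example; check_pem, extract_pem and write_constructed_sample are
# hypothetical helper names, not AWS CLI or OpenSSH commands.

# Succeeds only if the first and last non-blank lines are bare, matching
# PEM armor lines (nothing before BEGIN, nothing after END).
check_pem() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    first=$(grep -v '^[[:space:]]*$' "$1" | head -n 1)
    last=$(grep -v '^[[:space:]]*$' "$1" | tail -n 1)
    case $first in
        "-----BEGIN "*"PRIVATE KEY-----") ;;
        *) echo "$1: first line is not a bare BEGIN marker" >&2; return 1 ;;
    esac
    label=${first#-----BEGIN }
    label=${label%-----}
    [ "$last" = "-----END ${label}-----" ] || {
        echo "$1: last line is not a bare END marker" >&2; return 1; }
}

# Prints only the armored block, dropping text around the markers.
extract_pem() {
    awk '
        match($0, /-----BEGIN [A-Z ]*PRIVATE KEY-----/) {
            print substr($0, RSTART, RLENGTH); inside = 1; next }
        match($0, /-----END [A-Z ]*PRIVATE KEY-----/) {
            print substr($0, RSTART, RLENGTH); inside = 0; next }
        inside { print }
    ' "$1"
}

# Constructed sample (fake key body). Assumed layout of --output text without
# --query: fingerprint, key material, key name and key id, tab-separated.
write_constructed_sample() {
    printf '%s\t%s\n%s\n%s\t%s\t%s\n' \
        'aa:bb:cc:dd' '-----BEGIN RSA PRIVATE KEY-----' \
        'Q09OU1RSVUNURUQrRkFLRStLRVkrQk9EWQ==' \
        '-----END RSA PRIVATE KEY-----' 'mykeys' 'key-0000constructed' > "$1"
}

dir=$(mktemp -d)
write_constructed_sample "$dir/mykeys.pem"
check_pem "$dir/mykeys.pem" || echo "rejected: extra fields around the key"
# umask 077 keeps the repaired key private, as chmod 400 does afterwards.
( umask 077; extract_pem "$dir/mykeys.pem" > "$dir/fixed.pem" )
check_pem "$dir/fixed.pem" && echo "fixed.pem has clean PEM armor"
rm -rf "$dir"
```
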

CodePudding user response:

Does this help:

https://sjsadowski.com/invalid-format-ssh-key/

While literally true, it is a pretty poorly written error message. What it actually means is that the key is a deprecated format, and what it does not tell you is that in the future the format will become completely unsupported.

The solution here is to replace your rsa-sha1 keys with either ecdsa or ed25519 keys, distribute those keys, and then remove the old ones.

The problem on AWS is that when you generate a key pair, it is still rsa-sha1 format, and while you can upload rsa-sha2 keys, ecdsa or ed25519 keys are not acceptable. There are questions about this going back to 2017 on the AWS forums, asking about other key formats.
