Getting the EC2 instance keypairs to work with the various types of SSH clients out there seems to be somewhat of an issue. I had trouble with it when I first started out, and I’ve had a few friends request help on that. I just got home, started fresh, and documented my steps with all three clients below (linux command line ssh, putty and SecureCRT). Hopefully, this will save a few of you trouble where I had some initially…

Before I get into specific instructions, I should note that there *are* certainly other ways to get the specifics of this to work. This is one method. You may find others, your mileage may vary, all rights wronged, all wrongs reversed, world peace in our lifetimes, etc etc ad nauseum.


  • Using the AWS web administration, select the EC2 tab. Select “Key Pairs” on the left menu
  • “Create Key Pair” on Top Bar
  • Name the pair, in my example, I named it “TestKeyPair”
  • This will download a PEM file. Save it somewhere you will remember.
  • Now on the “Instances” panel (from the left menu), select “Launch Instance” from the top bar
  • I selected the “Basic 64-bit Amazon Linux AMI 2011.09 (AMI Id: ami-1b814f72)” AMI
  • I chose a micro instance in my zone (us-east-1b)
  • Advanced Instance Options – stayed with all default values
  • Instance Details – named the server TestServer
  • Create Key Pair – I selected “Use Existing KeyPair” and selected the key pair created above
  • Configure Firewall – used the quick-start Security Group
  • Review – Launch.

Wait until the new instance is running… find the “Public DNS” field in its properties page, you will be using that to connect.
In my case, it was

Now, for each client, again, same caveat as above… there may, in fact, be other ways to get this working. I just tried to get to a working configuration as quickly as possible.

SecureCRT Instructions :
I’m using build 6.7.2 (x64 build 229). I believe these instructions will only apply to recent builds, since the ability to use
the PEM file directly was only added recently. Older versions will probably still work, but will likely require extra steps to
convert the PEM file to the native SecureCRT format (or another format that it can use)

  1. Create New Session
    • Connect : Name – I used “test server”
    • : Protocol : SSH2
    • : SSH2 : Hostname (use the DNS name above) :
    • : Port : 22 (default)
    • : Username : ec2-user
    • : Authentication : PublicKey
    • Select the method, click on Properties
    • Select “Use session public key setting”
    • Select “Use identity or certificate file”
    • Click on “…” to browse for the downloaded PEM file
    • Click “OK”
    • All other values should be at defaults
  2. Connect
    • You will be prompted to accept the key exchange details. I clicked “Accept & Save”.
    • I was, at that point, logged in to the ec2-user
    • “sudo -i” got me to the root account

PuTTY instructions : (version 0.6.1)

There are other ways to do this (for example, using Pageant), but this is just to get the connection. Presumably, if you can get this working, you can get the other methods as well…

  1. Run the “puttygen” key generation program
    • Conversions menu -> Import key
    • Browse to the saved PEM file
    • You should see all the key details on the screen, including fingerprint, comment, type of key and number of bits
    • Click on “Save private key”
    • Save the file with the PPK file type, I named mine TestKeyPair.ppk
  2. Create new session. I named it “testserver”
    • Host Name (or ip IP address) : use the DNS name above, including the username :
    • Port : 22
    • Connection : Logical Name : I used the DNS name :
    • : Data : Auto-login username : ec2-user
    • : SSH : Auth : Private key file for authentication ->
    • Browse to the file saved in Step 1 above
    • Save your session
  3. Open the connection
    • You will be prompted that the key pair is not yet saved in putty’s cache. Click “Yes” to save the key exchange and continue
    • At this point, I was connected to the server, logged in as “ec2-user”
    • “sudo -i” got me to root login

linux ssh instructions
Linux version (uname -a) :

Linux pebkac #1 SMP Sat Feb 27 17:55:36 MST 2010 i686 AMD Athlon(tm) 64 Processor 3800+ AuthenticAMD GNU/Linux)

OpenSSH and OpenSSL versions :

OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009

This is perhaps easiest. You can use the PEM file directly to connect without additional modification. I transfered the PEM file to my linux server (using SCP) and then executed instructions as you can see below:

jio::/home/jio>>> ssh -i TestKeyPair.pem
	The authenticity of host ' (' can't be established.
	RSA key fingerprint is c2:b2:5c:1e:12:4d:55:73:a2:f3:3d:c6:09:d3:9c:cc.
	Are you sure you want to continue connecting (yes/no)? yes
	Warning: Permanently added ',' (RSA) to the list of known hosts.
	Permissions 0644 for 'TestKeyPair.pem' are too open.
	It is recommended that your private key files are NOT accessible by others.
	This private key will be ignored.
	bad permissions: ignore key: TestKeyPair.pem
	Permission denied (publickey).
jio::/home/jio>>> chmod 400 TestKeyPair.pem 
jio::/home/jio>>> ssh -i TestKeyPair.pem
	Last login: Tue Nov 29 04:30:03 2011 from
			   __|  __|_  )
			   _|  (     /   Amazon Linux AMI

	See /usr/share/doc/system-release/ for latest release notes.
	There are 14 security update(s) out of 18 total update(s) available
	[ec2-user@ip-10-194-110-99 ~]$ sudo -i
	[root@ip-10-194-110-99 ~]# ls -al
		total 36
		dr-xr-x---  3 root root 4096 Nov 29 04:19 .
		dr-xr-xr-x 24 root root 4096 Nov 29 04:08 ..
		-rw-------  1 root root   24 Nov 29 04:31 .bash_history
		-rw-r--r--  1 root root   18 Jan 15  2011 .bash_logout
		-rw-r--r--  1 root root  176 Jan 15  2011 .bash_profile
		-rw-r--r--  1 root root  176 Jan 15  2011 .bashrc
		-rw-r--r--  1 root root  100 Jan 15  2011 .cshrc
		drwx------  2 root root 4096 Nov 29 04:08 .ssh
		-rw-r--r--  1 root root  129 Jan 15  2011 .tcshrc
	[root@ip-10-194-110-99 ~]# exit
	[ec2-user@ip-10-194-110-99 ~]$ exit
	Connection to closed.