Getting the EC2 instance keypairs to work with the various types of SSH clients out there seems to be somewhat of an issue. I had trouble with it when I first started out, and I’ve had a few friends request help on that. I just got home, started fresh, and documented my steps with all three clients below (linux command line ssh, putty and SecureCRT). Hopefully, this will save a few of you trouble where I had some initially…
Before I get into specific instructions, I should note that there *are* certainly other ways to get the specifics of this to work. This is one method. You may find others, your mileage may vary, all rights wronged, all wrongs reversed, world peace in our lifetimes, etc etc ad nauseum.
On AWS:
- Using the AWS web administration, select the EC2 tab. Select “Key Pairs” on the left menu
- “Create Key Pair” on Top Bar
- Name the pair, in my example, I named it “TestKeyPair”
- This will download a PEM file. Save it somewhere you will remember.
- Now on the “Instances” panel (from the left menu), select “Launch Instance” from the top bar
- I selected the “Basic 64-bit Amazon Linux AMI 2011.09 (AMI Id: ami-1b814f72)” AMI
- I chose a micro instance in my zone (us-east-1b)
- Advanced Instance Options – stayed with all default values
- Instance Details – named the server TestServer
- Create Key Pair – I selected “Use Existing KeyPair” and selected the key pair created above
- Configure Firewall – used the quick-start Security Group
- Review – Launch.
Wait until the new instance is running… find the “Public DNS” field in its properties page, you will be using that to connect.
In my case, it was ec2-50-19-133-144.compute-1.amazonaws.com
Now, for each client, again, same caveat as above… there may, in fact, be other ways to get this working. I just tried to get to a working configuration as quickly as possible.
SecureCRT Instructions :
I’m using build 6.7.2 (x64 build 229). I believe these instructions will only apply to recent builds, since the ability to use
the PEM file directly was only added recently. Older versions will probably still work, but will likely require extra steps to
convert the PEM file to the native SecureCRT format (or another format that it can use)
- Create New Session
- Connect : Name – I used “test server”
- : Protocol : SSH2
- : SSH2 : Hostname (use the DNS name above) : ec2-50-19-133-144.compute-1.amazonaws.com
- : Port : 22 (default)
- : Username : ec2-user
- : Authentication : PublicKey
- Select the method, click on Properties
- Select “Use session public key setting”
- Select “Use identity or certificate file”
- Click on “…” to browse for the downloaded PEM file
- Click “OK”
- All other values should be at defaults
- Connect
- You will be prompted to accept the key exchange details. I clicked “Accept & Save”.
- I was, at that point, logged in to the ec2-user
- “sudo -i” got me to the root account
PuTTY instructions : (version 0.6.1)
There are other ways to do this (for example, using Pageant), but this is just to get the connection. Presumably, if you can get this working, you can get the other methods as well…
- Run the “puttygen” key generation program
- Conversions menu -> Import key
- Browse to the saved PEM file
- You should see all the key details on the screen, including fingerprint, comment, type of key and number of bits
- Click on “Save private key”
- Save the file with the PPK file type, I named mine TestKeyPair.ppk
- Create new session. I named it “testserver”
- Host Name (or ip IP address) : use the DNS name above, including the username : ec2-user@ec2-50-19-133-144.compute-1.amazonaws.com
- Port : 22
- Connection : Logical Name : I used the DNS name : ec2-50-19-133-144.compute-1.amazonaws.com
- : Data : Auto-login username : ec2-user
- : SSH : Auth : Private key file for authentication ->
- Browse to the file saved in Step 1 above
- Save your session
- Open the connection
- You will be prompted that the key pair is not yet saved in putty’s cache. Click “Yes” to save the key exchange and continue
- At this point, I was connected to the server, logged in as “ec2-user”
- “sudo -i” got me to root login
linux ssh instructions
Linux version (uname -a) :
Linux pebkac 2.6.29.6-smp-pebkac #1 SMP Sat Feb 27 17:55:36 MST 2010 i686 AMD Athlon(tm) 64 Processor 3800+ AuthenticAMD GNU/Linux)
OpenSSH and OpenSSL versions :
OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009
This is perhaps easiest. You can use the PEM file directly to connect without additional modification. I transfered the PEM file to my linux server (using SCP) and then executed instructions as you can see below:
jio::/home/jio>>> ssh -i TestKeyPair.pem ec2-user@ec2-50-19-133-144.compute-1.amazonaws.com
The authenticity of host 'ec2-50-19-133-144.compute-1.amazonaws.com (50.19.133.144)' can't be established.
RSA key fingerprint is c2:b2:5c:1e:12:4d:55:73:a2:f3:3d:c6:09:d3:9c:cc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ec2-50-19-133-144.compute-1.amazonaws.com,50.19.133.144' (RSA) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'TestKeyPair.pem' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: TestKeyPair.pem
Permission denied (publickey).
jio::/home/jio>>> chmod 400 TestKeyPair.pem
jio::/home/jio>>> ssh -i TestKeyPair.pem ec2-user@ec2-50-19-133-144.compute-1.amazonaws.com
Last login: Tue Nov 29 04:30:03 2011 from home.trippy.org
__| __|_ )
_| ( / Amazon Linux AMI
___|\___|___|
See /usr/share/doc/system-release/ for latest release notes.
There are 14 security update(s) out of 18 total update(s) available
[ec2-user@ip-10-194-110-99 ~]$ sudo -i
[root@ip-10-194-110-99 ~]# ls -al
total 36
dr-xr-x--- 3 root root 4096 Nov 29 04:19 .
dr-xr-xr-x 24 root root 4096 Nov 29 04:08 ..
-rw------- 1 root root 24 Nov 29 04:31 .bash_history
-rw-r--r-- 1 root root 18 Jan 15 2011 .bash_logout
-rw-r--r-- 1 root root 176 Jan 15 2011 .bash_profile
-rw-r--r-- 1 root root 176 Jan 15 2011 .bashrc
-rw-r--r-- 1 root root 100 Jan 15 2011 .cshrc
drwx------ 2 root root 4096 Nov 29 04:08 .ssh
-rw-r--r-- 1 root root 129 Jan 15 2011 .tcshrc
[root@ip-10-194-110-99 ~]# exit
logout
[ec2-user@ip-10-194-110-99 ~]$ exit
logout
Connection to ec2-50-19-133-144.compute-1.amazonaws.com closed.
jio::/home/jio>>>
Enjoy!