Louisa helps you troubleshoot "server refused our key" errors when using Amazon EC2


I can't connect to my Amazon Elastic Compute Cloud (Amazon EC2) instance using SSH, and I received the following error: "Server refused our key." How can I resolve this?

You might be unable to log in to an EC2 instance if:

  • You're using an SSH private key but the corresponding public key is not in the authorized_keys file.
  • You don't have permissions for your authorized_keys file.
  • You don't have permissions for the .ssh folder.
  • Your authorized_keys file or .ssh folder isn't named correctly.
  • Your authorized_keys file or .ssh folder was deleted.
  • Your instance was launched without a key, or it was launched with an incorrect key.

To connect to your EC2 instance after receiving the error "Server refused our key," you can update the instance's user data to append the specified SSH public key to the authorized_keys file. Doing so also sets the appropriate ownership and file permissions for the SSH directory and the files contained in it.

Before you begin the procedure to update your instance's user data, note the following:

  • The procedure doesn't correct the issue if permissions to the home directory are broken. You must manually correct the home directory permissions.
  • The procedure applies to all distributions that support cloud-init directives. Cloud-init must be installed and configured for these instructions to be successful. For more information about the cloud-init SSH module, see Configure ssh and ssh keys.
  • You must stop your instance at the beginning of this procedure. Any data on ephemeral volumes is lost.
  • You can't change the SSH key using this procedure if your instance's root device is an instance store volume.

Follow these steps to update your instance's user data to append the specified SSH public key to the authorized_keys file:

1.    From the Amazon EC2 console, choose your instance.

2.    Choose Actions, choose Instance State, and then choose Stop. Note: If Stop is disabled, either the instance is already stopped or its root device is an instance store volume. You can't change the SSH key using this procedure if your instance's root device is an instance store volume.

3.    Find the SSH public key in one of the following ways, based on the operating system that you're connecting from:

Linux: Run a command similar to the following:

# ssh-keygen -y -f /path/to/keypair.pem

Windows: Open PuTTYGen. Then, load your .PEM file. The public key appears in the box titled "Public key for pasting into OpenSSH authorized_keys file."

4.    Note the SSH public key. You'll need the public key in a later step.

5.    Return to the Amazon EC2 console and choose your instance.

6.    Choose Actions, choose Instance Settings, and then choose View/Change User Data.

7.    In the View/Change User Data dialog box, for User Data, type the following snippet. Note: Enter the SSH public key as the value for ssh-rsa. The value must match the public key exactly, without additional spaces or characters.  

#cloud-config
ssh_deletekeys: false
ssh_authorized_keys:
  - ssh-rsa ENTER YOUR PUBLIC KEY HERE ...
cloud_final_modules:
  - [ssh, always]

8.    Choose Save.

9.    Choose Actions, choose Instance State, and then choose Start.

After the instance starts, you can log in with the user name for your AMI. For the list of user names for Amazon Linux, RHEL, Ubuntu, CentOS, Fedora, and SUSE Amazon Machine Images (AMIs), see Connecting to Your Linux Instance. If ec2-user and root don't work, check with your AMI provider.

Note: By default, the user data script runs once per instance. This procedure changes the default behavior so that the public key is added on every reboot, stop, or start of the instance. To restore the default behavior, remove the custom user data. As a best practice, consider the security implications of allowing user data to run after the first boot of an instance. You can modify the user data of an instance with the ModifyInstanceAttribute API method. To restrict access to this method, use AWS Identity and Access Management (IAM) policies.
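Once you can reach the instance's file system again, the causes listed at the top of this article can be checked directly. The following script is an added example, not part of the original article: it audits one account's home directory, .ssh folder, and authorized_keys file for wrong names, missing files, loose or missing permissions, wrong ownership, and a missing public key. The function names are hypothetical, and the script assumes OpenSSH's default StrictModes behavior, which rejects key files and directories that are writable by group or others.

```shell
#!/bin/sh
# Added example (not from the original article): audit one account's SSH files.
# Usage: audit_ssh_keys HOME_DIR OWNER_UID "ssh-rsa AAAA... comment"
# Prints one finding per line; returns 0 if clean, 1 if anything was found.

# True when the path is owned by the given UID or by root, the owners sshd accepts.
owner_ok() {
    [ -n "$(find "$1" -prune \( -user "$2" -o -user 0 \))" ]
}

# True when the path is writable by group or others, which StrictModes rejects.
loose_mode() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# Ownership and mode checks shared by the directories and the key file.
# $3 is the permission bits the owner must hold (700 for dirs, 400 for the file).
check_path() {
    rc=0
    if ! owner_ok "$1" "$2"; then echo "OWNER: $1 not owned by uid $2 or root"; rc=1; fi
    if loose_mode "$1"; then echo "MODE: $1 is group- or world-writable"; rc=1; fi
    if [ -z "$(find "$1" -prune -perm "-$3")" ]; then
        echo "MODE: $1 lacks owner permission bits $3"; rc=1
    fi
    return $rc
}

audit_ssh_keys() {
    home=$1 uid=$2 bad=0
    blob=$(printf '%s\n' "$3" | awk '{print $2}')   # base64 field of the public key
    file="$home/.ssh/authorized_keys"
    if [ -z "$blob" ]; then echo "INPUT: public key has no base64 field"; return 1; fi
    for dir in "$home" "$home/.ssh"; do
        # A misspelled or deleted .ssh folder shows up here as MISSING.
        if [ ! -d "$dir" ]; then echo "MISSING: directory $dir"; return 1; fi
        check_path "$dir" "$uid" 700 || bad=1
    done
    if [ ! -f "$file" ]; then echo "MISSING: $file"; return 1; fi
    check_path "$file" "$uid" 400 || bad=1
    # Fixed-string match, so a key line with leading options still matches.
    if ! grep -qF -- "$blob" "$file"; then
        echo "KEY: public key is not listed in $file"; bad=1
    fi
    return $bad
}
```

Pass the output of the ssh-keygen -y command from step 3 as the third argument, and the numeric user ID of the login account (for example, from id -u ec2-user) as the second.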



Published: 2017-06-26

Updated: 2018-05-21