I am unable to connect to my Amazon EC2 instance through SSH, and I received the following error: Server refused our key. How can I resolve this?

You might be unable to log into an EC2 instance if:

  • You are using an SSH private key but the corresponding public key is not in the authorized_keys file.
  • The permissions on your authorized_keys file are incorrect.
  • The permissions on your .ssh folder are incorrect.
  • Your authorized_keys file or .ssh folder is not named correctly.
  • Your authorized_keys file or .ssh folder was deleted.
  • Your instance was launched without a key, or it was launched with an incorrect key.

These instructions set the appropriate ownership and file permissions for the SSH directory and the files it contains, and append the specified SSH public key to the authorized_keys file.

These instructions apply to all distributions that support cloud-init directives. Cloud-init must be installed and configured for them to succeed. For more information about the cloud-init SSH module, see Configure ssh and ssh keys.

Note: Stop your instance before beginning; any data on ephemeral volumes is lost when the instance stops.

1.    From the Amazon EC2 console, select your instance, choose Actions, select Instance State, and then choose Stop. If Stop is disabled, either the instance is already stopped or its root device is an instance store volume.
Note: If the root device is an instance store volume, you cannot change the SSH key using the method described in this article.

2.    Choose Actions, select Instance Settings, and then choose View/Change User Data.
Note: You cannot change the user data if the instance is running; however, you can view it.

3.    Locate your public key, place it on the ssh-rsa line, and then copy and paste the result into the User Data field. See the following example:

#cloud-config
ssh_deletekeys: false
ssh_authorized_keys:
  - ssh-rsa ENTER YOUR PUBLIC KEY HERE ...
cloud_final_modules:
  - [ssh, always]

4.    To extract the public key from your private key file, run a command similar to the following:

Linux

# ssh-keygen -y -f /path/to/keypair.pem

Windows

Open PuTTYgen.
Load your .pem file.
The public key appears in the box titled "Public key for pasting into OpenSSH authorized_keys file".

5.    In the View/Change User Data dialog box, update the user data, and then choose Save.

6.    Choose Actions, select Instance State, and then choose Start.

After the instance starts, you can log in with the user name for your AMI. For a list of user names for Amazon Linux, RHEL, Ubuntu, CentOS, Fedora, and SUSE, see Connecting to Your Linux Instance. If ec2-user and root don't work, check with your AMI provider.

Note: By default, cloud-init runs the ssh module once per instance; however, because of the [ssh, always] setting, these steps add the key on every reboot or stop/start of the instance. If the user data is removed, the default behavior is restored. We recommend considering the security implications of being able to run user data beyond the first boot of an instance. Modifying the user data of an instance is done through the ModifyInstanceAttribute API method, and IAM policies can be created to restrict this method.
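The following shell helpers are an added example, not part of the AWS article: one builds the step 3 user-data document from a public key line (for example, the output of ssh-keygen -y), and the other checks a home directory for the .ssh problems listed at the top of this page. It assumes a POSIX sh with ls, cut, awk and grep; the accepted key-type prefixes are my choice.

```shell
#!/bin/sh
# Added example (not from the AWS article).

# Emit the cloud-config user data for one OpenSSH public key line, e.g. the
# output of `ssh-keygen -y -f keypair.pem`. The type/base64 prefix check
# rejects anything that is not a public key line (such as a pasted private key).
make_user_data() {
  key=$1
  case $key in
    "ssh-rsa "[A-Za-z0-9+/]*|"ssh-ed25519 "[A-Za-z0-9+/]*|"ecdsa-sha2-nistp"[0-9]*" "[A-Za-z0-9+/]*) ;;
    *) echo "refusing: not an OpenSSH public key line" >&2; return 1 ;;
  esac
  printf '#cloud-config\nssh_deletekeys: false\nssh_authorized_keys:\n  - %s\ncloud_final_modules:\n  - [ssh, always]\n' "$key"
}

# Owner column of `ls -ld`.
owner_of() { ls -ld "$1" | awk '{print $3}'; }

# Check $1/.ssh for the causes listed above: directory and file exist with the
# exact names, .ssh is closed to group/other (700), authorized_keys is not
# group/other writable (600), both are owned by the home directory's owner,
# and public key $2 is actually present. Prints one line per finding and
# returns 1 if anything is wrong.
audit_ssh_dir() {
  home=$1
  key=$2
  rc=0
  dir=$home/.ssh
  auth=$dir/authorized_keys
  [ -d "$dir" ]  || { echo "missing or misnamed: $dir"; return 1; }
  [ -f "$auth" ] || { echo "missing or misnamed: $auth"; return 1; }
  # columns 5-10 of `ls -l` are the group and other permission bits
  [ "$(ls -ld "$dir" | cut -c5-10)" = "------" ] || { echo "$dir should be mode 700"; rc=1; }
  # columns 6 and 9 are the group and other write bits
  [ "$(ls -ld "$auth" | cut -c6,9)" = "--" ] || { echo "$auth must not be group/other writable (use 600)"; rc=1; }
  for p in "$dir" "$auth"; do
    [ "$(owner_of "$p")" = "$(owner_of "$home")" ] || { echo "$p is not owned by the owner of $home"; rc=1; }
  done
  grep -qF -- "$key" "$auth" || { echo "public key not present in $auth"; rc=1; }
  return $rc
}
```

Run audit_ssh_dir against the login user's home directory on the instance (for example from a rescue instance with the root volume attached) to see which of the listed causes applies before rewriting the user data.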



Published: 2017-06-26