Can't ssh into ec2 box (permission denied) - ECDSA issue

2

1

I launched a AWS community Ubuntu 12.04 desktop ec2. I added the host to my ssh config with the identity pem key file to ssh into my ec2.

I got the authorized keys public key file from my ec2 and made a local ~/.ssh/myserver.pub with the public key. I was able to ssh to the box and change its ssh port to a new number. I restarted the ssh service, and was able to ssh again with no issues.

After doing an apt-get update and installing some software, I needed to scp a file to the ec2. SCP kept failing with 'Permission denied (public key).' I tried copying to the remote hosts ubuntu home directory many timesm, but nothing worked.

I exited my ssh session. I tried ssh'ing again, but got the 'Permission denied (public key). I removed my ec2's host entry from my known_hosts file.

Instead of RSA authentication, somehow I'm now getting prompted to authenticate with ECDSA host key. 

ECDSA key fingerprint is SHA256 xxxxxx

Are you sure you want to continue connecting (yes/no)?

debug1: Roaming not allowed by server

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug1: Authentications that can continue: publickey

debug1: Next authentication method: publickey

debug1: Trying private key: x.pem

debug1: Authentications that can continue: publickey

debug1: No more authentication methods to try.

Permission denied (publickey).

I tried #ssh-keygen -R <my ec2's ip>:

Host x.x.x.x not found in /Users/username/.ssh/known_hosts

I tried removing my ec2's ECDSA host entry and manually adding the RSA host public key, and sshing in again. 

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!

It is also possible that a host key has just been changed.

The fingerprint for the RSA key sent by the remote host is
SHA256:xxxxx

Add correct host key in /Users/user/.ssh/known_hosts to get rid of this message.

RSA host key for [myserver.mydomain.com]:xxxx has changed and you have requested strict checking.

The security group for this ec2 was not changed, so this shouldn't be the issue.

How can I get rid of the ECDSA authentication, and go back to the original RSA authentication for SSH that I started off with?

ficestat

Posted 2015-10-08T21:11:19.277

Reputation: 21

This has nothing to do with security group. Did you apply any openssh updates lately? – Thomas Ward – 2015-10-10T00:33:02.643

I did an apt-get update only no apt-get upgrade – ficestat – 2015-10-12T13:50:09.497

Answers

0

I would be a lot more careful with this.

SSH servers generate keys for both the security part but also so you know if a connection may be not to a known server.

Your server previously had an RSA fingerprint, I gather. That was created by OpenSSH server at install/generation time. Now you say that the warning indicates a ECDSA key fingerprint for the same box.

BE VERY CAREFUL. Amazon EC2 boxes, unless you assign a static elastic ip to it, do change IP address. Verify from the EC2 panel that the IP/address you are connecting to IS the box you think you are reaching. If it is not, then the warnings have done their job. If it is, review your updates history on the box and ID if openssh-server had been updated recently. If it had been, then likely it uses ECDSA instead of RSA and therefore reverting is less important (just remove the known fingerprint from your own machine's ~/.ssh/known_servers (path to be verified shortly) and then reconnect to the server.)

Thomas Ward

Posted 2015-10-08T21:11:19.277

Reputation: 1 020

The box is tied down to my IP and the default ssh port was changed from 22. Yes, it had an RSA fingerprint. I used an EIP and did not remove it. I'm connecting to the correct box, but unable to authenticate, and cannot check the updates history. I've already tried removing the ~/.ssh/known_hosts entries for this box multiple times. I've time-boxed myself out of troubleshooting this for this prod box. I'll attempt to replicate the issue in Vagrant and post back. – ficestat – 2015-10-12T13:57:00.350

Asked: 2015-10-08T21:11:19.277

Viewed: 712 times

Active: 2015-10-10T12:13:03.823