"UNPROTECTED PRIVATE KEY FILE!" Error using SSH into Amazon EC2 Instance (AWS)

Question

I've created a new linux instance on Amazon EC2, and as part of that downloaded the .pem file to allow me to SSH in.

When I tried to ssh with:

ssh -i myfile.pem <public dns>

I got:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'amazonec2.pem' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: amazonec2.pem
Permission denied (publickey).

Following this post I tried to chmod +600 the .pem file, but now when I ssh I just get

Permission denied (publickey).

What school-boy error am I making here? The .pem file is in my home folder (in macOS). Its permissions look like this:

-rw-------@   1 mattroberts  staff    1696 19 Nov 11:20 amazonec2.pem

Answer 1

The problem is wrong set of permissions on the file.

Easily solved by executing -

chmod 400 mykey.pem

Taken from AWS instructions -

Your key file must not be publicly viewable for SSH to work. Use this command if needed: chmod 400 mykey.pem

400 protects it by making it read only and only for the owner.

Answer 2

Feb, 2022 Update:

See the description to ssh to EC2 instance on AWS:

Then, you can find "No.3" saying this below:

So, run the command below as "No.3" says above:

chmod 400 myKey.pem

Answer 3

One thing I like doing in this matter, is to use an alias and add it to the .bashrc file so that I don't have to write connect commands or get back to the key each time I need to SSh the EC2 instance.

Here is how I do it:

vim .bashrc

Add the following content to the end of the file

# Custom fields

###[ MY APP 1 NAME ]###

# APP 1 Dev env EKS cluster bastion host
alias app1_dev="ssh -i ~/.ssh/app1-dev-bastion.pem USER@IPv4_ADDRESS"

###[ MY APP 2 NAME ]###
# APP 2 Stg env CodeDeploy instance
alias app_stg_cd="ssh -i ~/.ssh/app2-stg-cd.pem USER@IPv4_ADDRESS"

And then apply changes:

source .bashrc

Sorry if anyone answered this before and I didn't notice, and just wanted to share my own work taste, not like the other fellows didn't answer very well.

Answer 4

Change permission for the key file with :

chmod 400 key-file-name.pem

See AWS documentation for connecting to the instance: Tutorial: Get started with Amazon EC2 Linux instances

Answer 5

I know this is very late to the game ... but this always works for me:

##step 1

ssh-add ~/.ssh/KEY_PAIR_NAME.pem

##step 2, simply ssh in :)

ssh user_name@<instance public dns/ip>

e.g.

ssh ec2-user@ec2-198-51-100-1.compute-1.amazonaws.com

Answer 6

if don't have permissions don't forget sudo it. sudo ssh -i myfile.pem <<ssh_user>>@<>

Answer 7

Windows 10 - PowerShell

icacls.exe .\Desktop\xxxx.pem /reset
icacls.exe .\Desktop\xxxx.pem /grant:r "$($env:USERNAME):(r)"
icacls.exe .\Desktop\xxxx.pem /inheritance:r

ssh -i .\Desktop\xxxx.pem ec2-user@54.2xx.xxx.x

macos & linux

chmod 400 ~/Desktop/xxxx.pem

ssh -i ~/Desktop/xxxx.pem ec2-user@54.2xx.xxx.x

Answer 8

there's notes when you creating new EC2 instance that pormote you to change the file permtion

Easily solved by executing -

chmod 400 mykey.pem

Answer 9

In windows,

• Right click on the pem file. Then select properties.
• Select security tab --> Click on the Advanced button --> Disable inheritance --> Remove all inherited permissions from this object
• Click on the Add button --> Select a principal --> Enter your username on the inputbox --> Click on the Check Names button --> Click on Ok --> Click on Ok --> Click on Ok --> Click on Ok

Answer 10

It is just a permission issue with your aws pem key.

Just change the permission of pem key to 400 using below command.

chmod 400 pemkeyname.pem

If you don't have permission to change the permission of a file you can use sudo like below command.

sudo chmod 400 pemkeyname.pem

Else if nothing works for you just follow this video to change the keys on your EC2 instance. You can install now public / private key pair on your instance.

https://youtu.be/LvLlRCrS8B4

Answer 11

If you are connecting from Windows, perform the following steps on your local computer.

1. Navigate to your .pem file.

2. Right-click on the .pem file and select Properties.

3. Choose the Security tab.

4. Select Advanced.

5. Verify that you are the owner of the file. If not, change the owner to your username.

6. Select Disable inheritance and Remove all inherited permissions from this object.

7. Select Add, Select a principal, enter your username, and select OK.

8. From the Permission Entry window, grant Read permissions and select OK.

9. Click Apply to ensure all settings are saved.

10. Select OK to close the Advanced Security Settings window.

11. Select OK to close the Properties window.

12. You should be able to connect to your Linux instance from Windows via SSH.

From a Windows command prompt, run the following commands.

1. Run the following command to reset and remove explicit permissions: icacls.exe $path /reset
2. Run the following command to grant Read permissions to the current user: icacls.exe $path /GRANT:R "$($env:USERNAME):(R)"
3. Run the following command to disable inheritance and remove inherited permissions : icacls.exe $path /inheritance:r

You should be able to connect to your Linux instance from Windows via SSH.

Answer 12

for windows 10.

. Right click file . properties->security-> disable inheritance .now add -> your user(window) with only "read" . Click ok

now its working for me

Answer 13

If you are on windows 10 using the ubuntu subsystem, and if you sudo chmod to change the key to 400, then it may still error with "Load key pem: Permission denied"

ls -al and you will see root now owns the file! chown it to your logged in user and then it will work.

Answer 14

You're not in root then run this command

sudo chmod 400 -R myfile.pem

Not is root then run this command

chmod 400 -R myfile.pem

Answer 15

You are likely using the wrong username to login, because—

• Most Ubuntu images have a user ubuntu
• Amazon's AMI is ec2-user
• Most Debian images have either root or admin

To login, you need to adjust your ssh command:

ssh -l USERNAME_HERE -i .ssh/yourkey.pem public-ec2-host

Answer 16

You would need to put some conservative permissions on the key file (myfile.pem). Try changing it to r-------- OR 400

Answer 17

In Windows go to the .pem file, right click and select Properties.

• Go to Advanced in Security tab

• Disable and remove inheritance.

• Then press Add and select a principal.

• Add account username as object name and press ok.

• Give all permission.

• Apply and save changes.

Now check the above command

Answer 18

By default whenever you download the keyfile it come with 644 permissions.

So you need to change the permission each time you download new keys.

 chmod 400 my_file.pem

Answer 19

You should also check if your .pem file is not corrupted. I spent about an hour scratching my head and decided to check using this line

openssl rsa -check -in test.pem -noout

If it returns "RSA key ok" then you are good. If not, make sure you have the right file and or copied it correctly for whatever reason.

Answer 20

In windows you can go to the properties of the pem file, and go to the security tab, then to advance button.

remove inheritance and all the permissions. then grant yourself the full control. after all SSL will not give you the same error again.

Answer 21

You can find the answer from the ASW guide. 400 protects it by making it read only and only for the owner.

chmod 400 mykey.pem

Answer 22

What did it for me is editing the default security group to allow for inbound TCP traffic at port 22:

Answer 23

.400 protects it by making it read only and only for the owner.
You can find the answer from the ASW guide.

chmod 400 yourPrivateKey.pem

Answer 24

Key file should not be publicly viewable so use permission 400

chmod 400 keyfile.pem

If above command shows permission error use

sudo chmod 400 keyfile.pem

Now ssh into the ec2 machine, if you still face the issue, use ec2-user

ssh -i keyfile.pem ec2-user@ec2-12-34-56-78.compute-1.amazonaws.com

Answer 25

Well, looking at your post description I feel there were 2 mistakes done by you:-

1. Set correct permissions for the private key. Below command should help you to set correct file permision.

   chmod 0600 mykey.pem

2. Wrong ec2 user you are trying to login.

   Looking at your debug log I think you have spawned an Amazon linux instance. The default user for that instance type is ec2-user . If the instance would have been ubuntu then your default user would have been ubuntu .

   ssh -i privatekey.pem default_ssh_user@server_ip

Note:
   For an Amazon Linux AMI, the default user name is ec2-user.

   For a Centos AMI, the default user name is centos.

   For a Debian AMI, the default user name is admin or root.

   For a Fedora AMI, the default user name is ec2-user or fedora.

   For a RHEL AMI, the default user name is ec2-user or root.

   For a SUSE AMI, the default user name is ec2-user or root.

   For an Ubuntu AMI, the default user name is ubuntu.

   Otherwise, if ec2-user and root don't work, check with the AMI provider.

source: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html

Answer 26

I have seen two reasons behind this issue

1) access key does not have the right permission. pem keys with default permission are not allowed to make a secure connection. You just have to change the permission:

chmod 400 xyz.pem

2) Also check whether you have logged-in with proper user credentials. Otherwise, use sudo while connecting

sudo ssh -i {keyfile} ec2-user@{ip address of remote host}

Answer 27

It is just a permission issue with your aws pem key.

Just change the permission of pem key to 400 using below command.

chmod 400 pemkeyname.pem

If you don't have permission to change the permission of a file you can use sudo like below command.

sudo chmod 400 pemkeyname.pem

I hope this should work fine.

Answer 28

The issue for me was that my .pem file was in one of my NTFS partitions. I moved it to my linux partition (ext4).

Gave required permissions by running:

chmod 400 my_file.pem

And it worked.

Answer 29

In addition to the other answers, here is what I did in order for this to work:

• Copy the key to .ssh folder if you still hadn't:

cp key.pem ~/.ssh/key.pem

• Give the proper permissions to the key

chmod 400 ~/.ssh/key.pem

• Start ssh-agent (Thanks to https://stackoverflow.com/a/17848593 )

eval `ssh-agent -s` ssh-add

• Then, add the key

ssh-add ~/.ssh/key.pem

Now you should be able to ssh EC2 (:

Answer 30

BY default permission are not allowing the pem key. You just have to change the permission:

chmod 400 xyz.pem

and if ubuntu instance then connect using:

ssh -i xyz.pem ubuntu@ec2-youraws.amazonaws.com