It is pretty difficult to tell what is going on here, because you did not paste all that output in a code block.
From what I can see
You replaced, not added to, root's authorized keys. If there were any keys there already, you overwrote them. If not, then OK. Need to use `>>` to append to the file.
Doesn't look like you enabled root login in sshd_config. Hard to tell from the mess above, but this line should be uncommented:
```
#PermitRootLogin prohibit-password
```
Leaving `prohibit-password` should allow SSH key login. `yes` allows any sort of login.
I'm sorry for the inconvenience. Please find the steps below. I attempted it again and I am able to log in without a password as the root user. Please let me know why it's failing…
```
~ on ☁️ (us-east-1) ➜ cd .ssh/
~/.ssh on ☁️ (us-east-1) ➜ ssh-keygen -t rsa -f devops-key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in devops-key
Your public key has been saved in devops-key.pub
The key fingerprint is:
SHA256:8cu6Wtj1uuaJ4D7Xbe5lu4isvpp9PrU5s3+ANMssiWY root@aws-client
The key's randomart image is:
+---[RSA 3072]----+
| |
| |
| . |
| o o |
| S.o= + |
| oEooo* . |
| ooo.o+.oo. |
| ..=.+=+B+ ..|
| .**OOO*==+o |
+----[SHA256]-----+
~/.ssh on ☁️ (us-east-1) ➜ ls
agent-environment authorized_keys devops-key devops-key.pub
~/.ssh on ☁️ (us-east-1) ➜ cat devops-key.pub
ssh-rsa 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 root@aws-client
~/.ssh on ☁️ (us-east-1) ➜ ssh -i devops-key ec2-user@54.157.10.170
The authenticity of host '54.157.10.170 (54.157.10.170)' can't be established.
ECDSA key fingerprint is SHA256:MSgGN62vtsLJylHQMTWViyL43rHN5BYtXf5lfL08ldE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '54.157.10.170' (ECDSA) to the list of known hosts.
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
[ec2-user@ip-172-31-24-196 ~]$ ls -la
total 12
drwx------. 3 ec2-user ec2-user  74 Jul 11 00:36 .
drwxr-xr-x. 3 root     root      22 Jul 11 00:36 ..
-rw-r--r--. 1 ec2-user ec2-user  18 Jan 28  2023 .bash_logout
-rw-r--r--. 1 ec2-user ec2-user 141 Jan 28  2023 .bash_profile
-rw-r--r--. 1 ec2-user ec2-user 492 Jan 28  2023 .bashrc
drwx------. 2 ec2-user ec2-user  29 Jul 11 00:36 .ssh
[ec2-user@ip-172-31-24-196 ~]$ cat .ssh/authorized_keys
ssh-rsa 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 devops-key
[ec2-user@ip-172-31-24-196 ~]$ sudo su -
[root@ip-172-31-24-196 ~]# cp /home/ec2-user/.ssh/authorized_keys >> /root/.ssh/authorized_keys
cp: missing destination file operand after '/home/ec2-user/.ssh/authorized_keys'
Try 'cp --help' for more information.
[root@ip-172-31-24-196 ~]# cat /home/ec2-user/.ssh/authorized_keys >> /root/.ssh/authorized_keys
[root@ip-172-31-24-196 ~]# cat /root/.ssh/authorized_keys
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ec2-user\" rather than the user \"root\".';echo;sleep 10;exit 142" ssh-rsa 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 devops-key
ssh-rsa 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 devops-key
[root@ip-172-31-24-196 ~]# vi /root/.ssh/authorized_keys
[root@ip-172-31-24-196 ~]# cat /root/.ssh/authorized_keys
ssh-rsa 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 devops-key
[root@ip-172-31-24-196 ~]# ls -la
total 24
dr-xr-x---.  3 root root  119 Jul 11 00:40 .
dr-xr-xr-x. 18 root root  237 Jul  5 19:25 ..
-rw-r--r--.  1 root root   18 Feb  2  2023 .bash_logout
-rw-r--r--.  1 root root  141 Feb  2  2023 .bash_profile
-rw-r--r--.  1 root root  429 Feb  2  2023 .bashrc
-rw-r--r--.  1 root root  100 Feb  2  2023 .cshrc
drwx------.  2 root root   29 Jul 11 00:40 .ssh
-rw-r--r--.  1 root root  129 Feb  2  2023 .tcshrc
-rw-------.  1 root root 2305 Jul 11 00:40 .viminfo
[root@ip-172-31-24-196 ~]# cd .ssh/
[root@ip-172-31-24-196 .ssh]# ls -la
total 4
drwx------. 2 root root  29 Jul 11 00:40 .
dr-xr-x---. 3 root root 119 Jul 11 00:40 ..
-rw-------. 1 root root 564 Jul 11 00:40 authorized_keys
[root@ip-172-31-24-196 .ssh]# vi /etc/ssh/sshd_config
[root@ip-172-31-24-196 .ssh]# cat /etc/ssh/sshd_config | grep -i "password-prohibit"
[root@ip-172-31-24-196 .ssh]# cat /etc/ssh/sshd_config | grep -i "password"
PermitRootLogin prohibit-password
# Explicitly disable PasswordAuthentication. By presetting it, we
# avoid the cloud-init set_passwords module modifying sshd_config and
PasswordAuthentication no
PermitEmptyPasswords no
# Change to no to disable s/key passwords
# PasswordAuthentication.  Depending on your PAM configuration,
# the setting of "PermitRootLogin without-password".
# PAM authentication, then enable this but set PasswordAuthentication
[root@ip-172-31-24-196 .ssh]# exit
logout
[ec2-user@ip-172-31-24-196 ~]$ exit
logout
Connection to 54.157.10.170 closed.
~/.ssh on ☁️ (us-east-1) ➜ cd ~
~ on ☁️ (us-east-1) ➜ ssh -i ~/.ssh/devops-key root@54.157.10.170
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
Last login: Thu Jul 11 00:38:10 2024
[root@ip-172-31-24-196 ~]#
```
So where exactly does it fail, and what does it say when it tells you it has failed? I just did that lab and it is able to pass without having to edit sshd_config.
As long as you have the following working before you end the lab (the IP address of the EC2 instance is different every time)
```
~ on ☁️ (us-east-1) ➜ ssh 52.91.52.216
```
and it logs directly in as root, then it should pass the question.
You launch the instance with devops-key and then connect with the public IP. I am not able to launch the instance with devops-key. Is there anything I am missing? Can you explain? Thanks.
@Srikanth_Reddy I am still not getting the final result. I have run these commands:
ssh-keygen -t rsa -f devops-key
launch ec2 instance
copy devops-key.pub
paste into /root/.ssh/autherised_keys, but I am not able to log in: `[email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).`
@Alistair_KodeKloud
I remember doing this task recently and I didn’t have to change the sshd_config.
@Nagireddy
Did you try to log in as root instead of ec2-user and specify your private key path, as you aren't using the default name when generating? Also, I think it is just a typo in the authorized_keys file name.
```
ssh -i <private_key_path> root@<ip_address>
```
If it didn't work, edit the sshd_config file as suggested by @Alistair_KodeKloud.
Unusual. It’s generally an accepted baseline security consideration to disable remote root logins by default, and is usually how a default installation of sshd is configured.
I have successfully completed this task, but I added the devops.pub key to authorized_keys in the EC2 instance and copied the same into autherised keys; then it worked fine. Thanks for your assistance @Alistair_KodeKloud @Srikanth_Reddy @Nagireddy
@Alistair_KodeKloud
How do I access the EC2 instance from aws-client without a .pem key?
I am trying to connect to the EC2 instance with a generated public key, but I can't access it.
```
~/.ssh on (us-east-1) ➜ ls -la
total 32
drwx------ 1 root root 4096 Jan 11 19:18 .
drwx------ 1 root root 4096 Jan 11 19:02 ..
-rw------- 1 root root  134 Jan 11 19:02 agent-environment
-r-------- 1 root root 1138 Jan 11 19:02 authorized_keys
-rw------- 1 root root 2602 Jan 11 19:18 nautituls
-rw-r--r-- 1 root root  569 Jan 11 19:18 nautituls.pub
~/.ssh on (us-east-1) ➜ ssh -i nautituls [email protected]
The authenticity of host '44.213.88.15 (44.213.88.15)' can't be established.
ECDSA key fingerprint is SHA256:8D5U+CnFaRfu3fU96ZUaAoAM0JE/uEj6YqsqPEjja8c.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '44.213.88.15' (ECDSA) to the list of known hosts.
[email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
```
You created this with ssh-keygen right? And the task is the task as described further up this thread?
Now you need to get the content of this file into the authorized_keys file for root on the ec2 instance. You can login to the EC2 instance from the AWS console, edit the required file, then you should be able to do
Since this lab seems to be causing so much confusion, let’s walk through it.
You need to do the following steps
Deploy an EC2 instance using the AWS console. Choose Amazon Linux as the type. In the settings page, ensure it is using GP2 disk type. It does not require a key pair. We are going to create that later. Launch the instance, and then edit its name to the name stated in the question (e.g. datacenter-ec2 or whatever it asks). Note that if you forget to set the name or set it incorrectly, the task will fail as the grader will not be able to locate the EC2 instance.
When the instance has finished launching, connect to it. Right click instance, select Connect, then select EC2 Instance Connect. You should get a terminal on the instance logged in as ec2-user. Now do sudo -i to become root.
Back at the lab terminal, create a key pair:
```
ssh-keygen
```
Accept the defaults.
Run the following:
```
cat .ssh/id_rsa.pub
```
Copy the key output.
Back at the EC2 instance in the console:
```
vi .ssh/authorized_keys
```
Paste the key you copied at the end of this file. Save and exit vi.
Note the public IP address of the EC2 instance; you will need it in the next step.
Back at the lab terminal, test the connection. The IP address will be different for you.
```
~ on ☁️ (us-east-1) ➜ ssh root@54.161.54.252
The authenticity of host '54.161.54.252 (54.161.54.252)' can't be established.
ECDSA key fingerprint is SHA256:WL/GGUvz1UrPoMWJgP8ECq4z7rMUkkCVoM8uRj1jPGM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '54.161.54.252' (ECDSA) to the list of known hosts.
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
[root@ip-172-31-43-159 ~]#
```
The reason it failed on your first attempt after my solution is that you did not accept the defaults for the keypair. Since the question did not state that you should name the keypair, the grader is not expecting to do `ssh -i`.
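The following is an added example, not code from this thread or from the KodeKloud lab. It reproduces, in a scratch directory, the two things the posts above show going wrong with root's authorized_keys (overwriting with `>` instead of appending with `>>`, and Amazon Linux's `command=`-restricted entry for the launch key, which sshd picks because it takes the first line that matches the offered key, so the entry appended below it never gets a shell until the restricted line is removed), together with the PermitRootLogin check from the first reply. Function names, the sample sshd_config lines and the key lines are mine; the key blobs are fake and the files are created under mktemp.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: reproduce the root authorized_keys fix
# in a scratch directory so it can be run without an EC2 instance.
# Function names and the sample key lines below are mine; the key blobs are fake.
set -eu

# Append PUBKEY to FILE with >> (never >, which overwrites existing entries),
# creating the directory and file with the modes sshd's StrictModes expects.
append_authorized_key() {
    local file="$1" pubkey="$2"
    mkdir -p "$(dirname "$file")"
    chmod 700 "$(dirname "$file")"
    touch "$file"
    chmod 600 "$file"
    # Idempotent: do not add a second identical unrestricted line.
    if grep -qxF "$pubkey" "$file"; then
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$file"
}

# True if FILE holds PUBKEY (matched on key type + blob, comment ignored) as a
# plain entry, i.e. a line that starts with the key type and carries no options.
has_unrestricted_key() {
    local file="$1" ktype blob
    ktype=$(printf '%s\n' "$2" | awk '{print $1}')
    blob=$(printf '%s\n' "$2" | awk '{print $2}')
    awk -v t="$ktype" -v b="$blob" '$1 == t && $2 == b { found = 1 } END { exit !found }' "$file"
}

# Remove entries for PUBKEY that carry an options prefix such as
# command="echo 'Please login as the user ec2-user ...'". sshd uses the FIRST
# line that matches the offered key, so an appended plain entry is ignored as
# long as Amazon Linux's forced-command line for the same key sits above it.
strip_forced_command_entries() {
    local file="$1" blob tmp
    blob=$(printf '%s\n' "$2" | awk '{print $2}')
    tmp=$(mktemp)
    awk -v b="$blob" '!(index($0, b) && $1 !~ /^(ssh-|ecdsa-|sk-)/)' "$file" > "$tmp"
    cat "$tmp" > "$file"   # cat, not mv: keeps the file's owner and 0600 mode
    rm -f "$tmp"
}

# Effective PermitRootLogin from one sshd_config file: sshd takes the first
# uncommented occurrence of a keyword, and the built-in default is
# prohibit-password. Include directives and Match blocks are not followed;
# on a real host confirm with: sshd -T | grep -i permitrootlogin
effective_permit_root_login() {
    local v
    v=$(awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1")
    printf '%s\n' "${v:-prohibit-password}"
}

# Key-based root login works with yes, prohibit-password or its old spelling
# without-password; only "no" blocks it.
root_key_login_allowed() {
    case "$(effective_permit_root_login "$1")" in
        yes|prohibit-password|without-password) return 0 ;;
        *) return 1 ;;
    esac
}

# Walk through the thread's scenario on constructed files.
demo() {
    local dir pub ak cfg
    dir=$(mktemp -d)
    ak="$dir/root/.ssh/authorized_keys"
    cfg="$dir/sshd_config"
    pub='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDEXAMPLEFAKEKEY devops-key'   # fake blob
    mkdir -p "$(dirname "$ak")"
    # The restricted line Amazon Linux writes for the launch key (shape as seen in the thread).
    cat > "$ak" <<'EOF'
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ec2-user\" rather than the user \"root\".';echo;sleep 10;exit 142" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDEXAMPLEFAKEKEY devops-key
EOF
    append_authorized_key "$ak" "$pub"           # the >> step
    has_unrestricted_key "$ak" "$pub" && echo "plain entry present, but the forced-command line above it still wins"
    strip_forced_command_entries "$ak" "$pub"   # the vi step from the thread
    echo "--- resulting authorized_keys ---"; cat "$ak"
    printf '%s\n' '#PermitRootLogin prohibit-password' 'PasswordAuthentication no' > "$cfg"
    if root_key_login_allowed "$cfg"; then
        echo "PermitRootLogin is $(effective_permit_root_login "$cfg"): key login as root allowed"
    fi
    rm -rf "$dir"
}

demo
```

On a real instance you would run the three authorized_keys functions as root against `/root/.ssh/authorized_keys`, and trust `sudo sshd -T | grep -i permitrootlogin` over the single-file check, since Amazon Linux 2023 pulls in `/etc/ssh/sshd_config.d/*.conf` through an Include directive that the function does not follow.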