- Can't SSH into AWS Instance
- It's a common issue
- Rule #1 - Always set a root password!
- Rule #2 - Setup EC2 Instance Connect to Manage SSH Keys
- Rule #3 - Setup Systems Manager
- Gaining SSH access to your AWS Instance
- Method #1 - Using the EC2 Serial Console + Password
- Method #2 - Using the EC2 Serial Console + Single User Mode
- Method #3 - Using cloudinit
- Method #4 - Donnor Instance
- Method #5 - Session Manager via AWS Systems Manager
- All in one Guide
Can't SSH into AWS Instance
It's a common issue
From time to time I'll get a request from someone who is trying to get into their AWS server via SSH but are unable to. There's a number of reason why this occurs.
- Lost Key Pair private key (SSH Private Key)
- Developer setup Key Pairs and disappeared.
- Locked out of SSH
Rule #1 - Always set a root password!
When you deploy a server, make sure to set the root password and store it somewhere securely. I suggest 1Password (Affiliate Link) for storing this password.
Having the root password will allow you to access the server using an OOB method (Out of Band) usually through the console.
Rule #2 - Setup EC2 Instance Connect to Manage SSH Keys
Amazon AWS provides a tool called EC2 Instance Connect. You install an agent on your EC2 Instance and setup the appropriate IAM permissions for the users in your organization.
You can then login to your instance using the EC2 Console (Web Based) without dealing with SSH Keys.
You can also download the aws cli to your local computer and push your SSH Key's to any instance and then login with either Putty or another SSH client.
Optionally you can use the EC2 Instance Connect CLI and run a command called
mssh which generates a one time ssh key and pushes it to the instance and removes it after 60 seconds.
Here's a link to the EC2 Instance Connect guide.
Rule #3 - Setup Systems Manager
AWS Systems Manager comes with Session Manager, which you can use to access your EC2 instances for free. Just be sure to setup Session Manager only.
Gaining SSH access to your AWS Instance
You can gain access to your AWS instance using a couple of methods.
Method #1 - Using the EC2 Serial Console + Password
Back in March of 2021 Amazon AWS released the EC2 Serial Console. This let's you access your servers console and login with any user.
You don't have to have your root login, you can use an low level system user such as ec2-user or ubuntu and run
su -.Granted this won't work if you setup SSH key authentication only, and didn't setup a password.
Here's the guide from the Amazon AWS blog.
Method #2 - Using the EC2 Serial Console + Single User Mode
If you don't have a password for the system. You can use the EC2 Serial Console and boot your instance into what's called Single User Mode
You can mount your local filesystem and then make changes. Such as resetting the root or local user password. Adding an SSH key is can be done by using the Copy and Paste function in the EC2 Serial Console.
Here's a link to the specific section of the previously mentioned article.
https://aws.amazon.com/blogs/compute/using-ec2-serial-console-to-access-the-grub-menu-and-recover-from-boot-failures/#:~:text=and emergency mode.-,Single user mode,-Single user mode
Method #3 - Using cloudinit
I didn't know about this one, but if your server has cloudinit enabled it can be configured to use a new EC2 Key Pair.
Here's the guide from the Amazon AWS knowledgebase. Look at Method #1.
Method #4 - Donnor Instance
This method is probably the last on you ever want to use. Launch a small temporary instance, stop the instance that you can't connect to via SSH, unmount the main OS storage and mount it on the small temporary instance.
You can then login to the temporary instance, mount the disk and add your SSH keys.
Here's the guide from the Amazon AWS User Guide
Method #5 - Session Manager via AWS Systems Manager
You can use Session Manager to gain acecss to your AWS EC2 instance. However you have to setup AWS Systems Manager first.
Here's the guide
All in one Guide
Pretty much each method is highlighted on the following page.