Common SSH Troubleshooting Issues for SysOps Administrators

Permissions on PEM File

• Unprotected Private Key File Error: Occurs if the PEM file does not have the correct permissions.
  • Solution: Set the permissions to 400 for the PEM file to fix the error.

Incorrect Username

• Host Key Not Found / Permission Denied / Connection Closed Error: If the wrong username is provided for the OS you're connecting to, you'll encounter these errors.
  • Solution: Ensure the username matches the OS of the instance (e.g., ec2-user for Amazon Linux, ubuntu for Ubuntu).

Network-Related Issues

• Connection Timeout Error: Indicates a network-related problem, such as:
  • Incorrectly configured security group.
  • Misconfigured route table for the subnets.
  • Network ACL (NACL) not set up properly.
  • Instance lacking a public IPv4 address.
  • High CPU usage causing the instance to be unresponsive.

SSH vs. EC2 Instance Connect

• SSH: Requires an inbound rule allowing the user's IP to connect.
• EC2 Instance Connect: Uses a range of IPs from AWS for connection.
  • It pushes a one-time SSH public key valid for 60 seconds.
  • Users interact with the EC2 Instance Connect service rather than providing their own SSH key.

Configuring EC2 Instance Connect

• Inbound Rule: Must allow the specific IP range for EC2 Instance Connect.
• IP Range Retrieval: An online JSON file provides the IP prefixes for EC2 Instance Connect per region.
• Security Group Configuration: The security group must be edited to include the EC2 Instance Connect IP range for the region.

Hands-On Example

1. SSH with Correct Permissions:
   • Successful login when correct key pair and permissions are used.
2. SSH with Incorrect Permissions:
   • Error: "Unprotected private key file."
   • Fix by reverting permissions to 400.
3. SSH with Wrong Username:
   • Error: "Too many authentication failures."
   • Correct username must match the AMI's OS.
4. Security Group and Timeout:
   • Removing port 22 from the security group results in a timeout.
   • Adding a rule for SSH from a specific IP allows connection.
5. EC2 Instance Connect Configuration:
   • Inbound rule must include the EC2 Instance Connect IP range.
   • Download and filter the IP range JSON file for the specific region.
   • Edit the security group to add the EC2 Instance Connect CIDR block.
   • Connect using EC2 Instance Connect successfully.