What is the right file permission for a .pem file to SSH and SCP

  • I have tried to SSH into my AWS Ubuntu server and copy the directory to my local machine. Throughout the process I experience different file permission errors (noted below).

    Is there one specific file permission needed for the .pem file that allows me to SSH and SCP?
    Or do I need to change the file permission twice - once for SSH and another for SCP after I login?

    Here are the commands I'm using:

    SSH:

    ssh -i sentiment.pem [email protected]
    

    Copy from remote to local computer with:

    scp [email protected]:/home/ubuntu/sentimentfolder /Users/Toga/Desktop/sentimentlocal
    

    I'm on a Mac OS X 10.7.5.


    Trial and Error:

    1. After I initially downloaded the .pem file, its permissions were set to, I THINK: 0644

      -rw-r--r--@ 1 Toga  staff  1692 Feb 18 21:27  sentiment.pem
      

      I then tried to SSH via terminal and received the following:

      WARNING: UNPROTECTED PRIVATE KEY FILE! 
      Permissions 0644 for 'sentiment.pem' are too open.
      It is recommended that your private key files are NOT accessible by others.
      This private key will be ignored.
      bad permissions: ignore key: sentiment.pem
      Permission denied (publickey).
      
    2. I updated the file permissions to:

      chmod 660 sentiment.pem
      

      After the update, the permissions were set to:

      -rw-rw----@ 1 Toga  staff  1692 Feb 18 21:27 sentiment.pem
      

      I then tried to SSH via terminal and received the following:

      WARNING: UNPROTECTED PRIVATE KEY FILE! 
      Permissions 0660 for 'sentiment.pem' are too open.
      It is recommended that your private key files are NOT accessible by others.
      This private key will be ignored.
      bad permissions: ignore key: sentiment.pem
      Permission denied (publickey).
      
    3. I updated the file permissions to:

      chmod 600 sentiment.pem
      

      After the update, the permissions were set to:

      -rw-------@ 1 Toga  staff 1692 Feb 18 21:27 sentiment.pem
      

      I then tried to SSH via terminal and was successful!!

    4. Now logged in, I run a command to copy the remote directory to my local computer with:

      scp [email protected]:/home/ubuntu/sentimentfolder /Users/Toga/Desktop/sentimentlocal
      

      Which returns:

      Permission denied (publickey).
      

    SCP Commands Attempted:

    1. added the option -i and referenced the .pem file:

      scp -i sentiment.pem [email protected]:/home/ubuntu/sentimentfolder /Users/Toga/Desktop/sentimentlocal
      
    2. added the option -i, referenced the .pem file, and changed the user for AWS to ec2-user:

      scp -i sentiment.pem [email protected]:/home/ubuntu/sentimentfolder /Users/Toga/Desktop/sentimentlocal
      
    3. added the option -i, referenced the .pem file, changed the user for AWS to ec2-user, and added the complete file path for the location of the .pem file:

      scp -i /Users/Toga/Desktop/rollup/Personal/Serial_Project_Starter/sentiment/sentiment.pem [email protected]:/home/ubuntu/sentiment /Users/Toga/Desktop/sentimentlocal
      

    You have to tell scp to also use the .pem file

    Thank you for calling that out @danielkullmann, that makes sense. I tried a combination of commands that referenced the .pem file directly but nothing has worked yet. I have updated the question with a section titled "SCP Commands Attempted" to catalog what I tried. If you have an alternative command, please let me know. Thank you.
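Added example, not part of the question or of any answer on this page: a small script that reproduces the test OpenSSH applies to an identity file before it will use it, so the trial-and-error above becomes predictable. The key file it creates is a placeholder in a temp directory; no real key is read. The helper names (`key_perm_ok`, `fix_key_perms`) are this example's own.

```shell
#!/bin/sh
# OpenSSH ignores a private key when BOTH of these hold:
#   1. the file is owned by the user running ssh/scp, and
#   2. any group or "other" permission bit is set (mode & 077 != 0).
# It does not distinguish 0400 from 0600: both pass, which is why the answers
# below disagree on the number but all work.

# Octal mode of a file, portable across GNU stat (Linux) and BSD stat (macOS).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Numeric uid of a file's owner, same portability trick.
file_owner() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# key_perm_ok FILE: return 0 if OpenSSH would accept FILE as an identity,
# 1 if it would print "UNPROTECTED PRIVATE KEY FILE!" and ignore it.
key_perm_ok() {
    mode=$(file_mode "$1") || return 1
    owner=$(file_owner "$1") || return 1
    # The check is skipped when the key belongs to someone else. That is the
    # whole reason "sudo ssh -i key.pem" appears to fix a 0644 key owned by
    # a normal user: root is not the owner, so the mode is never examined.
    [ "$owner" != "$(id -u)" ] && return 0
    # Leading 0 makes the shell read the mode as octal; 077 selects the
    # group and other bits.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# fix_key_perms FILE: what every answer on this page converges on. 0400
# (owner read-only) is what Amazon documents; 0600 would pass the same test.
fix_key_perms() {
    chmod 400 "$1"
}

# Walk through the modes the asker tried, plus 0400.
demo() {
    dir=$(mktemp -d)
    key="$dir/sentiment.pem"
    # Placeholder contents, not key material.
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'placeholder' '-----END RSA PRIVATE KEY-----' > "$key"
    for m in 644 660 600 400; do
        chmod "$m" "$key"
        if key_perm_ok "$key"; then
            printf 'mode 0%s: accepted\n' "$m"
        else
            printf 'mode 0%s: rejected, "Permissions 0%s for ... are too open"\n' "$m" "$m"
        fi
    done
    rm -rf "$dir"
}

demo
```

One mode is enough for both commands: scp runs ssh underneath, so it applies the same test to the key. What scp does not do is guess which key to use, so after the chmod it still needs the same `-i sentiment.pem` (or a config entry) and the same login name that worked for ssh.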

  • Visit How to Connect to Amazon EC2 Remotely Using SSH or refer to the steps below.

    How to Connect to Amazon EC2 Remotely Using SSH:

    1. Download the .pem file.
    2. In Amazon Dashboard choose "Instances" from the left side bar, and then select the instance you would like to connect to.
    3. Click on "Actions", then select "Connect"
    4. Click on "Connect with a Standalone SSH Client"
    5. Open up a Terminal window
    6. Create a directory:

      # mkdir -p ~/.ssh
      
    7. Move the downloaded .pem file to the .ssh directory we just created:

      # mv ~/Downloads/ec2private.pem ~/.ssh
      
    8. Change the permissions of the .pem file so only the root user can read it:

      # chmod 400 ~/.ssh/ec2private.pem
      
    9. Create a config file:

      # vim ~/.ssh/config
      

      Enter the following text into that config file:

      Host *amazonaws.com
      IdentityFile ~/.ssh/ec2private.pem
      User ec2-user
      

      Save that file.

    10. Use the ssh command with your public DNS hostname to connect to your instance.
      e.g.:

      # ssh ec2-54-23-23-23-34.example.amazonaws.com
      

    Excellent answer. To avoid moving the pem around, you can use the ssh -i flag to specify the public key to use, e.g.: ssh -i path/to/ec2private.pem ec2-54-23-23-23-34.example.amazonaws.com
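Added example, not from the answer above or from Amazon's documentation: a per-host stanza for ~/.ssh/config that lets both ssh and scp find the .pem file and the login name without `-i` on every command, together with `ssh -G` to verify what the client actually resolved before connecting. The alias `sentiment`, the address 203.0.113.10 (a documentation address, not a real instance) and the key path are assumptions standing in for the asker's values.

```shell
#!/bin/sh
# write_ssh_config CONFIG_PATH INSTANCE_ADDRESS KEY_PATH
write_ssh_config() {
    cat > "$1" <<EOF
# Alias used on the command line: "ssh sentiment", "scp sentiment:path ."
Host sentiment
    # A literal address works here. The "Host *amazonaws.com" pattern in the
    # answer above only matches when you connect by DNS name, not by IP.
    HostName $2
    # Login name for Ubuntu AMIs; Amazon Linux AMIs use ec2-user instead.
    User ubuntu
    IdentityFile $3
    # Offer only this key. Without it ssh first tries every key in the agent
    # and in ~/.ssh, and a server that caps attempts answers "Too many
    # authentication failures" before the .pem is ever offered.
    IdentitiesOnly yes
EOF
    # ssh refuses a user config file that is group- or world-writable.
    chmod 600 "$1"
}

# resolved_option CONFIG_PATH HOST OPTION: print the value ssh will actually
# use for OPTION after reading CONFIG_PATH. "ssh -G" resolves the whole
# configuration for HOST and prints it without connecting (OpenSSH 6.8+).
resolved_option() {
    ssh -G -F "$1" "$2" | awk -v k="$3" '$1 == k { print $2 }'
}

demo() {
    dir=$(mktemp -d)
    cfg="$dir/config"
    key="$dir/sentiment.pem"
    : > "$key" && chmod 400 "$key"   # stand-in for the downloaded key
    write_ssh_config "$cfg" 203.0.113.10 "$key"

    if command -v ssh >/dev/null 2>&1; then
        for opt in hostname user identityfile identitiesonly; do
            printf '%-14s %s\n' "$opt" "$(resolved_option "$cfg" sentiment "$opt")"
        done
    fi

    # With the stanza in ~/.ssh/config the -F flag is unnecessary; it is shown
    # here only because the demo config lives in a temp dir. Note -r: scp
    # reports "not a regular file" for a directory without it.
    echo "ssh -F $cfg sentiment"
    echo "scp -r -F $cfg sentiment:/home/ubuntu/sentimentfolder ~/Desktop/sentimentlocal"
    rm -rf "$dir"
}

demo
```

`ssh -G sentiment` (without `-F`, once the stanza is in ~/.ssh/config) is the quickest way to confirm that a config entry is really being applied to the name you type; if `user` or `identityfile` comes back as something else, the Host pattern did not match and ssh will fall back to your local user name and default keys.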

  • chmod 400 {keyfile}.pem is what Amazon instructed and it works.

    This is the answer I was looking for, all of the instructions in the accepted answer are good practice... but irrelevant to the problem.

  • chmod 0400 pemfile.pem
    

    and

    ssh -i path_to_pem_file -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no ec2-machine name
    

    Please explain your `ssh` command (and also provide a reference, if possible). BTW, the `chmod 400` was provided in an answer nine months ago.

    worked for me after ssh -i _private.pem [email protected]

  • It seems you are not supposed to use the IP address, but the full host name of the system in the SCP command. The AWS docs describe this on http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html under the section "Transferring Files to Linux/Unix Instances from Linux/Unix with SCP".

    And use -r to copy directories.

    And note that the default user name is different for different images:

    For Amazon Linux, the default user name is ec2-user. For RHEL5, the user name is often root but might be ec2-user. For Ubuntu, the user name is ubuntu. For SUSE Linux, the user name is root. Otherwise, check with your AMI provider.

    So, use this command:

    scp -r -i  /Users/Toga/Desktop/rollup/Personal/Serial_Project_Starter/sentiment/sentiment.pem [email protected]:~/sentiment /Users/Toga/Desktop/sentimentlocal
    

    A good head-smack reminder for me to use the correct user name. I got the above error and needed to remember to use the ubuntu user on Ubuntu instances.

  • The "Permission denied (publickey)" is from the remote server, so you're either using the wrong key, it's not allowed to connect or there's a typo in the remote authorized_keys file.
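Added example, not from the answer above: a way to rule out the "wrong key" case it mentions by deriving the public half of the .pem with `ssh-keygen -y` and looking for it in a copy of the server's authorized_keys. It assumes ssh-keygen (part of OpenSSH) is installed and that you can get the authorized_keys contents from a login that still works. The three key pairs and the authorized_keys file are constructed for the demo; `key_matches_authorized` is this example's own helper.

```shell
#!/bin/sh
# pubkey_from_private KEYFILE: print the public key line that belongs to the
# private key. It fails (and prints nothing) if the file is not a readable
# private key, which is the next thing to check after permissions.
pubkey_from_private() {
    ssh-keygen -y -f "$1"
}

# key_matches_authorized KEYFILE AUTHORIZED_KEYS: return 0 if the key material
# derived from KEYFILE appears in AUTHORIZED_KEYS, 1 otherwise. Only the key
# type and base64 fields are compared: the comment on the server's copy is
# usually different (AWS names it after the key pair), and an entry may be
# prefixed with options such as no-pty or command="...".
key_matches_authorized() {
    pub=$(pubkey_from_private "$1") || return 1
    want=$(printf '%s\n' "$pub" | awk '{print $1, $2}')
    awk -v want="$want" '
        /^[ \t]*(#|$)/ { next }            # blank lines and comments
        {
            for (i = 1; i <= NF; i++) {   # skip any leading options
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                    if (($i " " $(i + 1)) == want) found = 1
                    break
                }
            }
        }
        END { exit found ? 0 : 1 }
    ' "$2"
}

demo() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo 'ssh-keygen not found' >&2; return 1; }
    dir=$(mktemp -d)
    # Three throwaway key pairs: the one we would hand to -i, one the server
    # trusts only with options, and one the server has never seen.
    for name in sentiment restricted stray; do
        ssh-keygen -q -t ed25519 -N '' -C "$name" -f "$dir/$name.pem"
    done
    # A constructed authorized_keys as the instance might hold it.
    {
        echo '# installed at launch'
        awk '{print $1, $2, "sentiment-keypair"}' "$dir/sentiment.pem.pub"
        awk '{print "no-pty,command=\"/bin/false\" " $1, $2, $3}' "$dir/restricted.pem.pub"
    } > "$dir/authorized_keys"

    for name in sentiment restricted stray; do
        if key_matches_authorized "$dir/$name.pem" "$dir/authorized_keys"; then
            printf '%s.pem: present in authorized_keys\n' "$name"
        else
            printf '%s.pem: NOT in authorized_keys, server will answer "Permission denied (publickey)"\n' "$name"
        fi
    done
    rm -rf "$dir"
}

demo
```

When you cannot see the server side at all, `ssh -v -i sentiment.pem user@host` shows which keys the client offers ("Offering public key: ...") and whether the server accepts or declines each one; if the .pem never appears in that list, the problem is on the client (path, permissions, or a missing `-i`), and if it is offered and declined, the server does not have that key for that user.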

  • I fixed it by adding "sudo" to the command

    chmod 0400 pemfile.pem
    

    Then run

    sudo ssh -i "your-file.pem" [email protected]
    

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM