Knife EC2 Server Create Error: Authentication failed

Sometimes, with all of the rush and trying to keep track of 1000 moving parts, you might get stumped by a fairly simple issue. Here are a few things to check if you get hung up with an “Authentication failed for user” error when running a “knife ec2 server create” command.

Waiting for sshd access to become availabledone
Connecting to
Failed to authenticate ec2-user - trying password auth
Enter your password:
ERROR: Net::SSH::AuthenticationFailed: Authentication failed for user ec2-user@

Do you have your .pem file downloaded and installed with the correct permissions on the workstation you are running the command from?

It should be in the ec2-user’s .ssh dir -> /home/ec2-user/.ssh

Make sure it’s chmodded 400

Make sure you have the knife.rb file set correctly to reference the .pem file for you…otherwise you will have a lot of typing for your command.

knife[:identity_file] = "/home/ec2-user/.ssh/aws-seth.pem"

Make sure you are using the correct user. Unless you have specifically changed something in your configuration, by default you will be connecting as the “ec2-user”. So make sure that’s what is trying to connect in your error output.
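The key checks above can be scripted. This is an added example, not code from the original post: a shell function that reads the knife[:identity_file] line from a knife.rb and checks that the key exists, is owner-only and is actually a private key. The function name and the acceptance of mode 600 alongside 400 are assumptions of this example.

```shell
# Added example: pre-flight check for the key that knife.rb points at.
# Usage: check_knife_identity /path/to/knife.rb
check_knife_identity() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }

    # Pull the path out of: knife[:identity_file] = "/path/key.pem"
    # knife.rb is Ruby, so the last assignment in the file wins.
    key=$(sed -n 's/^[[:space:]]*knife\[:identity_file][[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" | tail -n 1)
    [ -n "$key" ] || { echo "no knife[:identity_file] in $conf"; return 1; }
    [ -f "$key" ] || { echo "key file missing: $key"; return 1; }

    # stat syntax differs: GNU uses -c, BSD/macOS uses -f
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case $mode in
        400|600) ;;   # readable by the owner only
        *) echo "mode $mode on $key: expected 400 (owner read-only)"; return 1 ;;
    esac

    # A public key or an empty download saved under the .pem name fails here
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "$key does not look like a private key"; return 1; }

    echo "ok: $key (mode $mode)"
}

# Run the check when a knife.rb path is given on the command line
if [ $# -gt 0 ]; then check_knife_identity "$1"; fi
```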

Hopefully these tips will help you narrow down the issue. With Chef you have to think about what’s really happening and from where; sometimes these simple issues can really drive you nuts.

Log into your AWS EC2 instance as your own user

Once you have created and stood up your EC2 instance on AWS you will want to create your own user. By default you have to use the “ec2-user” user and you are not allowed to log in as root*. So you create your own…

sudo useradd -m -G wheel seth
sudo passwd seth

Once you have done this and you have set up your keys correctly (separate post) you will want to log in as the new user you created…but you can’t. Until you do this…

sudo cp -r /root/.ssh /home/user
sudo chown -R user /home/user/.ssh

This allowed me to use the keypair.pem file to log in.

Now what you must do is turn on the ability to SSH in with a password. This option is turned off by default in all Linux AMIs.

Open the following file with root privileges in vi, nano, pico, etc.:

sudo vi /etc/ssh/sshd_config

Set the following to yes:

PasswordAuthentication yes

Finally you must restart SSH

sudo service sshd restart

That’s it. You must still add users with the adduser command and give them passwords with the passwd command for them to be able to log in to your AMI.

* – In case you need to log in as root you can do it with this… sudo su -
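One way to confirm the sshd_config edit took effect, as an added example that is not part of the original post: sshd uses the first value it reads for a keyword, so a line added below an existing setting is ignored. The sshd_effective helper and the sample file are constructed for this example.

```shell
# Added example (not from the original post). Reports the global value of a
# keyword in an sshd_config, i.e. the first one found before any Match block.
# Include files are not followed; `sudo sshd -T` prints the authoritative
# effective configuration on a live host.
sshd_effective() {   # usage: sshd_effective KEYWORD [FILE]   (stdin if no FILE)
    awk -v want="$1" '
        { sub(/#.*/, "") }                      # drop comments
        NF == 0 { next }                        # skip blank lines
        tolower($1) == "match" { exit }         # global section ends at first Match
        {
            sub(/^[ \t]+/, "")
            split($0, f, /[ \t=]+/)             # accept "Keyword yes" and "Keyword = yes"
            if (tolower(f[1]) == tolower(want)) { print tolower(f[2]); found = 1; exit }
        }
        END { if (!found) print "unset" }       # unset: the built-in default applies
    ' "${2:--}"
}

sample_config() {    # constructed sample, not a real host file
    cat <<'EOF'
# constructed excerpt
PermitRootLogin forced-commands-only
PasswordAuthentication no
# appended later while following a how-to:
PasswordAuthentication = yes
Match User seth
    PasswordAuthentication yes
EOF
}

# The appended "yes" is shadowed by the earlier "no"; only the Match block
# would let the user seth log in with a password.
sample_config | sshd_effective PasswordAuthentication
```

Running sudo sshd -t before the restart catches syntax errors in the edited file while your current session is still open.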

SSH and GitHub

When you create an account on GitHub you might not realize that you need to set up your SSH keys. Here is what I did to make that happen…

On my box I did ssh-keygen -t rsa. I answered with the default yes’…although not as secure, since this is just for practice I’m not worried a ton about that aspect right now.

I then logged onto my GitHub account and added my SSH key by going to account settings and then the SSH Key section. I copied my PUBLIC key content from my key located at ~/.ssh/ and pasted it in the window for the key content.

Once this was complete I ran ssh -vT to make sure I could connect ok…

If successful you should see something like this…


[seth@lab001 DevOpsHomeLab]$ ssh -vT
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to [] port 22.
debug1: Connection established.
debug1: identity file /home/seth/.ssh/identity type -1
debug1: identity file /home/seth/.ssh/id_rsa type 1
debug1: identity file /home/seth/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1+github5
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1+github5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host ‘’ is known and matches the RSA host key.
debug1: Found key in /home/seth/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/seth/.ssh/identity
debug1: Offering public key: /home/seth/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting
debug1: Entering interactive session.
debug1: Remote: Forced command.
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Remote: Forced command.
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Hi sethfloydjr! You’ve successfully authenticated, but GitHub does not provide shell access.
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2272, received 3032 bytes, in 0.1 seconds
Bytes per second: sent 25456.3, received 33971.6
debug1: Exit status 1