What is the right file permission for a .pem file to SSH and SCP

Question

I have tried to SSH into my AWS Ubuntu server and copy the directory to my local machine. Throughout the process I experience different file permission errors (noted below).

Is there one specific file permission needed for the .pem file that allows me to SSH and SCP?
Or do I need to change the file permission twice - once for SSH and another for SCP after I login?

Here are the commands I'm using:

SSH:

ssh -i sentiment.pem Todo@54.555.555.555

Copy from remote to local computer with:

scp Todo@54.555.555.555:/home/ubuntu/sentimentfolder /Users/Toga/Desktop/sentimentlocal

I'm on a Mac OS X 10.7.5.

---

Trial and Error:

1. After I initially downloaded the .pem file, its permissions were set to, I THINK: 0644

   -rw-r--r--@ 1 Toga  staff  1692 Feb 18 21:27  sentiment.pem
   

   I then tried to SSH via terminal and received the following:

   WARNING: UNPROTECTED PRIVATE KEY FILE! 
   Permissions 0644 for 'sentiment.pem' are too open.
   It is recommended that your private key files are NOT accessible by others.
   This private key will be ignored.
   bad permissions: ignore key: sentiment.pem
   Permission denied (publickey).
   

2. I updated the file permissions to:

   chmod 660 sentiment.pem
   

   After the update, the permissions were set to:

   -rw-rw----@ 1 Toga  staff  1692 Feb 18 21:27 sentiment.pem
   

   I then tried to SSH via terminal and received the following:

   WARNING: UNPROTECTED PRIVATE KEY FILE! 
   Permissions 0660 for 'sentiment.pem' are too open.
   It is recommended that your private key files are NOT accessible by others.
   This private key will be ignored.
   bad permissions: ignore key: sentiment.pem
   Permission denied (publickey).
   

3. I updated the file permissions to:

   chmod 600 sentiment.pem
   

   After the update, the permissions were set to:

   -rw-------@ 1 Toga  staff 1692 Feb 18 21:27 sentiment.pem
   

   I then tried to SSH via terminal and was successful!!

4. Now logged in, I run the a command to copy the remote directory to my local computer with:

   scp Todo@54.555.555.555:/home/ubuntu/sentimentfolder /Users/Toga/Desktop/sentimentlocal
   

   Which returns:

   Permission denied (publickey).
   

---

SCP Commands Attempted:

1. added the option -i and referenced the .pem file:

   scp -i sentiment.pem Todo@54.555.555.555:/home/ubuntu/sentimentfolder /Users/Toga/Desktop/sentimentlocal
   

2. added the option -i, referenced the .pem file, and changed the user for AWS to ec2-user:

   scp -i sentiment.pem ec2-user@54.555.555.555:/home/ubuntu/sentimentfolder /Users/Toga/Desktop/sentimentlocal
   

3. added the option -i, referenced the .pem file, changed the user for AWS to ec2-user, and added the complete file path for the location of the .pem file:

   scp -i /Users/Toga/Desktop/rollup/Personal/Serial_Project_Starter/sentiment/sentiment.pem ec2-user@54.555.555.555:/home/ubuntu/sentiment /Users/Toga/Desktop/sentimentlocal
   

Answer 1

TL;DR:

chmod 400 ~/.ssh/ec2private.pem

---

Visit here How to Connect to Amazon EC2 Remotely Using SSH or refer below.

How to Connect to Amazon EC2 Remotely Using SSH:

1. Download the .pem file.

2. In Amazon Dashboard choose "Instances" from the left side bar, and then select the instance you would like to connect to.

3. Click on "Actions", then select "Connect"

4. Click on "Connect with a Standalone SSH Client"

5. Open up a Terminal window

6. Create a directory:

    # mkdir -p ~/.ssh
   

7. Move the downloaded .pem file to the .ssh directory we just created:

    # mv ~/Downloads/ec2private.pem ~/.ssh
   

8. Change the permissions of the .pem file so only the root user can read it:

    # chmod 400 ~/.ssh/ec2private.pem
   

9. Create a config file:

    # vim ~/.ssh/config
   

   Enter the following text into that config file:

    Host *amazonaws.com
    IdentityFile ~/.ssh/ec2private.pem
    User ec2-user
   

   Save that file.

10. Use the ssh command with your public DNS hostname to connect to your instance.
    e.g.:

    # ssh ec2-54-23-23-23-34.example.amazonaws.com
    

Answer 2

chmod 400 {keyfile}.pem is what amazon instructed and it works.

Answer 3

chmod 0400 pemfile.pem

and

ssh -i path_to_pem_file -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no ec2-machine name

Answer 4

It seems you are not supposed to use the IP address, but the full host name of the system in the SCP command. The AWS docs describe this on http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html under the section "Transferring Files to Linux/Unix Instances from Linux/Unix with SCP".

And use -r to copy directories.

And note that the default user name is different for different images:

For Amazon Linux, the default user name is ec2-user. For RHEL5, the user name is often root but might be ec2-user. For Ubuntu, the user name is ubuntu. For SUSE Linux, the user name is root. Otherwise, check with your AMI provider.

So, use this command:

scp -r -i  /Users/Toga/Desktop/rollup/Personal/Serial_Project_Starter/sentiment/sentiment.pem ubuntu@ec2-xx-xx-xx-xx.compute-x.amazonaws.com:~/sentiment /Users/Toga/Desktop/sentimentlocal

Answer 5

The "Permission denied (publickey)" is from the remote server, so you're either using the wrong key, it's not allowed to connect or there's a typo in the remote authorized_keys file.

Answer 6

I fixed it by adding "sudo" to the command

chmod 0400 pemfile.pem

Then run

sudo ssh -i "your-file.pem" ubuntu@your-dns.compute.amazonaws.com