When trying to log in to an Amazon Lightsail instance from the browser-based SSH client, I got the error
Log in failed. If this instance has just started up, try again in a minute or two. CLIENT_UNAUTHORIZED [769]
This Lightsail "refused to connect" error happens when a system update replaced the default /etc/ssh/sshd_config file provided by Amazon AWS, so sshd no longer trusts the CA key that the AWS Console's SSH client authenticates with.
To fix the error, connect to the Lightsail server over SSH (a terminal on Linux/Mac, PuTTY on Windows) and edit the file
vi /etc/ssh/sshd_config
At the end of the file, add the following 2 lines
TrustedUserCAKeys /etc/ssh/lightsail_instance_ca.pub
CASignatureAlgorithms +ssh-rsa
Restart the SSH service
systemctl restart ssh
Now you should be able to log in to the Lightsail instance from the AWS Console.
If your lightsail_instance_ca.pub file is corrupted, you can recreate it with the command
cat /var/lib/cloud/instance/user-data.txt | grep ^ssh-rsa > /etc/ssh/lightsail_instance_ca.pub
Method 2: Recover with a snapshot
If you can't SSH into the server with PuTTY or a terminal, take a snapshot of the server and create a new Lightsail instance from that snapshot. During creation you have the option to reset the PEM key, and you can also enter a startup script that runs the first time the new server boots.
Use the following startup script
sudo sh -c "cat /var/lib/cloud/instance/user-data.txt | grep ^ssh-rsa > /etc/ssh/lightsail_instance_ca.pub"
sudo sh -c "echo >> /etc/ssh/sshd_config"
sudo sh -c "echo 'TrustedUserCAKeys /etc/ssh/lightsail_instance_ca.pub' >> /etc/ssh/sshd_config"
sudo sh -c "echo 'CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa' >> /etc/ssh/sshd_config"
sudo systemctl restart sshd
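Both methods above append blindly to sshd_config and restart sshd without checking the result. The script below is an added example (not from the original post) that does the same repair idempotently and validates the config with `sshd -t` before restarting, so a typo cannot lock you out a second time. File paths are parameters so the helpers can be exercised on copies; repair_lightsail_ssh uses the instance's real paths and assumes it runs as root (for example as the startup script of Method 2).

```shell
#!/bin/sh
# Added example, not part of the original post. Helpers take paths as
# arguments so they can be tested on copies; repair_lightsail_ssh uses the
# real paths and must run as root on the instance.

# Copy the Lightsail CA public key line(s) out of cloud-init user-data.
# Fails if no ssh-rsa line is found, so a damaged user-data file never
# yields an empty CA file that sshd would silently accept.
extract_ca_key() {
    user_data="$1"; out="$2"
    keys=$(grep '^ssh-rsa ' "$user_data") || return 1
    printf '%s\n' "$keys" > "$out"
    chmod 644 "$out"
}

# Set DIRECTIVE to VALUE in CONFIG. An existing line (commented out or
# not) is rewritten instead of appending a second copy: sshd honours the
# first occurrence of a keyword, so a stale duplicate earlier in the
# file would win over an appended line.
set_sshd_directive() {
    config="$1"; directive="$2"; value="$3"
    [ -z "$(tail -c 1 "$config")" ] || echo >> "$config"   # ensure trailing newline
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$directive[[:space:]]" "$config"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*$directive[[:space:]].*|$directive $value|" \
            "$config" > "$config.tmp" && mv "$config.tmp" "$config"
    else
        printf '%s %s\n' "$directive" "$value" >> "$config"
    fi
}

# Effective value of DIRECTIVE (first uncommented match), for verification.
get_sshd_directive() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# The repair itself. sshd -t validates the edited config before the
# restart; a syntax error would otherwise take sshd down with it.
repair_lightsail_ssh() {
    extract_ca_key /var/lib/cloud/instance/user-data.txt \
        /etc/ssh/lightsail_instance_ca.pub || return 1
    set_sshd_directive /etc/ssh/sshd_config TrustedUserCAKeys \
        /etc/ssh/lightsail_instance_ca.pub
    set_sshd_directive /etc/ssh/sshd_config CASignatureAlgorithms +ssh-rsa
    sshd -t || return 1
    systemctl restart ssh
}
```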