Amazon Lightsail Log in failed – CLIENT_UNAUTHORIZED

When trying to log in to Amazon Lightsail instance, I got the error

Log in failed. If this instance has just started up, try again in a minute or two.
CLIENT_UNAUTHORIZED [769]
Amazon Lightsail connect failed

This lightsail refused to connect error happens because when you update the system, you replaced the default /etc/ssh/sshd_config file provided by Amazon AWS.

To fix the error, connect to the Lightsail server using SSH (terminal on Linux/Mac, putty on windows), edit the file

vi /etc/ssh/sshd_config

At the end of the file, add the following 2 lines

TrustedUserCAKeys /etc/ssh/lightsail_instance_ca.pub
CASignatureAlgorithms +ssh-rsa

Restart ssh service

systemctl restart ssh

Now you should be able to login to Amazon Lightsail using AWS Console.

If your lightsail_instance_ca.pub file is corrupted, you can recreate it with the command

cat /var/lib/cloud/instance/user-data.txt | grep ^ssh-rsa > /etc/ssh/lightsail_instance_ca.pub

Method 2: Reover with shapshot

If you can’t SSH into the server using putty or a terminal, you need to take a snapshot of the server. Create a new lightsail server based on the snapshot. During the new server creation, you have the option to reset the PEM file. You can also enter a startup script, that gets executed when the server is started the first time.

Use the following startup script

sudo sh -c "cat /var/lib/cloud/instance/user-data.txt | grep ^ssh-rsa > /etc/ssh/lightsail_instance_ca.pub"
sudo sh -c "echo >> /etc/ssh/sshd_config" 
sudo sh -c "echo 'TrustedUserCAKeys /etc/ssh/lightsail_instance_ca.pub' >> /etc/ssh/sshd_config"
sudo sh -c "echo 'CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa' >> /etc/ssh/sshd_config"
sudo systemctl restart sshd

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *