Tag: Lightsail

  • How to enable root ssh in Amazon Lightsail instance

    How to enable root ssh in Amazon Lightsail instance

    Amazon lightsail instances do not allow ssh root access by default. You have to log in as user “ubuntu” or “ec2-user”, then use the command “sudo” to become user root. This is done for security. There are some circumstances where you need to enable direct SSH login to lightsail server.

    How to enable root ssh in ubuntu lightsail instgance

    Login as user ubuntu, then edit the file

    sudo vi /root/.ssh/authorized_keys 
    

    In the file, you will notice the default ssh key has already been added. But in the front the line, you have the following string

    no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ubuntu\" rather than the user \"root\".';echo;sleep 10" 
    

    You need to remove this text, so you have the ssh key remaining in the file. SSH public key starts with the text ssh-rsa.

    Now you should be able to log in to the server with SSH user root and default ssh key file (pem file).

    Back to Amazon Lightsail

  • Amazon Lightsail Log in failed – CLIENT_UNAUTHORIZED

    Amazon Lightsail Log in failed – CLIENT_UNAUTHORIZED

    When trying to log in to Amazon Lightsail instance, I got the error

    Log in failed. If this instance has just started up, try again in a minute or two.
    CLIENT_UNAUTHORIZED [769]
    Amazon Lightsail connect failed

    This lightsail refused to connect error happens because when you update the system, you replaced the default /etc/ssh/sshd_config file provided by Amazon AWS.

    To fix the error, connect to the Lightsail server using SSH (terminal on Linux/Mac, putty on windows), edit the file

    vi /etc/ssh/sshd_config

    At the end of the file, add the following 2 lines

    TrustedUserCAKeys /etc/ssh/lightsail_instance_ca.pub
    CASignatureAlgorithms +ssh-rsa

    Restart ssh service

    systemctl restart ssh

    Now you should be able to login to Amazon Lightsail using AWS Console.

    If your lightsail_instance_ca.pub file is corrupted, you can recreate it with the command

    cat /var/lib/cloud/instance/user-data.txt | grep ^ssh-rsa > /etc/ssh/lightsail_instance_ca.pub
    

    Method 2: Reover with shapshot

    If you can’t SSH into the server using putty or a terminal, you need to take a snapshot of the server. Create a new lightsail server based on the snapshot. During the new server creation, you have the option to reset the PEM file. You can also enter a startup script, that gets executed when the server is started the first time.

    Use the following startup script

    sudo sh -c "cat /var/lib/cloud/instance/user-data.txt | grep ^ssh-rsa > /etc/ssh/lightsail_instance_ca.pub"
    sudo sh -c "echo >> /etc/ssh/sshd_config" 
    sudo sh -c "echo 'TrustedUserCAKeys /etc/ssh/lightsail_instance_ca.pub' >> /etc/ssh/sshd_config"
    sudo sh -c "echo 'CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa' >> /etc/ssh/sshd_config"
    sudo systemctl restart sshd