A common question I get from new AWS users is “how do I log into my server?”. Another related question is “Where is my password?”. It does not matter if it is an EC2 server or one provided by the Lightsail sister service, the way to connect is the same.
If you are experienced with Linux you may have used something like this:
$ ssh firstname.lastname@example.org
If you are a Windows user, you most likely use a third-party program like PuTTY to connect to a Linux machine. In any case, you may be wondering where the password is so you can type it when prompted by the previous command.
EC2 doesn’t use this “traditional” way to log in. It uses a key file (the private half of a key pair) encoded in PEM format, which is why you need a “.pem file” to log into your server instead of a password. Where do you get this .pem file? When you create a Linux-based EC2 server, you get a screen like this:
If you already have some key pairs, you will see something like this:
For Lightsail users, the screen to get the keys is on the account page:
In any case, download a new or existing key pair. This will result in a pem file on your disk. Remember the location of this file since we will need it later.
In order to use this pem file, you need an ssh client. In most Linux, macOS and Windows 10 and Server 2019, this is installed by default so you are good to go, but in most Windows you have to download an ssh client, for example PuTTY. The following instructions are for the standard command line version of ssh. If you use PuTTY, skip to the “Using PuTTY” section.
The pem file needs to have the right permissions. By default, when you download a file from the internet it gets the permissions “644”, which means that it is readable by other users on your system. SSH considers that a private key should not be stored with such permissions, so it asks you to change them to “400” (readable only by the owner) before using the key. From the terminal, change it this way:
chmod 400 /path/to/mykey.pem
Now you are ready to log in. This is the actual ssh command you need if your server is located at ec2.ip-22.214.171.124.west1-aws.com and your key is called mykey.pem:
ssh -i mykey.pem ubuntu@ec2.ip-22.214.171.124.west1-aws.com
Note that the username may be different. In Ubuntu it is usually ubuntu, but it may be root or something else, depending on the Linux distribution you are logging into. Here are some popular user names:
ec2-user or root for Amazon Linux AMI, RHEL, Fedora and SUSE, centos for CentOS and admin or root for Debian.
For other AMIs, consult the AMI creator.
Once you press Enter, you may see something like this the first time you log in:
$ ssh -i mykey.pem ubuntu@ec2.ip-126.96.36.199.west1-aws.com
The authenticity of host 'ec2.ip-126.96.36.199.west1-aws.com (188.8.131.52)' can't be established.
ECDSA key fingerprint is SHA256:o586paLkLN9L55e7zD0vY90sXdFxOUyOcoMoadbGUnA
Are you sure you want to continue connecting (yes/no)?
Answer “yes”, press <ENTER> or <RETURN> key and you are in.
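The fingerprint shown in that prompt can be checked before you answer. The following is an added example, not part of the original post: it recomputes the SHA256 fingerprint from a host key line in ssh-keyscan format, compares it with a fingerprint you trust (for an EC2 instance, the host key fingerprints printed in its console output at first boot), and applies the same permission test that makes ssh ask for chmod 400. The sample key line and all function names are constructed for this example.

```python
import base64
import hashlib
import os
import stat
import struct

# Constructed sample in ssh-keyscan format ("host keytype base64-blob").
# The blob is a key-type header plus filler bytes, not a real host key.
_TYPE = b"ecdsa-sha2-nistp256"
_BLOB = struct.pack(">I", len(_TYPE)) + _TYPE + bytes(range(64))
SAMPLE_KEYSCAN_LINE = " ".join(
    ["ec2-host.example", _TYPE.decode(), base64.b64encode(_BLOB).decode()])


def sha256_fingerprint(line):
    """Fingerprint as ssh prints it: 'SHA256:' + unpadded base64(sha256(blob))."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(("ssh-", "ecdsa-sha2-")):
            blob = base64.b64decode(fields[i + 1], validate=True)
            break
    else:
        raise ValueError("no public key found in line")
    # The blob begins with a length-prefixed copy of the key type; check it
    # so a mangled or mismatched line is rejected instead of hashed.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != field.encode():
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(line, expected_fingerprint):
    """True only if the scanned key hashes to the fingerprint you trust."""
    return sha256_fingerprint(line) == expected_fingerprint.strip()


def mode_is_private(mode):
    """ssh refuses a private key that group or others can access (0o077 bits)."""
    return (stat.S_IMODE(mode) & 0o077) == 0


def key_file_is_private(path):
    """Apply the permission test to a key file on disk."""
    return mode_is_private(os.stat(path).st_mode)


if __name__ == "__main__":
    print(sha256_fingerprint(SAMPLE_KEYSCAN_LINE))
```

If `host_key_matches` returns False for the line your client scanned, answer “no” at the prompt and find out why the keys differ before connecting.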
If you are using Windows and don’t have ssh available, download PuTTY from this website. Since the pem file is not supported in PuTTY, you need to convert the pem file into a supported format. In order to do this, open the program PuTTYgen, which is included with PuTTY. You can see it here:
In PuTTYgen, under “Type of key to generate”, choose RSA (if not selected), press Load and select “All files” so you can see the pem files. Once loaded, press “Save private key”. You can see all the options in this screen:
Now you have the key in the format required for PuTTY. Open PuTTY and load the key. To do this, go to the left panel and select Auth, which is under Connection – SSH. Click Browse and select the key.
Once the key is loaded, you need to put the domain and the user in this screen and you are ready to connect. Go to Connection, complete the Host name field with the username and domain as in the next screen:
When you press Open, you will see this warning the first time. After pressing Yes, you will be logged into your EC2 server.