Set up a new EC2 instance. SSH kept failing with:
ec2-user@1.2.3.4: Permission denied (publickey).
I was 100% sure I had the right key. Used the same .pem file I always use.
Debugging step-by-step:
# Check verbose SSH output
ssh -vvv -i my-key.pem ec2-user@1.2.3.4The verbose output showed:
debug1: Offering public key: /Users/me/my-key.pem RSA SHA256:...
debug1: Authentications that can continue: publickey
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/me/my-key.pem
debug3: sign_and_send_pubkey: RSA SHA256:...
Received disconnect from 1.2.3.4 port 22:11: Bye Bye
The key was being offered but rejected. I checked the server side:
# From AWS console → EC2 → Connect → Session Manager
sudo cat /var/log/auth.log | grep sshd
# Authentication refused: bad ownership or modes for file /home/ec2-user/.ssh/authorized_keysRoot cause: The .ssh/authorized_keys file had permissions 644 (world-readable). SSH rejects this as a security measure.
Fix:
chmod 700 /home/ec2-user/.ssh
chmod 600 /home/ec2-user/.ssh/authorized_keys
chown ec2-user:ec2-user /home/ec2-user/.ssh/authorized_keysSSH connected immediately.
Correct SSH directory permissions:
~/.ssh/→ 700 (owner can read/write/execute, nobody else)~/.ssh/authorized_keys→ 600 (owner can read/write, nobody else)~/.ssh/id_rsa(private key) → 600~/.ssh/id_rsa.pub(public key) → 644 is fine