I can't connect to my Instance via SSH
You may need certain IAM permissions to carry out some actions described on this page. This means:
- you are the Owner of the Scaleway Organization in which the actions will be carried out, or
- you are an IAM user of the Organization, with a policy granting you the necessary permission sets
When connecting to your Instance via SSH, you might encounter connection issues. This page shows you the different errors messages you might get and how to deal with each of them.
Permission denied (publickey)
You may try to connect to your Instance and see a message like the following:
marie-curie:/# ssh root@51.15.40.150Permission denied (publickey)
In this case, the Instance rejected your attempt to connect. There is most probably a problem with the SSH key pair - either the public key on the Instance or the private key on your local machine, or both.
Check that the Instance has the correct public key
When you create your Instance, check step 6 of the creation wizard and make sure you are uploading a public key to which you have the corresponding private key on your local machine:
- You can view and manage your public SSH keys from the credentials section of the console.
- Credentials are specific to each Project of your Organization.
- If you add a new public key to your project credentials after creating a new Instance, it will not automatically be uploaded to the existing Instance. Scaleway only uploads the public SSH keys specified at the time of the Instance’s creation. To add a new public SSH key after that point, you will need to connect to your Instance and add the additional public key yourself. Public keys are stored by default in
~/.ssh
with a filename similar toid_rsa.pub
Check that you have the correct private key on your local machine
To connect to your remote Instance from your local machine, your local machine must have the corresponding private key to the Instance’s public key.
On Linux / Mac
By default, your SSH keys are stored on your local machine in the hidden .ssh
folder of the home or root directory.
-
Navigate to the directory on your local machine as follows:
cd ~/.ssh -
List all the keys in the directory as follows:
lsYou should now see a list of all your keys. Public keys should have the
.pub
suffix, private keys do not have this suffix. -
Use
cat <filename>
to view the contents of a public key file. Alternatively use your favourite text editor, e.g.nano <filename>
.Check that you have the corresponding private key to the public key you uploaded to your Instance.
On Windows
Check that you uploaded the correct public key to PuTTY:
- Open PuTTY.
- Navigate to Connection>SSH>Auth in the side menu.
- Check the file and path for the Private key file for authentication, using Browse to replace it if necessary.
Warning: Remote host identification has changed
You may try to connect to your Instance and see a message like the following:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!Someone could be eavesdropping on you right now (man-in-the-middle attack)!It is also possible that a host key has just been changed.The fingerprint for the ECDSA key sent by the remote host isSHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx.Please contact your system administrator.Add correct host key in /home/marie-curie/.ssh/known_hosts to get rid of this message.Offending ECDSA key in /home/marie-curie/.ssh/known_hosts:24 remove with: ssh-keygen -f "/home/marie-curie/.ssh/known_hosts" -R "51.15.40.150"ECDSA host key for 51.15.40.150 has changed and you have requested strict checking.Host key verification failed.
This may happen if you are connecting to a newly created Instance that has a flexible IP address you previously used to connect to a different Instance.
The warning message itself tells you how to solve this problem, in the following extract:
Add correct host key in /home/marie-curie/.ssh/known_hosts to get rid of this message.Offending ECDSA key in /home/marie-curie/.ssh/known_hosts:24 remove with: ssh-keygen -f "/home/marie-curie/.ssh/known_hosts" -R "51.15.40.150"
-
Execute the following command in the terminal of your local machine, replacing the path and IP address with those shown in your own error message:
ssh-keygen -f "/home/marie-curie/.ssh/known_hosts" -R "51.15.40.150"This deletes the key fingerprint from your
known_hosts
file. You should see a message similar to:# Host 51.15.40.150 found: line 24/home/marie-curie/.ssh/known_hosts updated.Original contents retained as /home/marie-curie/.ssh/known_hosts.old -
Try to connect to your Instance via SSH again. This time, the connection should be successful.
Check that the correct public key is installed on your Instance
You must upload the content of the public part of the SSH key pair to the Scaleway console. The public key information is transferred to your Instance during the boot process. You can then connect and authenticate from your local machine (where the private key is) to the remote Instance (where the public key is).
- Log into the Scaleway console, and navigate to the Credentials tab of your Project Dashboard:
- Scroll down to the SSH Key section, and click Add a new SSH key.
- Paste the content of the public key (which you copied in the previous step) into the pop-up box, and optionally add a description. Then click Add a SSH key.
- Reboot your Instance or run
scw-fetch-ssh-keys --upgrade
to download the new key onto the Instance. You will now be able to connect to your Instances via SSH
Do not edit the authorized_keys
file on your Instance manually. All content in this file is overwritten during the boot process of the Instance. If you want to add SSH keys to it, upload them to the Scaleway console.
If you have any difficulties connecting to an Instance after uploading a new public SSH key to your Project, try the following:
- If you cannot connect to your Instance at all via SSH, reboot your Instance from the console and try again.
- If you can connect to your Instance using a previously uploaded SSH key but not the new one, go ahead and connect to your Instance with the old key. Once connected, run the
scw-fetch-ssh-keys --upgrade
command, which launches a script on your Instance to update your SSH keys. You can then check that the new key has been added to theauthorized_keys
file (~/.ssh/authorized_keys
). Note that this command works only for Instances. - For further information, refer to the SSH connection troubleshooting documentation.