
Cannot connect to a newly created Amazon EC2 instance via SSH
Closed, Wontfix | Public | BUG

Description

Yes, it is again. An AMI built from the latest rolling version cannot get the SSH public key during startup in AWS. Tested in region eu-central-1.

When trying to connect with the provided key pair, you get the message "Unsupported authentication type".

It is the same story as for the 1.1.8 images published in the official repository. It's critical for AWS users, especially for newcomers.

Should we consider supporting the cloud-init package?

Details

Difficulty level: Unknown (require assessment)
Version: vyos-1.2.0-rolling+201811290337
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Perfectly compatible
Issue type: Bug (incorrect behavior)

Event Timeline

syncer triaged this task as Normal priority.
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
syncer added subscribers: UnicronNL, syncer.

@UnicronNL can you explain the right way to create a 1.2 AMI?

I forgot to fetch commits for the latest build-ami version when I submitted the report.
Now I confirm that the problem exists in the latest version with the last commit:

Author: Daniil Baturin <[email protected]>
Date:   Fri May 11 07:11:51 2018 +0700

    T408: clean up the AMI build scripts and retarget them to 1.2.0.

It would be great if someone could build the latest version of AWS AMI.

I tried the build with 1.2.0-rc9 and rc10 with the same results. The instance boots up without issue, but rejects any login attempts with the SSH key the instance was launched with. The error it gets back suggests it's not configured for key or password login, or any other method for some reason.

Also tried 1.2.0-rolling-201812080337. My best guess is that it's not copying the SSH key into the system properly to allow the vyos user to log in, as the system responds, accepts the username, rejects the key then disconnects with no further auth method.

I found an AMI I had built from 1.1.8 back on July 7th. I can create functional 1.1.8 instances from that, so it looks to be something unique to 1.2.0, but I can't say for sure because I don't have a working way to build 1.1.8 AMIs currently. The 1.1.8 playbooks rely on modules that have been removed from Ansible, so I would have to rewrite them or downgrade my ansible install.

I'm also experiencing the same issue with vyos-1.2.0-rolling-201904190439. I was able to create the AMI using the build-ami playbooks, but when launched I could not log in using the keypair. Is there a fix for this or a workaround?

dmbaturin added subscribers: Unknown Object (User), dmbaturin. Apr 20 2019, 11:45 AM

I wonder if this issue will ever stop reoccurring. Every time it happens, it's for some new reason. I think this time it may be related to ongoing work of @Unicron.

@spectre3500 I debug such issues by creating a backdoored AMI. As long as you don't share it with anyone, it's not against the rules.

This is what I do. The default config of the AMI to be created is at https://github.com/vyos/build-ami/blob/master/playbooks/templates/config.boot.default.ec2
You can add any pre-configured users there, here's a user "backdoor" with password "vyos" for example.

user backdoor {
    authentication {
        encrypted-password $6$fHze7nYTj$GN/it9d6fMlbQ0imM1CM3cpj3FExq8iC4P7IbtlUzUPK2BOBlevWI1qomzJ9k1.fuGlmx29LSm/St2Jcv9V53/
        plaintext-password ""
    }
}

...oh, and remove "disable-password-authentication" from the SSH settings of course.
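
A pre-publish check for the debugging workaround described above, as an added example that is not part of the original thread or of build-ami: it parses a config.boot-style template and reports an unexpected user, a usable password hash, or SSH password authentication left enabled. The sample template, the allowed-user list and the set of "locked" password values are assumptions.

```python
LOCKED = {"", "*", "!"}  # assumption: values treated as "no usable password"
# Constructed sample: a debugging account left in, SSH password auth not disabled.
SAMPLE = """
system {
    login {
        user backdoor {
            authentication {
                encrypted-password $6$CONSTRUCTED$PLACEHOLDER
            }
        }
    }
}
"""

def parse(text):
    # Brace-delimited config -> nested dicts; leaf lines become key -> value.
    stack = [{}]
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip().strip('"')
    if len(stack) != 1:
        raise ValueError("unclosed '{'")
    return stack[0]

def audit(text, allowed_users=("vyos",)):
    # Findings that should block sharing an image built from this template.
    cfg = parse(text)
    findings = []
    if "disable-password-authentication" not in cfg.get("service", {}).get("ssh", {}):
        findings.append("ssh: password authentication is enabled")
    for key, node in cfg.get("system", {}).get("login", {}).items():
        if not key.startswith("user ") or not isinstance(node, dict):
            continue
        name = key.split(None, 1)[1]
        pw = node.get("authentication", {}).get("encrypted-password", "")
        if name not in allowed_users:
            findings.append(f"user {name}: not in allowed list")
        if pw not in LOCKED:
            findings.append(f"user {name}: has a usable password hash")
    return findings
```

Run `audit()` on the template used for the build before the resulting AMI is made public or shared with another account; an empty list means none of the three conditions were found.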

@spectre3500 Now that I think of it, did you build it with build-ami or the AWS target of the vyos-build scripts?

I wasn't aware that there was an aws target for the vyos-build scripts.

I used build-ami to create the ami. In fact I came up with the same add a password workaround you mentioned.

Is this an issue with the rolling iso or would this problem also occur with an iso built from the crux branch? I went through the headache to make one of those and just created an ami using it and build-ami, but haven't had a chance to test it yet.

build-ami is working for me if I remove disable-password-authentication from the config template and add in a password into the config template. I have come across another issue though. I was able to get it to work in us-east-1 and us-east-2, but I can't deploy into us-gov-west-1. First problem was it couldn't find a debian-jessie image but that was solved by changing the owner from 379101102735 to 256493402735. Now it's throwing a 401 when attempting to list all subnets. I'm guessing that the python code pulled from ansible is configured for a specific region or the cli command used in GovCloud is slightly different. Either way it's not working.

All you need for SSH keys to work for the AMI is to add the cloud-init package in the configure step:

# build docker image as "vyos-builder" - follow the instructions in vyos-build
sudo docker run --rm -it --privileged -v "$(pwd)":/vyos -w /vyos vyos-builder bash
# inside the container: add cloud-init to the image and build the ISO
./configure --custom-package cloud-init
sudo make iso
exit
# back on the host: build the AMI from the resulting ISO
../build-ami/vyos-build-ami http://.../vyos-live-image-amd64.hybrid.iso

If you just want to try vyos, I've built a 1.2.1 AMI (available in us, ca, eu-west-1, eu-central-1) "VyOS free (HVM) 1.2.1-2019-06-04-05-21"

I'm still having an issue with using build-ami to create an AMI in us-gov-west-1.

This works as expected

erkin set Is it a breaking change? to Unspecified (possibly destroys the router). Aug 31 2021, 7:15 PM
erkin set Issue type to Bug (incorrect behavior).
dmbaturin renamed this task from SSH connection to AWS AMI not possible for newly created image to Cannot connect to a newly created Amazon EC2 instance via SSH. Sep 10 2021, 6:29 AM
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
dmbaturin edited projects, added Invalid; removed VyOS 1.3 Equuleus (1.3.0-epa1).