Related

Would like to move all old files and old domain to new domain. How? Question Question
Volume on TOR1 datacenter Question Question

Question

Error Permission denied (publickey) when I try to ssh

Posted March 16, 2017 1.1m views
DebianDigitalOcean

Note from DigitalOcean Community team:
The user @intalix has provided a popular answer to this question here: https://www.digitalocean.com/community/questions/error-permission-denied-publickey-when-i-try-to-ssh?answer=44730

Recently I threw out my old linux laptop and set everything up again in my new laptop. The only trouble I have now is not being able to log in to my DO instance via ssh. This instance had one ssh key setup before and in the sshd config it had permitrootlogin set to no. So I created a new ssh key to be able to login from this new laptop.

$ ssh-keygen -t rsa -C "gitlab" -b 4096

Then added the public key this to the instance. Now I try to login 

$ ssh user@server

I get asked password for this user. I am able to login using the password. This isn’t how I was logging in before. I used to type my ssh passphrase. So I thought this may be because this is a new key and I disabled password authentication in sshd config. After this, I get the error

$ ssh user@server
Permission denied (publickey)

I checked online and set the permission to .ssh folder to 700. Still I get the same error. I can access the online console of the instance, but don’t know what to do.

How do I resolve this?

Add a comment
animesh
By:
animesh
edited by MattIPv4

Related

Would like to move all old files and old domain to new domain. How? Question Question
Volume on TOR1 datacenter Question Question
7 comments
  • arpokuri March 28, 2018
    Reply Report

    I have the same problem. It worked for me in one server but when I tried the same process in other server it is saying “permission denied (publickey)”.
    Forunderstanding, I can log into x.x.x.216 but not into x.x.x.215 . actually both servers have everything i.e config same .

    can anyone say why its happening.

  • RildomarLucena November 27, 2018
    Reply Report

    To me, works changing (Ubuntu 18.04):

    sudo nano /etc/ssh/sshd_config
PermitRootLogin prohibit-password to PermitRootLogin yes 
PasswordAuthentication no to PasswordAuthentication yes

    then, restart ssh service: 

    sudo service ssh restart

    Thanks!

  • maamediahouseads January 9, 2019
    Reply Report

    This solution worked like a charm! thanks

  • duncanmm June 6, 2019
    Reply Report

    Thank you @RildomarLucena that worked perfectly!

    My setup had PasswordAuthentication set to “no”, changed to “yes” and I was able to install ServerPilot.

  • andrewjensen90 July 30, 2019
    Reply Report

    This saved me! I’ve created dozens of droplets before but never had this issue until now. Thank you so much!!!

  • Show 2 more comments

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
32 answers
intalix July 18, 2018

The issue is within your sshd_config file.

Here is the ULTIMATE solution to this issue:

  1. Log as root to your Ubuntu server

  2. Use vim or nano to edit the contents of /etc/ssh/sshd_config
    Eg. vi /etc/ssh/sshd_config or nano /etc/ssh/sshd_config

  3. Now go to the very bottom of the file (to the line with PasswordAuthentication) - Change the value next to PasswordAuthentication from no to yes.
    It should now look like this:

    # Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes

  4. Save the file and then run the following command to reload the SSH config:
    sudo service sshd reload

With this done, you can now set up your new SSH key for your LOCAL device.
To do this, you can run the following from your LOCAL device, not the server:

ssh-copy-id username@droplet.ip

(Make sure to replace username with your username on the droplet and droplet.ip with the full IP address of your droplet)

With this done, you should be good to go, connecting with SSH keys!

edited by MattIPv4
Reply Report
jtittle1 March 16, 2017

@animesh

When you create a user using useradd, you’ll need to specify their home directory or use usermod to change it (as would be the case if the user already exists).

What I normally do is create the directories first:

mkdir -p /home/myuser/.ssh

Create the authorized_keys file:

touch /home/myuser/.ssh/authorized_keys

Then add the user:

useradd -d /home/myuser myuser

Set proper permissions:

chmod 700 /home/myuser/.ssh

chmod 644 /home/myuser/.ssh/authorized_keys

Set ownership:

chown -R myuser:myuser /home/myuser/*

Once that’s done, you should be able to login with myuser.

If you already have a user:

usermod -d /home/myuser myuser

and then continue with the above.

Reply Report
  • luminexdesign February 11, 2019

    That was the ticket. I was following digital oceans tutorial for setting up a new user. The problem was folder ownership. All I had to do was chown -R myuser:myuser /home/myuser/* to the folder that was already created by adduser.

    Reply Report
  • Vailet August 15, 2019

    It should be chown -R myuser:myuser /home/myuser/, without the asterisk

    Reply Report
oestrada1001 May 25, 2020

I would like to discourage people from enabling PasswordAuthentication because it’s less secure than using an ssh key. Here is the answer you’re most likely looking for.

Short Answer:
As Root, run the following commands after creating the user:

  1. cp -r ~/.ssh /home/{new_user}/
  2. sudo chown -R {new_user}:{new_user} /home/{new_user}/.ssh

This is basically copying over the ssh key from the root user to the new user, which I would assume the new user is for you so you won’t have to login as root. If the new user is for someone else you can either create an ssh public key for them and give it to them or have them give you their existing ssh public key and place it in their /home/{new_user}/.ssh directory.

Reply Report
  • a6 July 11, 2020

    This should be the accepted answer.

    Reply Report
  • raynerhoward December 10, 2020

    From the docs https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-18-04

    Step 5 — Enabling External Access for Your Regular User

    rsync --archive --chown=sammy:sammy ~/.ssh /home/sammy

    Replace sammy with your username. This allows you to connect to your Ubuntu 18.04 droplet as user rather than root.

    You still need to tell PuTTY or ssh command line the location of your private key.

    This is the recommended secure way to do it. From what I’ve been able to gather, you do not want to enable password authentication unless you’re just messing around and learning. Don’t enable password authentication in any kind of production environment.

    Initial Server Setup with Ubuntu 18.04
    by Justin Ellingwood
    When you first create a new Ubuntu 18.04 server, there are a few configuration steps that you should take early on as part of the basic setup. This will increase the security and usability of your server and will give you a solid foundation for subsequent...
    Reply Report
kulishovnpogdps June 27, 2018

Easy way:

  1. Connect to VNC (droplets>your droplet>Access>button “Launch Console”)
  2. Authenticate with your login and pass
  3. Open ssh config (vim /etc/ssh/sshd_config)
  4. Insert this string “PasswordAuthentication yes ”
  5. Save config
  6. Reboot ssh (service ssh restart)
  7. Try connect from your local machine
  8. Optionally add ssh-keys

Profit!

Reply Report
sherlockmac November 7, 2018

I had the same issue and fixed it by updating the SSH config file on my local machine.

First:

nano ~/.ssh/config

Then add these lines:

Host [your droplet ip]
  UseKeychain yes
  AddKeysToAgent yes
  IdentityFile ~/.ssh/[your private key file]

That’s it.

Reply Report
Mamaer2016 November 14, 2017

I do something similar.

curl http://www.domain.com/file_path/id_rsa.pub >> .ssh/authorized_keys

Reply Report
northnw February 15, 2018

For others in future, if nothing above works, another way to try:

  1. Have existing user, preferably root, create a file ‘authorized_keys’ on local machine, and copy the Public Key (.pub) of the new user into it in a text editor.

  2. If root, then modify and run this command:
    scp -i /home/MYUSER/.ssh/id_rsa /home/MYUSER/Documents/authorized_keys root@123.123.123.123:/home/NEWUSER/.ssh/authorized_keys

  3. Of course, make sure that all the permissions and directories are properly created with proper permissions, etc., etc.,

One helpful tip with any SSH logins is to include -vT in the command, this will show you the entire connection/negotiating process and many times will point out issues. An example: 

ssh -i ~/.ssh/id_rsa -vT root@123.321.123.321
Reply Report
smartinfra September 9, 2018

Try:
chmod 600 ~/.ssh/xxidrsa

It should work

Reply Report
RildomarLucena November 27, 2018

To me, works changing (Ubuntu 18.04):

sudo nano /etc/ssh/sshd_config
PermitRootLogin prohibit-password to PermitRootLogin yes 
PasswordAuthentication no to PasswordAuthentication yes

then, restart ssh service: 

sudo service ssh restart

Thanks!

Reply Report
ziczaczom June 20, 2019

When trying to ssh into my droplet I got this error
root@XXX.XXX.XXX.XXX: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).”

My issue was that I use ssh to log into various servers (git, bitbucket and other servers).
I was able to resolve my problem by adding an entry to my ~/.ssh/config file.

vim ~/.ssh/config

Host XXX.XXX.XXX.XXX
  IdentityFile ~/.ssh/id_rsa

Where,
XXX.XXX.XXX.XXX = droplet IP
id_rsa = the ssh key file you use
Reply Report
Previous 1 2 3 4 Next
Load More Answers

Related

Looking for something else?

Ask a new question Search for more help