Error Permission denied (publickey) when I try to ssh

March 16, 2017 185.9k

DigitalOcean Debian

By:

animesh

Note from DigitalOcean team:

User @intalix has provided a popular answer to this question here: https://www.digitalocean.com/community/questions/error-permission-denied-publickey-when-i-try-to-ssh?answer=44730

Recently I threw out my old linux laptop and set everything up again in my new laptop. The only trouble I have now is not being able to log in to my DO instance via ssh. This instance had one ssh key setup before and in the sshd config it had permitrootlogin set to no. So I created a new ssh key to be able to login from this new laptop.

$ ssh-keygen -t rsa -C "gitlab" -b 4096

Then added the public key this to the instance. Now I try to login

$ ssh user@server

I get asked password for this user. I am able to login using the password. This isn't how I was logging in before. I used to type my ssh passphrase. So I thought this may be because this is a new key and I disabled password authentication in sshd config. After this, I get the error

$ ssh user@server
Permission denied (publickey)

I checked online and set the permission to .ssh folder to 700. Still I get the same error. I can access the online console of the instance, but don't know what to do.

How do I resolve this?

1 comment

arpokuri March 28, 2018
I have the same problem. It worked for me in one server but when I tried the same process in other server it is saying "permission denied (publickey)".
Forunderstanding, I can log into x.x.x.216 but not into x.x.x.215 . actually both servers have everything i.e config same .

can anyone say why its happening.

Log In to Comment

16 Answers

intalix July 18, 2018

the issue is within : sshd_config file

here is the ULTIMATE solution:

Log as as a root to you Ubuntu server
vi /etc/ssh/sshd_config

Now go to very bottom:
And change the value from "no" to "yes".

It should look like this:

Change to no to disable tunnelled clear text passwords

PasswordAuthentication yes

service sshd reload

to take effect.

Now you can simply a key using following command from your LOCAL machine (aka laptop etc)

So Open new terminal window and do NOT log into server, simply put this command:

ssh-copy-id john@serverIPAddress

(Replace john with your username).

you should be go to go

kaiteN August 27, 2018

man.. im speechless..
I've been having an ssh problem with rsync on a droplet for months .. you saved me! thank you so much!
- intalix October 10, 2018
  
  glad I could help :)
geowildcat August 30, 2018

This solved my problem, thanks!
hdmark August 31, 2018

THANK YOU SO MUCH!!!! i've been on this for hours
- intalix August 31, 2018
  
  I'm glad I could help
paul9d06e76db817be320f88ba September 18, 2018

Worked, thanks!
drhack September 23, 2018

Thank you
gustavolee October 9, 2018

you're a life saver!
- intalix October 10, 2018
  
  glad to hear :)

jtittle1 March 16, 2017

When you create a user using useradd, you'll need to specify their home directory or use usermod to change it (as would be the case if the user already exists).

What I normally do is create the directories first:

mkdir -p /home/myuser/.ssh

Create the authorized_keys file:

touch /home/myuser/.ssh/authorized_keys

Then add the user:

useradd -d /home/myuser myuser

Set proper permissions:

chmod 700 /home/myuser/.ssh

chmod 644 /home/myuser/.ssh/authorized_keys

Set ownership:

chown -R myuser:myuser /home/myuser/*

Once that's done, you should be able to login with myuser.

If you already have a user:

usermod -d /home/myuser myuser

and then continue with the above.

kulishovnpogdps June 27, 2018

Easy way:

Connect to VNC (droplets>your droplet>Access>button "Launch Console")
Authenticate with your login and pass
Open ssh config (vim /etc/ssh/sshd_config)
Insert this string "PasswordAuthentication yes "
Save config
Reboot ssh (service ssh restart)
Try connect from your local machine
Optionally add ssh-keys

Profit!

bwainainamwangi September 17, 2018

This worked for me. I can now be able to log in using password.

Thanks

animesh March 20, 2017

@jtittle
I have done all the above steps in my local machine and I still get the same error.

Permission denied (publickey)

Should this be done in my DO instance? If so, I remember seeing a authorized_keys file in the .ssh folder with some contents already presumably from the first time setup.

Should I append my publickey onto the authorized_keys file in the DO instance?

jtittle1 March 20, 2017

@animesh

Your public key needs to be in the authorized_keys file on your Droplet, while the private key needs to be on your local PC/Mac. The steps I provided above should be done on the Droplet.

I wrote up a full guide below (which is an expanded version of what I posted in my previous response), here:

https://www.digitalocean.com/community/questions/setting-up-ubuntu?answer=34263
- animesh March 24, 2017
  
  Thanks @jtittle, once I copied the public key, I was able to login properly. Thanks for the instructions for the next time.
  
  Cheers
  Animesh
  
  jtittle1 March 24, 2017
  
  @animesh
  
  No problem at all, glad to hear you were able to get it working!
  
  masonneutron July 9, 2017
  
  Hi, where did you copy the public key to?
  
  animesh July 10, 2017
  
  Hi
  
  I copied the pub key into the authorized_keys file in ~/.ssh folder on the droplet.
  
  atpnet August 19, 2017
  
  Hi,
  I am having the same problem. How did you manage to copy the authorized_keys file in the ~/.ssh droplet folder. I have been trying but no results so far.
  
  zaneakarl September 18, 2017
  
  how did you get to the ~/.ssh folder on the droplet if you couldn't ssh into the droplet originally?

animesh September 18, 2017

I couldn't get into it.

Then I tried opening the web console from digitalocean dashboard and pasting it there. The problem was that it is not possible to paste text onto the web console.

Luckily for me, I was able to copy the key from my another computer (mouse/keyboard connected via synergy) and paste it into a file tmp and the did:

cat tmp >> .ssh/authorized_keys

Immediately I was able to log into the droplet.

Now, thinking back I don't really remember how I was able to paste the key into the tmp file in the first place. I checked the command history and am not able to find how I did it. Sorry.

If I find it, I will update it here.

zaneakarl September 18, 2017

Shoot, well thanks for trying anyway.
IssueBased October 10, 2017
Your solution worked for me. To add the "tmp" file. I uploaded my id_rsa.pub with the wget command. i.e.:

wget http://www.domain.com/file_path/id_rsa.pub

then I used your command:

cat is_rsa.pub >> .ssh/authorized_keys

Thanks!

Mamaer2016 November 14, 2017

I do something similar.

curl http://www.domain.com/file_path/id_rsa.pub >> .ssh/authorized_keys

fkaufusi December 9, 2017

From your local machine, run the ssh command: ssh root@your-droplet-ip

thomasalwyndavi December 21, 2017

I've wasted time on this issue on three seperate occasions. I am about 20 minutes away from leaving DigitalOcean for good.

1) If web UI console is going to be the only reliable way to boot into a box after password reset, add paste functionality.
2) I can't put my finger on it, but I believe the web UI pw reset breaks more things then it fixes, ssh with a key is a struggle to get working

Ahh I'm switching now.

jamesawharton January 27, 2018

I've had DO for years and never had a problem like this. Come to think of it, I've been using Linux since the late 90s... and I've never had such a hard time. I half want to just delete my droplet and start from scratch. What a crap-show. (Yes, I'm experiencing the same problem)

marvynthewall December 29, 2017

Hi, just solve this issue with the same method above.
1) open with web UI console
2) wget https://xxxxxxx
3) cat idrsa.pub > .ssh/authorizedkeys

There seems to be some problem with the setup of Droplet.
The .ssh/authorizedkeys wasn't correct originally.
The "vim -d idrsa.pub .ssh/authorized_keys" said they are different.
then do the third command.
and everything works.

hope this helps.

northnw February 15, 2018

For others in future, if nothing above works, another way to try:

Have existing user, preferably root, create a file 'authorized_keys' on local machine, and copy the Public Key (.pub) of the new user into it in a text editor.
If root, then modify and run this command:
scp -i /home/MYUSER/.ssh/id_rsa /home/MYUSER/Documents/authorized_keys root@123.123.123.123:/home/NEWUSER/.ssh/authorized_keys
Of course, make sure that all the permissions and directories are properly created with proper permissions, etc., etc.,

One helpful tip with any SSH logins is to include -vT in the command, this will show you the entire connection/negotiating process and many times will point out issues. An example:

ssh -i ~/.ssh/id_rsa -vT root@123.321.123.321

fezable February 26, 2018

Try running ssh-add on your client machine.

barisduzenli April 17, 2018

When I write chown -R myuser:myuser /home/myuser/* to command line
I get a warning below.
chown: cannot access '/home/myuser/*': No such file or directory

Thank you

tungmeo May 13, 2018

[deleted]

vbotka July 3, 2018

FWIW. In my case the error "Permission denied (publickey)." was caused by non-existent shell in the /etc/passwd for the particular user (/usr/local/bin/bash in FreeBSD and bash was not installed). When I changed the shell to /bin/sh (chsh -s /bin/sh user) I was able to ssh to this account. HTH.

davidbonacherac27179f10f0a August 20, 2018

Easiest solution is provided by @intalix .
I tried to copy paste through the web console but the text encoding was totally messed up.
Also on a user point of view, I thought that adding my ssh key into my account security settings was enough to add it to the authorized list. But it doesnt.

smartinfra September 9, 2018

Try:
chmod 600 ~/.ssh/xxidrsa

It should work

Have another answer? Share your knowledge.