Note from DigitalOcean Community team: The user @intalix has provided a popular answer to this question here: https://www.digitalocean.com/community/questions/error-permission-denied-publickey-when-i-try-to-ssh?answer=44730
Recently I threw out my old linux laptop and set everything up again in my new laptop. The only trouble I have now is not being able to log in to my DO instance via ssh. This instance had one ssh key setup before and in the sshd config it had permitrootlogin set to no. So I created a new ssh key to be able to login from this new laptop.
$ ssh-keygen -t rsa -C "gitlab" -b 4096
Then added this public key to the instance. Now I try to login
$ ssh user@server
I get asked password for this user. I am able to login using the password. This isn’t how I was logging in before. I used to type my ssh passphrase. So I thought this may be because this is a new key and I disabled password authentication in sshd config. After this, I get the error
$ ssh user@server
Permission denied (publickey)
I checked online and set the permission to .ssh folder to 700. Still I get the same error. I can access the online console of the instance, but don’t know what to do.
How do I resolve this?
The issue is within your sshd_config file.
Here is the ULTIMATE solution to this issue:
Log in as root to your Ubuntu server
Use vim or nano to edit the contents of /etc/ssh/sshd_config
Eg. vi /etc/ssh/sshd_config
or nano /etc/ssh/sshd_config
Now go to the very bottom of the file (to the line with PasswordAuthentication) - Change the value next to PasswordAuthentication from no to yes.
It should now look like this:
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes
sudo service sshd reload
With this done, you can now set up your new SSH key for your LOCAL device. To do this, you can run the following from your LOCAL device, not the server:
ssh-copy-id username@droplet.ip
(Make sure to replace username with your username on the droplet and droplet.ip with the full IP address of your droplet)
With this done, you should be good to go, connecting with SSH keys!
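Added example (not part of the answer above): sshd keeps the first value it reads for a keyword, so a PasswordAuthentication line edited at the bottom of the file has no effect when an earlier line already sets it. The function name effective_sshd_value and the sample config are constructed for illustration; Include files and Match blocks are not evaluated, and `sshd -T` run as root prints the full effective configuration.

```shell
#!/bin/sh
# Added example: report the value sshd would take for a keyword from ONE file.
# sshd uses the first value it obtains for a keyword, so a later duplicate
# line is ignored. Include files and Match blocks are not evaluated here.

effective_sshd_value() {
    file=$1 keyword=$2
    awk -v want="$keyword" '
        BEGIN { want = tolower(want) }
        { sub(/#.*/, "") }                      # drop comments
        NF == 0 { next }                        # skip blank lines
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == want { print NR ": " $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$file"
}

# Constructed sample config (not from the page): the bottom line says "no",
# but an earlier line already set "yes".
sample_config() {
cat <<'EOF'
# constructed sample
PasswordAuthentication yes
PermitRootLogin prohibit-password
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
Match User deploy
    PasswordAuthentication yes
EOF
}

tmp=$(mktemp) && sample_config > "$tmp"
effective_sshd_value "$tmp" PasswordAuthentication   # prints "2: yes"
rm -f "$tmp"
```

The output is the line number and value that wins, which is the line to edit when a change further down appears to be ignored.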
When you create a user using useradd, you’ll need to specify their home directory or use usermod to change it (as would be the case if the user already exists).
What I normally do is create the directories first:
mkdir -p /home/myuser/.ssh
Create the authorized_keys file:
touch /home/myuser/.ssh/authorized_keys
Then add the user:
useradd -d /home/myuser myuser
Set proper permissions:
chmod 700 /home/myuser/.ssh
chmod 644 /home/myuser/.ssh/authorized_keys
Set ownership:
chown -R myuser:myuser /home/myuser
Once that’s done, you should be able to login with myuser.
If you already have a user:
usermod -d /home/myuser myuser
and then continue with the above.
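Added example (not from the answer above): a check of the ownership and mode conditions under which sshd accepts a user's authorized_keys, for the three paths this answer creates. The function names are hypothetical, group membership is ignored in the UNREADABLE check, and the script should be run as root so every path can be inspected.

```shell
#!/bin/sh
# Added example: audit home, .ssh and authorized_keys for one account.
# Usage: sh audit.sh /home/myuser myuser
# Prints one finding per line; returns 0 when clean, 1 otherwise.

owned_by() { [ -n "$(find "$1" -prune -user "$2" -print)" ]; }
has_perm() { [ -n "$(find "$1" -prune -perm "$2" -print)" ]; }

audit_ssh_paths() {
    home=$1 user=$2 bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING    $p"; bad=1; continue
        fi
        # sshd (StrictModes) rejects group- or world-writable paths.
        if has_perm "$p" -020 || has_perm "$p" -002; then
            echo "WRITABLE   $p (group/other write bit set)"; bad=1
        fi
        if owned_by "$p" "$user"; then
            continue
        elif ! owned_by "$p" 0; then
            # Owner must be the account itself or root.
            echo "OWNER      $p (neither $user nor root)"; bad=1
        else
            # Root-owned is tolerated, but the account must still be able
            # to traverse the directory or read the file.
            need=-004; [ -d "$p" ] && need=-001
            has_perm "$p" "$need" || {
                echo "UNREADABLE $p (root-owned, closed to $user)"; bad=1
            }
        fi
    done
    return "$bad"
}

if [ "$#" -eq 2 ]; then
    audit_ssh_paths "$1" "$2"
fi
```

A root-owned .ssh with mode 700 is reported as UNREADABLE, which is the state left behind when the directories are created as root and ownership is never handed to the user.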
I would like to discourage people from enabling PasswordAuthentication because it’s less secure than using an ssh key. Here is the answer you’re most likely looking for.
Short Answer: As Root, run the following commands after creating the user:
cp -r ~/.ssh /home/{new_user}/
sudo chown -R {new_user}:{new_user} /home/{new_user}/.ssh
This is basically copying over the ssh key from the root user to the new user, which I would assume the new user is for you so you won’t have to login as root. If the new user is for someone else you can either create an ssh public key for them and give it to them or have them give you their existing ssh public key and place it in their /home/{new_user}/.ssh directory.
Easy way:
Profit!
Thank you, thank you thank you! I read this answer like a week ago, let it digest and now I followed your instructions and it worked like a charm!
When trying to ssh into my droplet I got this error “root@XXX.XXX.XXX.XXX: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).”
My issue was that I use ssh to log into various servers (git, bitbucket and other servers). I was able to resolve my problem by adding an entry to my ~/.ssh/config file.
vim ~/.ssh/config
Host XXX.XXX.XXX.XXX
IdentityFile ~/.ssh/id_rsa
Where,
XXX.XXX.XXX.XXX = droplet IP
id_rsa = the ssh key file you use
For me, changing this worked (Ubuntu 18.04):
sudo nano /etc/ssh/sshd_config
PermitRootLogin prohibit-password to PermitRootLogin yes
PasswordAuthentication no to PasswordAuthentication yes
then, restart ssh service:
sudo service ssh restart
Thanks!
I had the same issue and fixed it by updating the SSH config file on my local machine.
First:
nano ~/.ssh/config
Then add these lines:
Host [your droplet ip]
UseKeychain yes
AddKeysToAgent yes
IdentityFile ~/.ssh/[your private key file]
That’s it.
I do something similar.
curl http://www.domain.com/file_path/id_rsa.pub >> .ssh/authorized_keys
Hello there,
You can check our article on How to Upload an SSH Public Key to an Existing Droplet
https://www.digitalocean.com/docs/droplets/how-to/add-ssh-keys/to-existing-droplet/
You can access the droplet from the DigitalOcean console and then temporarily enable the PasswordAuthentication on your droplet and access the droplet with a password to upload the ssh-key.
If you haven’t created a new pair of keys you’ll need to do that first.
You can enable PasswordAuthentication for your Droplet by modifying your /etc/ssh/sshd_config file. Once set to Yes restart the SSH service and connect via an SSH client for a more stable connection. You can then modify your ~/.ssh/authorized_keys file to add the appropriate public key.
You can then upload the key using this command:
ssh-copy-id -i ~/.ssh/mykey user@droplet
Hope that this helps! Regards, Alex
This saved me! I’ve created dozens of droplets before but never had this issue until now. Thank you so much!!!
This solution worked like a charm! thanks
@RildomarLucena That may work for other cases, but that is how to switch to password authentication, not how to fix public key authentication. Also, if you have enabled public key authentication (which is what causes the error in the question), there is no way to get in and do that solution. See my reply to thomasalwyndavi for the solution. This is a duplicate of permission denied after creating droplet using ssh keys where I found clivestrydom’s correct answer (note that you must login via
ssh **root**@xxx.xxx.xxx.xx
not user, since only root exists after droplet creation and/or is the only user that has the public key you uploaded to the droplet during creation).
I have the same problem. It worked for me on one server, but when I tried the same process on another server it says “permission denied (publickey)”. For understanding, I can log into x.x.x.216 but not into x.x.x.215. Actually both servers have everything, i.e. config, the same.
Can anyone say why it’s happening?
Your problem is that the “owner” of this instance (copy) of the “xxx-key.pem” file is set to root. All you have to do is grant ownership of the file to your current user on the system you are on. Do:
sudo chown myusername xxx-key.pem
and that’s it! You will have to do this anytime you copy the file to a new system
Thank you @RildomarLucena that worked perfectly!
My setup had PasswordAuthentication set to “no”, changed to “yes” and I was able to install ServerPilot.