Followed instructions. Setup SSH keys but server still prompts for password

November 17, 2016
Configuration Management Ubuntu 16.04

I followed these instructions: (more than once! I have repeated the process VERY carefully several times)
https://www.digitalocean.com/community/tutorials/how-to-use-ssh-keys-with-digitalocean-droplets

However, I get to step 5:

"However, now when you connect from a machine that shares the key pair, there will be no need to enter a password to log into the root user."

THIS IS NOT TRUE:

~ $ssh root@138.197.6.195
The authenticity of host '138.197.6.195 (138.197.6.195)' can't be established.
ECDSA key fingerprint is SHA256:QaJBHcKBwzqiHbXeNsuTS07h7m4COyU6SyVrpCG6upE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '138.197.6.195' (ECDSA) to the list of known hosts.
root@138.197.6.195's password:

password??? WHY??????

If the instructions are wrong please correct them.

5 Answers

Permissions maybe? SSH is picky about the permissions of your .ssh folder.

Try running this on your droplet:

chmod go-wrx ~
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
  • Why? I elected a one click application. This should be baked in. Otherwise it is a defective implementation on DO's part. They have a responsibility to deliver what they charge for.

Make sure you logged in to the Droplet for the first time and changed the password.

The authenticity of host '138.197.6.195 (138.197.6.195)' can't be established.
ECDSA key fingerprint is SHA256:QaJBHcKBwzqiHbXeNsuTS07h7m4COyU6SyVrpCG6upE.
Are you sure you want to continue connecting (yes/no)? yes

This could mean two things:

  1. You used ssh-keygen -R [your.ip.address.here] from the tutorial (this is not a needed part).
  2. Or, if you didn't use it, you are logging in for the first time. In that case log in, change the password, exit SSH and try again.

I would verify that the configuration is as it should be. Open /etc/ssh/sshd_config with any text editor:

  • sudo nano /etc/ssh/sshd_config

First locate the line PubkeyAuthentication. Make sure it isn't commented (no # in front of the line) and that it's set to yes.
Then locate ChallengeResponseAuthentication and make sure it isn't commented and is set to no.

Important details
PubkeyAuthentication yes
ChallengeResponseAuthentication no

Save it, exit editor and restart SSH to reflect changes (if they are made):

  • sudo systemctl restart sshd

If this was the problem, it should be working now.
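As an added example (not code from any of the posters or from DigitalOcean), a small POSIX shell check that covers the two server-side causes raised in the permissions answer and in this one: it flags a home directory, ~/.ssh or authorized_keys that is group- or world-writable (sshd's default StrictModes then ignores the file), and it reads the effective value of PubkeyAuthentication and ChallengeResponseAuthentication from the global section of a given sshd_config. The function names, the paths in the usage comment and GNU/BusyBox `stat -c` (Linux) are assumptions.

```shell
#!/bin/sh
# Added example: audit the two server-side causes discussed in the answers above.
# Usage (paths are assumptions): check_ssh_pubkey_setup /root /etc/ssh/sshd_config
# Prints one line per problem found and returns the number of problems (0 = clean).

# effective_option CONFIG KEYWORD DEFAULT
# sshd uses the FIRST uncommented occurrence of a keyword (keywords are case-insensitive).
# Only the global section is read: parsing stops at the first "Match" block.
effective_option() {
  val=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    tolower($1) == "match" { exit }
    $1 !~ /^#/ && tolower($1) == key { print $2; exit }' "$1")
  printf '%s\n' "${val:-$3}"
}

check_ssh_pubkey_setup() {
  home=$1; conf=$2; problems=0
  # 1. Permissions: with StrictModes (the default) sshd silently ignores authorized_keys
  #    when the home directory, ~/.ssh or the file itself is writable by group or others.
  for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    if [ ! -e "$path" ]; then
      echo "MISSING  $path"; problems=$((problems + 1)); continue
    fi
    mode=$(stat -c %a "$path")                      # e.g. 755, 700, 600
    grp=$(( (mode / 10) % 10 )); oth=$(( mode % 10 ))
    if [ $(( grp & 2 )) -ne 0 ] || [ $(( oth & 2 )) -ne 0 ]; then
      echo "PERMS    $path is mode $mode (group/other writable)"; problems=$((problems + 1))
    fi
  done
  # 2. sshd_config: the two options the answer tells you to verify.
  #    OpenSSH built-in defaults: PubkeyAuthentication yes, ChallengeResponseAuthentication yes.
  pubkey=$(effective_option "$conf" PubkeyAuthentication yes)
  chal=$(effective_option "$conf" ChallengeResponseAuthentication yes)
  if [ "$pubkey" != yes ]; then
    echo "CONFIG   PubkeyAuthentication is '$pubkey', want yes"; problems=$((problems + 1))
  fi
  if [ "$chal" != no ]; then
    echo "CONFIG   ChallengeResponseAuthentication is '$chal', want no"; problems=$((problems + 1))
  fi
  return "$problems"
}
```

Run it on the Droplet as root after the tutorial's steps; `sshd -T` (OpenSSH 6.x and later) prints the daemon's own view of the effective options if you want to cross-check the config parsing.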

  • Make sure you logged in to the Droplet for the first time and changed the password.

    That is infuriating. The instructions state that if one checks the form "sue my sra id" one will not get a password at creation. Then they want me to "reset" the password and upload my own certificate anyway?

    No you are wrong. that cannot be the answer. That might be a work around but it is NOT the answer.

    • This is not an answer if you use a new Droplet. On a Droplet you can add an SSH key in the DO Control Panel and use it on Droplet creation. On the Droplet creation page, you need to check the box with the name of your SSH key for it to be used.
      This is how it looks when you check that needed box:

      In that case, the key will be automatically added to your Droplet and you won't be emailed a root password. So you don't need to follow this or any other tutorial for setting up an SSH key; it'll be done for you.

      If you didn't use a key on Droplet creation you need to follow the steps of the tutorial for it.

      As for your other answer, DigitalOcean is an unmanaged hosting provider. That means DigitalOcean offers you a server, fully working and connected to the network (Internet).
      For every other thing, like this, DigitalOcean can't really help you, as they don't manage your servers.
      Here on the community you can get help from mods (DigitalOcean employees) and community members. Also, basically, yes, we can only guess. :D No one can really know what the problem is without looking at the server or, in some cases, without logs. :) And no one wants to look at your server, as this is your private thing with your private data, so we can only help you resolve it yourself. :)

      In case this is bugged, Support can maybe help, but I can confirm this is not bugged. I built at least 50 droplets with SSH key and never encountered any problem. :)

    • I did check that box. so I should not have to do any of the other things

      • Then it's added, so you don't need to follow.

        If you use Linux or OS X, make sure your ssh keys are located in ~/.ssh/.
        If it's not, you can copy it there or use ssh -i location-of-key user@droplet-ip.

        You can try this from your local machine.

        • ssh user@droplet-ip -vvv

        -vvv means verbose output and will show you everything.
        If you see something like this:

        Sample output
        debug1: Next authentication method: publickey
        debug1: Trying private key: /home/user/.ssh/id_rsa
        debug3: no such identity: /home/user/.ssh/id_rsa: No such file or directory
        debug1: Trying private key: /home/user/.ssh/id_dsa
        debug3: no such identity: /home/user/.ssh/id_dsa: No such file or directory
        debug1: Trying private key: /home/user/.ssh/id_ecdsa
        debug3: no such identity: /home/user/.ssh/id_ecdsa: No such file or directory
        debug1: Trying private key: /home/user/.ssh/id_ed25519
        debug3: no such identity: /home/user/.ssh/id_ed25519: No such file or directory
        debug2: we did not send a packet, disable method
        debug1: No more authentication methods to try.

        that means it didn't find the key. Maybe you'll see something else and it'll give you insight into whether there is any problem. :)

      • -vvv helped me solve it.

        The name of the ssh key on DO must match the name of your rsa key on your local machine.

        In other services that work with SSH I generally give it a significant name like ClientName_key.

        Here I saw that it was hunting around for "testingKey".

        Thank you for your patience!

Thank you both. This all might be true. I will try these things. But the bigger issue here is whether Digital Ocean is a reliable business partner. I am following the official instructions (they are on OC's site anyway and appear written under the direction of OC).

All other information from OC becomes suspect. They have introduced a full workday delay into our process. Multiple man hours have been spent following all sorts of remedies found everywhere on the internet in part because they discharge support duties on presumably unpaid "fan" volunteers in this forum who have no accountability for our time, and certainly are not in an authoritative position to offer a proper response beyond "guessing".


"All other information from OC becomes suspect. They have introduced a full workday delay into our process. Multiple man hours have been spent following all sorts of remedies found everywhere on the internet in part because they discharge support duties on presumably unpaid "fan" volunteers in this forum who have no accountability for our time, and certainly are not in an authoritative position to offer a proper response beyond "guessing". "

I always thought the whole point of having a forum was so users could help each other out. I think I get more support and real-time answers from forums than anywhere else.

DigitalOcean provides a totally awesome forum for users. You used it and got some quick suggestions to your problem that helped you along.

If you are going to be working with remote servers you will probably find yourself back here at some point. Stuff happens. It can be difficult to troubleshoot complex setups. There is a learning curve so it can be helpful to have a community of other techies to talk over things with.

You can also paste the Userify script into the User Data section when booting up a droplet. This will let your droplet pull in your team's public keys from Userify servers and you won't have to mess around with it (although DigitalOcean's key deployment system works great; there's just no automated way to do any of the other stuff that Userify does, like key removal or setting up new users or removing sudo/root for individual users after the droplet is created).
