By: aftersox

Fresh install of Ubuntu 16.04. SSH error: Permission denied (publickey).

February 10, 2017
Security Ubuntu 16.04

I wanted a fresh start for a project idea. I just rebuilt my droplet with the Ubuntu 16.04.1 x64 image. I received the root password in my email. I wanted to SSH into the server, so I removed the hostname from my known_hosts (in this case, I just deleted my known_hosts file). Every time I attempt to log in I get the message "Permission denied (publickey)."

I've tried to do some research on this message, and I don't understand what I need to do to fix it. I found I can log in to the server using the console on the DO management page, but that console is very laggy. I'd prefer to use my native console. Any pointers?

jfagan@waxball:~/.ssh$ ssh root@mydomain.com
The authenticity of host 'mydomain.com (123.456.789.123)' can't be established.
ECDSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'mydomain.com,123.456.789.123' (ECDSA) to the list of known hosts.
Permission denied (publickey).
2 Answers

@aftersox

If you received a root password via e-mail, then an SSH key was not set up on the Droplet when you deployed it, so you'd need to log in as root and add the key after the fact by pasting your public key into:

~/.ssh/authorized_keys

If this doesn't exist, as root, you can run:

mkdir -p ~/.ssh
touch ~/.ssh/authorized_keys

and then set proper permissions on the directory and file by running:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

You would then edit the authorized_keys file using:

nano ~/.ssh/authorized_keys

and then paste in your public SSH key (which should start with ssh-rsa in most cases).

Once your public key is in place, you should be able to log in from your terminal (on a Mac) or PuTTY (on Windows) using:

ssh root@DROPLET_IP -i /path/to/private_key

Where DROPLET_IP = the public IP of your Droplet and -i defines the path to your private key file.

  • Thanks for your help. I used the console on the Digital Ocean site, but it does not allow me to copy and paste, so I copied my id_rsa.pub to Dropbox and created a public link to it.

    curl -L -o tempkey 'https://dl.dropbox.....'
    cat tempkey >> .ssh/authorized_keys
    

    I can log in with my native terminal now.

When spinning up a new machine there is a section called "Add your SSH Keys". Click "New SSH key" and copy the contents of your public key. For example, if your key is named id_rsa then you need to copy the id_rsa.pub file contents into the SSH key content section. Then give the key a unique name you can use to identify it. Click the checkbox for that key and Digital Ocean will make sure that the root user has this key set up after the machine is started up.

NOTE: If you copy and paste the contents of this file from a GUI, it can sometimes copy invisible line breaks and this will break the functionality of your key. I find using the cat command from the command line interface can fix this.

If this doesn't fix it for you then you may also need to check 1) if you have an ~/.ssh/config file on your local machine and 2) if your ~/.ssh/config file on your local machine has any references to the host you are trying to connect to.

  • Thanks for the reply. I've added my public key to Digital Ocean. I'll add my other public keys as well.

    I don't see the checkbox you mention about the key though.

    • @aftersox

      When you go to create a Droplet, under "Select additional options" you'll see the heading "Add your SSH keys."

      You'll see a button that will allow you to add a public SSH key or, if you already have keys added, you'll see checkboxes that you can tick. If you didn't have any keys set up when deploying the droplet and you didn't add one by clicking the button during creation, then you wouldn't have seen anything other than the button.

      You won't see the checkboxes if you don't have any keys and you can only add SSH Keys when you first create a Droplet (if you re-image it, you won't be able to add SSH Keys and will have to add them manually).
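
A checker for the two failure modes raised in the answers above (permissions on ~/.ssh looser than the 700/600 the first answer sets, and a pasted public key broken by stray line breaks), as an added example that is not part of the original thread. The function names, the KEY_TYPES subset and the all-zero SAMPLE_KEY are constructed for illustration.

```python
import base64, binascii, os, stat

# Subset of the key types OpenSSH accepts; extend as needed.
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
# Constructed sample entry: all-zero ed25519 key material, not a real key.
_BLOB = (11).to_bytes(4, "big") + b"ssh-ed25519" + (32).to_bytes(4, "big") + bytes(32)
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " demo@example"

def wire_fields(blob):
    """Split an SSH wire-format blob into length-prefixed fields; None if malformed."""
    fields, pos = [], 0
    while pos < len(blob):
        end = pos + 4 + int.from_bytes(blob[pos:pos + 4], "big")
        if pos + 4 > len(blob) or end > len(blob):
            return None
        fields.append(blob[pos + 4:end])
        pos = end
    return fields

def check_key_line(line):
    """Return None for a well-formed entry, else the reason it is broken."""
    parts = line.split()
    idx = next((i for i, p in enumerate(parts) if p in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(parts):
        return "no key type followed by a blob (fragment of a wrapped key?)"
    try:
        fields = wire_fields(base64.b64decode(parts[idx + 1], validate=True))
    except binascii.Error:
        return "blob is not valid base64"
    if not fields or fields[0] != parts[idx].encode():
        return "blob is truncated or does not match its key type"
    return None

def check_ssh_dir(ssh_dir):
    """List problems with ssh_dir and the authorized_keys file inside it."""
    keys = os.path.join(ssh_dir, "authorized_keys")
    problems = []
    for path, want in ((ssh_dir, 0o700), (keys, 0o600)):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & ~want:
            problems.append(f"{path}: mode {mode:o} is looser than {want:o}")
    with open(keys, encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            line = line.strip()
            reason = check_key_line(line) if line and line[0] != "#" else None
            if reason:
                problems.append(f"{keys}:{no}: {reason}")
    return problems
```

Calling `check_ssh_dir(os.path.expanduser("~/.ssh"))` on the server returns an empty list when both the modes and every key line are sound.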
