Question

permission denied after creating droplet using ssh keys

Posted October 15, 2015 88.7k views
Ruby on Rails Nginx Ubuntu Security PostgreSQL

I created a new droplet using “Ruby on Rails on 14.04” and added SSH keys in stead of using root password. When I tried connecting through ssh I got these results :(

$ ssh xxx.xxx.xx.xxx
pc@xxx.xxx.xx.xxx's password: *************
Permission denied, please try again.
pc@xxx.xxx.xx.xxx's password:

Then I tried:

$ ssh root@xxx.xxx.xx.xxx
root@xxx.xxx.xx.xxx's password: 
Permission denied, please try again.
root@xxx.xxx.xx.xxx's password:

Then I tried:

$ ssh -i /path/to/.ssh/id_rsa_private_key root@xxx.xxx.xx.xxx
root@xxx.xxx.xx.xxx's password: 
Permission denied, please try again.
root@xxx.xxx.xx.xxx's password:

I’m not sure what to do at this point … can you help me?

Add a comment
bjorgvin
By:
bjorgvin
10 comments

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

10 answers
lazaronijunior September 16, 2017

Nothing at all on the internet could help me solve this. In the end what worked was to take these steps:

1 - Resetting the root password from the Digital Ocean website

2 - logging-in using the console in the Digital Ocean website (it will prompt you to choose a different pass)

3 - edit /etc/ssh/sshd_config and changing the line PasswordAuthentication no to PasswordAuthentication yes

4 - service ssh reload

5 - Then I could login from my terminal using ssh root@ipaddress and inserting the password

Reply Report
clivestrydom December 9, 2015

This was driving me nuts! NUTS! But this should help you…

BEFORE you try to SSH into server type into Command Line:

eval ssh-agent -s
ssh-add ~/.ssh/id_rsa where id_rsa is the file with your ssh key (this is the default version so chances are yours is the same. If not, change it.
ssh root@xxx.xxx.xxx and hopefully no password required Needed them to log on. (From Tutorial https://www.digitalocean.com/community/tutorials/how-to-connect-to-your-droplet-with-ssh)

Reply Report
kamalahmed November 11, 2016

I faced the same problem when I used only
ssh root@server_ip

then I solved the problem by the using in the following format:

ssh -o “IdentitiesOnly yes” -i ~/.ssh/yourprivate_id root@server-ip

Reply Report
  • redracerstorytime December 17, 2016

    What is “yourprivate_id” ?

    Reply Report
    • kamalahmed December 17, 2016

      here ‘yourprivateid’ means your private SSH key id. For example, idrsa is called private ssh id when ssh key is generated without any name and id_rsa.pub is the public key that we save in the server or digital ocean admin panel to authenticate our access using our private key, that is generally saved in ~/.ssh/ directory.

      I am not very good at explaining. if you want to learn more about ssh then you can read from the below link, and I also learnt from the below link. :)

      https://serversforhackers.com/video/creating-and-using-ssh-keys

      thanks.

      Reply Report
  • johnkennedy March 7, 2017

    This worked for me - thanks. Although I could connect to the server via Filezilla I couldn’t connect in the terminal and this solved the problem for me.

    By using the edited command ssh -o “IdentitiesOnly yes” -i ~/.ssh/yourprivate_id root@server-ip in a new terminal window (without using the remote connection option) I was able to then use the remote connection option and ssh into the server via terminal without permission denied as a root user.

    Reply Report
RadeonXRay September 17, 2018

@clivestrydom
You are a f*cking life saver! I’ve always had this stupid problem with new Droplets and Preconfigured SSH always given me “Permission denied”. I can’t believe why DO doesn’t mention this configuration for specific named keys.

Reply Report
mtcs April 1, 2016

I’ve found that using the web console and pressing # on my keyboard actually inputs a 3!

This caused me all sorts of headaches as my password contained a # and I couldn’t do much out of the web console because it threw login errors.

PuTTY works a treat if you need hashtags!

Wordpress on 14.04

Reply Report
axelpale October 10, 2016

DSA keys are not accepted by default anymore on newest Ubuntus. This might be your case. If you have id_dsa keys, you need to replace them by RSA keys. Ubuntu 16.04 uses OpenSSH 7.x, which does not allow these DSA keys due to their security issues. This issue almost drove me crazy, because I had not experienced any issues before when connecting to my droplets with ssh.

See:

Reply Report
eiiki0808 February 3, 2017

I had trouble with this for almost 2 hours. And the I stumbled across this:
http://webdesignforidiots.net/2016/02/digital-ocean-public-key-access-denied-on-existing-droplet/

Worked like a charm.

Reply Report
  • jfaithorn February 8, 2017

    I had a variation of this problem too. What worked for me was first deleting old identities using the command: ssh-add -D followed by adding my new identity. ssh-add ~/.ssh/id_rsa where id_rsa is the new identity name.

    I also hit a minor bump when adding my public ssh key to the ‘security’ section of the Digital Ocean admin area. I missed a line break when copying the key output from cat . That confused me for a good while. I ended up starting over and using using pbcopy to make sure it copied the key exactly. cat ~/.ssh/id_rsa.pub | pbcopy

    Reply Report
chongfury February 8, 2017

An easy way to ensure you can connect with public/private ssh keys when first deploying a droplet is by using an ssh config file. If you’re on a Mac, create your config file inside your ~/.ssh directory, then fill in the blanks (CAPS), below:

Host ACONNECTIONNAMEOFYOUR_CHOICE
Hostname YOUR.SERVER.IP.ADDRESS
Port 22
user root
IdentityFile ~/.ssh/PRIVATEKEY

Then in your CLI simply type in:

ssh ACONNECTIONNAMEOFYOUR_CHOICE

and you should connect. Obviously if your private key has a password on it, you’ll need to enter that password when prompted.

Hope this helps someone out there!

Reply Report
tolgahan1 July 23, 2018

This worked for me:

chmod go-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

https://www.howtogeek.com/168156/fixing-authentication-refused-bad-ownership-or-modes-for-directory/

Reply Report
AlohaMike January 18, 2019

I have had this problem with OSX, this is how I fix it.

prerequisite: you have created a rsa file and added it to the droplet.

Tip: Using finder you can hold shift command . to see hidden files. Your .ssh folder will be located at HD>Users>username>~/.ssh

  1. Check that you have the key there or in a subfolder

  2. Check that you have a config file - if not - create one - from terminal nano ~/.ssh/config or open from Finder with TextEdit, sublime, etc…

  3. Edit your ~/.ssh/config file as follows:

Host some_droplet 
 HostName 8.8.8.8
 IdentityFile ~/.ssh/id_rsa_file
 User root
 AddKeysToAgent yes
 UseKeychain yes

Notes: “Host” can be any name you want for when you login from terminal. “HostName” should be your droplets IP address. “IdentityFile” should be the file location of your Key. “User” should be root for the first time.

Tip: you can repeat the above block of code for every droplet you have, where each block needs a separate “Host” name. They can all share the same “IdentityFile” (easy way) or you can generate new keys each time.

  1. Extra step: After you login create a new user - replace newuser below with the user name you choose. “` ssh some_droplet adduser newuser #Create privileged user usermod -aG sudo newuser #Add User to Admin group rsync –archive –chown=newuser:newuser ~/.ssh /home/newuser #Copy /.ssh directory to new user for RSA keys exit

nano ~/.ssh/config #local machine

change User from root to newuser

ssh somedroplet #login as newuser
chmod 600 ~/.ssh/authorizedkeys #change file permissions

Disable ssh root login and go about your business.
Reply Report
  • AlohaMike January 22, 2019

    Extra step formatted better:

    Create privileged user

    ssh some_droplet adduser newuser

    Add User to Admin group

    usermod -aG sudo newuser

    Copy /.ssh directory to new user for RSA keys

    rsync --archive --chown=newuser:newuser ~/.ssh /home/newuser 

    exit

    on local machine change User from root to newuser

    nano ~/.ssh/config

    login as newuser

    ssh somedroplet

    change file permissions

    chmod 600 ~/.ssh/authorizedkeys

    Disable ssh root login.

    Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help