Question

Permission denied (publickey)

Posted January 2, 2020 2.9k views
Ubuntu 18.04

Yesterday i was connected to my droplet via SSH as usual, doing my work.
Then i has issues with zsh so i removed it to use the default console:

sudo apt-get --purge remove zsh

Then I exited and now I can’t connect anymore.

Via SSH I get the “permission denied” error.
Via web console it looks like the login worked (I see the welcome screen for a second), and then it goes back to the login screen again.

Right now i have no way to log in. I tried re-adding the SSH key via dashboard and it says that the SSH key is already installed, so that’s not the problem (but i knew it).

I believe that after removing zsh now i don’t have a default shell.

What could I do??

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
8 answers

Hey @stesvis just so I understand more, you deleted zsh from your machine (client)

If you readd a key via the dashboard, it does not add it to the server. You can make a snapshot, then start a new server from that snapshot and select your key. Or you can use recovery boot to add your SSH key to the file system. I can go into more details if you wish.

However, I don’t think you would have deleted your local key? Whats inside your client machines ~/.ssh folder?

If you ssh with -vvv you will see more details with what its attempting to do with authentication.

Regards

Simon
SnapShooter DigitalOcean Backups

@snapshooter yes please advise on how to recover.

In my client .ssh folder i have the idrsa public and private keys.
If I go to My Account, Security and click on Add SSH Key i can paste my public key from the local machine but then it says that the key is already registered on the authorized
keys file on the server.

And i am not surprised because i was connected 2 minutes before via SSH.

I had zsh installed on the server, but it had issues so i wanted to remove it and go back to the default bash.

I removed zsh from the server without setting the default bash first, and i believe this is the beginning of all my issues right now.

@snapshooter I ran ssh with the -vvv parameter and posted the response, but it was marked as spam.

@snapshooter why adding the SSH key again?
As the dashboard says, it’s already in the authorized_keys file.

Sorry, here’s the gist
https://gist.github.com/stesvis/ca3edb99b8874c9171572c7614bae8aa

@snapshooter so i did what you suggested:

  1. Created a snapshot of my droplet
  2. Created a droplet from that snapshot
  3. Imported my existing SSH Keys

The I tried to connect to that new droplet and I get the same result:


$ ssh root@138.197.166.58
The authenticity of host ‘138.197.166.58 (138.197.166.58)’ can’t be established.
ECDSA key fingerprint is SHA256:0aoXC4P69niNy1KVcmvEo/78Vx38Vwv7ki5yRL9+mwE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '138.197.166.58’ (ECDSA) to the list of known hosts.

root@138.197.166.58: Permission denied (publickey).

The I launched the web console and I got the login screen:
https://snipboard.io/jCHNJR.jpg

I entered the username and password.
For a second I saw this. I only had like 1 sec to take a screenshot:
https://snipboard.io/1fkA8e.jpg

And immediately it went back to here again:
https://snipboard.io/jCHNJR.jpg

I am out of options, I really don’t know how to recover this…

@snapshooter Now I created a new droplet (NOT from snapshot), and I can connect regularly with the same keys.

So there is not an issue with SSH keys. I don’t know how to troubleshoot that droplet now. I believe it’s because it does not have a default bash anymore.

  • @stesvis I think you’re going to have to boot into recovery mode.

    When you’re in recovery mode, mount the filesystem, then edit /mnt/etc/passwd
    Look for the root line and see what bash is setup.

    Should be something like

    root:x:0:0:root:/root:/bin/bash
    

For those who face the same problem. It turns out, when I reset my through chsh, I accidentally set root sh to be bash instead of /bin/bash.

To fix this:

  • Got to Recovery tab in Digital Ocean.
  • Choose Boot From Recovery ISO
  • Restart the droplet and connect to it through ssh
  • Now you are booted from recovery OS, you need to mount your harddrive, run tmux and choose 1 to Mount your hard drives.
  • Go to interactive mode
  • Change the content of /mnt/etc/passwd, change line starting with “root” to this: root:x:0:0:root:/root:/bin/bash
  • Logout, switch back to Boot from Hard Drive
  • Restart the droplet and try to connect, if credentials are okey, you will successfully login.

Hello there,

You can check our article on How to Upload an SSH Public Key to an Existing Droplet

https://www.digitalocean.com/docs/droplets/how-to/add-ssh-keys/to-existing-droplet/

You can access the droplet from the DigitalOcean console and then temporary enable the PasswordAuthentication on your droplet and access the droplet with a password to upload the ssh-key.

If you haven’t created new pair of keys you’ll need to do that first.

You can enable PasswordAuthentication for your Droplet by modifying your /etc/ssh/sshd_config file. Once set to Yes restart the SSH service and connect via an SSH client for a more stable connection. You can then modify your ~/.ssh/authorized_keys file to add the appropriate public key.

This change can be made from the DigitalOcean’s console. If you’re having issues accessing the console you can then reach to our amazing support team that can help you further with this.

To enable the PasswordAuthentication follow these steps:

  1. Login to the console on the DigitalOcean website.
  2. Type sudo nano /etc/ssh/sshd_config
  3. Change PasswordAuthentication from “no” to “yes” and save the file
  4. Open a terminal on your computer and type ssh username@[hostname or IP address] or if on a Windows box use PuTTY for password login making sure authentication parameters aren’t pointing to a private key
  5. Login with a password
  6. Type sudo nano ~/.ssh/authorized_keys
  7. Paste public key text here and save the file
  8. Type sudo nano /etc/ssh/sshd_config
  9. Change PasswordAuthentication from “yes” to “no” and save the file
  10. Log out and attempt to log back in (if using PuTTY make sure you set up auth parameters to point to your private key)

You can then upload the key using this command:

ssh-copy-id -i ~/.ssh/mykey user@droplet

Hope that this helps!
Regards,
Alex