By: jtansley

Setup SSH keys but server still prompts for password?

September 19, 2012 67.2k views
Hello, I followed the SSH Keys tutorial here at DO but the server still prompts for my user password (not passphrase) when I login. I checked ~/.ssh/authorized_keys and there is only 1 line so it looks like the key copied over OK. I am asked for my user password when I use either the HTML 5 console access program or PuTTY. I am not logging in as root, but the user account has root privileges. I'm new to SSH so I apologize for not being able to explain the issue too well. I'm using Ubuntu 12.04 (server edition, no desktop). Tutorial: https://www.digitalocean.com/community/articles/how-to-set-up-ssh-keys--2
21 Answers
Just type in ssh root@xxxxxx. If you set up a different key besides id_rsa, just use ssh -i /path/to/key_rsa root@xxxxxxxx
  • Thank you. No one else seems to understand what we actually need

  • Hi,
    I did what you suggest, but server still asks for password. Any ideas?
    I'm using Git Bash on Win10. I've added both keys to the SSH agent, and it's running.

  • Thank you. Worked perfectly; I just needed to edit the path to my key.

The DigitalOcean control panel SSH Keys are only for the root user. They enable you to log into your account as root, without the root password email. You can then create a new sudoer.

Logging in as the new user, even one that can use sudo, however, will still require a password.
Sorry, after generating an SSH key in the DO panel, can anybody explain how to connect to the server (i.e. by PuTTY) without using the root password but using the recent SSH key certificate?

I am having a similar issue to the author of opening post.

Followed these directions: https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-14-04

I have added a new user to the server and added .ssh/authorized_keys. When I log in with this new user I am still required to input a password.

I would like to completely disable passwords and just use ssh. Does anyone know what the issue may be?


Anyone here using DSA keys and an Ubuntu 16.04 droplet (with OpenSSH 7.x by default) should note that DSA keys (pubkey starting with "ssh-dss") are not accepted by default anymore. This issue caused problems very similar to the ones described in the original question. This is understandable because if the keys are not accepted, ssh reverts to asking for the password.

See:

Thank you for the information! This is very helpful.
This is a bit confusing for me, as I am considering setting up an account. Does this mean DigitalOcean accounts have a designated user (root) who can log in without a password (after SSH keys are set up), and all other accounts, after properly setting up SSH keys, still have to provide a password to log in?
We never login to customer accounts.

This is purely a preference for customers.

You can either have your root password emailed to you, which we then highly recommend you change immediately as email isn't the most secure form of communication, or you can add an SSH key into the control panel and use that to launch virtual servers.

When you use an SSH key to launch a virtual server we do not email you a root password and instead you use the secure key to connect to the server directly as root.

Thanks
The SSH Key management in the control panel is used during new droplet creation.

If you add an SSH Key to the control panel after your server is created it will not update an existing virtual server.

When you create a new server however you can select the SSH key and it will be installed for the root user instead of having a root password generated.
I think I understand: if I first generate an SSH key, then when I create a droplet I can use it, and then if I use the DO console (on Chrome), I can access the SSH console without having the root password.
But any access with PuTTY will normally need the password too.
Is that it?
Yes, that is how it works for droplet creation; however, the console is just like connecting a keyboard and monitor to an actual server, so it doesn't operate on SSH keys.

In this case you would need to set a root password and use that for access, which is what you should do right after you login.

In your SSHd configuration you can set that root is only allowed to login using SSH keys while still allowing a root passwd to be typed in from console.

PermitRootLogin without-password

Is the setting you will want to enable but you want to make sure that your SSH keys are working correctly as that will then no longer allow root to connect from the internet using a login and pw.
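
The setting described above can be checked before relying on it. The following is an added example, not part of the original answer or of DigitalOcean's tooling: a shell helper that reads the global section of an sshd_config-style file and reports whether root can still log in with a password. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads only the global section of an
# sshd_config-style file: Match blocks and Include files are ignored, and
# keyboard-interactive/PAM prompts are not considered.

# sshd_setting FILE KEYWORD -> prints the value sshd would use, or nothing.
# Keywords are case-insensitive and the first value read wins.
sshd_setting() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        { sub(/=/, " "); key = tolower($1) }    # tolerate Keyword=value
        key == "match" { exit }                 # conditional blocks start here
        key == tolower(want) { print tolower($2); exit }
    ' "$1"
}

# root_password_allowed FILE -> returns 0 if root can still log in over SSH
# with a password according to the global section, 1 otherwise.
root_password_allowed() {
    root=$(sshd_setting "$1" PermitRootLogin)
    pass=$(sshd_setting "$1" PasswordAuthentication)
    # PasswordAuthentication defaults to "yes" when unset
    [ "${pass:-yes}" = yes ] || return 1
    case $root in
        without-password|prohibit-password|forced-commands-only|no) return 1 ;;
    esac
    return 0    # "yes", or unset (the default differs between OpenSSH versions)
}

# Constructed sample: the setting from the answer above, followed by a
# later duplicate line that sshd would ignore.
sample_config() {
    cat <<'EOF'
Port 22
permitrootlogin without-password
PasswordAuthentication yes
PermitRootLogin yes
EOF
}

# Run as: sh check_sshd.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    if root_password_allowed "$1"; then echo "root password login: allowed"
    else echo "root password login: blocked"; fi
fi
```

On a live server, `sshd -T` run as root prints the effective configuration including Match and Include handling, so use it to confirm the result.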
Thank you Edward,
your approach works fine.
But it is a little bit overkill.
I tried the approach which helped me with GitHub:
I created a file "config" in the ssh folder and added
Host xxxxx
Hostname xxxxx
IdentityFile path/to/key_rsa
but it doesn't work for DO :(
Is there any workaround?
I found the answer :)
I needed to add one important string to the config file:
User root
and then everything works fine with ssh root@xxxxxx

Each subsequent connection requires generating a new SSH key.
Why?

  • Hi! It's not entirely clear what you're asking. Could you open a new question with all of the information about your own situation?

I had this problem when I created a new droplet. I had existing keys from previous droplets that were shown in the "Add SSH Keys (Optional)" section of the Create Droplet web interface. HOWEVER, I did not know I had to click them in order to enable them for the new droplet. I figured since they were shown that they were there. Upon closer inspection they did look kind of greyed out.

If you are using MacOSX:

sudo vi /etc/ssh_config

You should then edit these 2 lines to say:

PubkeyAuthentication yes
RSAAuthentication yes

In case you are using the wrong file permissions on the server, you should check those, where user is the user with whom you want to log in:

chown -R user:user .ssh
chmod -R 700 .ssh
chmod 600 .ssh/authorized_keys

Visit meshfields.de for more great tips and tutorials.

@nottinhill -- your answer fixed it for me, it was a files permission error after an apt-get update/upgrade cycle.

If you can't figure out why you're not able to log in via ssh, try to debug it with this command:
ssh -v username@xxx.xx.xxx.xxx

My issue was:

although I added the key from the admin panel (https://cloud.digitalocean.com/settings/security), there was no such key in ~/.ssh/authorized_keys

So I manually added that.

Possibly this helps:

All the directories starting from root and up to the .ssh directory in your home directory must not have write permission for either 'group' or 'other'.

Do:

chmod g-w,o-w ~/.ssh
chmod g-w,o-w ~/.ssh/authorized_keys

http://superuser.com/questions/431911/ssh-asking-for-password-for-one-user-and-not-another
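
An added example (not from the original post): a shell function that walks from authorized_keys up to a stop directory and lists every path that is group- or other-writable, or owned by someone other than the user or root, which are the conditions sshd's StrictModes check rejects. The function name find_loose_perms and its arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread.
# find_loose_perms FILE [STOP_DIR] [UID]
#   FILE      file to start from, e.g. ~/.ssh/authorized_keys
#   STOP_DIR  topmost directory to inspect (default: $HOME)
#   UID       numeric uid that should own the paths (default: current user)
# Prints one line per problem; returns 0 if clean, 1 otherwise.
find_loose_perms() {
    path=$1
    stop=${2:-$HOME}
    want_uid=${3:-$(id -u)}
    bad=0
    while :; do
        if [ ! -e "$path" ]; then
            echo "missing: $path"
            bad=1
        else
            # ls -ldn: field 1 is the mode string, field 3 the numeric owner.
            info=$(ls -ldn "$path" | awk '{print $1, $3}')
            mode=${info% *}
            owner=${info#* }
            case $mode in
                # character 6 is group write, character 9 is other write
                ?????w*|????????w*)
                    echo "group/other-writable: $path ($mode)"
                    bad=1 ;;
            esac
            # paths owned by the user or by root (uid 0) are acceptable
            if [ "$owner" != "$want_uid" ] && [ "$owner" != 0 ]; then
                echo "unexpected owner uid $owner: $path"
                bad=1
            fi
        fi
        # stop at the chosen top directory, or when dirname cannot go higher
        if [ "$path" = "$stop" ] || [ "$path" = / ] || [ "$path" = . ]; then
            break
        fi
        path=$(dirname "$path")
    done
    return "$bad"
}

# Run as: sh check_perms.sh ~/.ssh/authorized_keys
if [ $# -gt 0 ]; then
    find_loose_perms "$@"
fi
```

Pass absolute paths so the walk reaches the stop directory; each reported directory can then be fixed with the chmod g-w,o-w form shown above.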

Can I login with only key pairs with my sudo user (not root user)? And if yes, how?

When I created the droplet I connected my previously added keys by checking the checkbox under "Add your SSH keys". When I logged in as root it worked fine with the added keys. I added a new sudo user, switched to that account and added the public key to the sudo user (password free private key).

adduser newuser
usermod -aG sudo newuser
su - newuser
mkdir ~/.ssh
chmod 700 ~/.ssh
nano ~/.ssh/authorized_keys
Inserted public key
chmod 600 ~/.ssh/authorized_keys
chown newuser -R ~/.ssh

But when I do the below command:
sudo nano /etc/ssh/sshd_config
The console now asks for password (the keys are password free).

What's wrong??
