ssh-copy-id not working Permission denied (publickey).

February 6, 2017 58.8k views
DigitalOcean Ubuntu 16.04

Each time I attempt to set up my new Droplet I get stuck right here. ssh-copy-id doesn't work and so I can't get my new user login to work. I've tried some fixes and just gotten more in the weeds. It seems I'm not the only one with this problem but there are different fixes so I'm just going to copy what I'm getting here. I've also tried to copy the key manually like it's mentioned in this tutorial but still no dice... Please help!

ssh-copy-id USERNAME@IP-ADDRESS
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/USERNAME/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Permission denied (publickey).

Thanks for any help!

8 Answers

I had trouble using ssh-copy-id for a secondary (non-root) user. ssh-copy-id uses the user's password to connect to the host. New droplets seem to have a setting that prohibits this. I'm not an expert so don't take my word for it.

I fixed it like this:

Log in as root
Edit ssh config:
sudo nano /etc/ssh/sshd_config
Change this line:
PasswordAuthentication no
to
PasswordAuthentication yes
Restart daemon:
sudo systemctl restart sshd

Do ssh-copy-id:
ssh-copy-id someuser@<my-ip>

Revert changes to ssh_config if you are security conscious and restart daemon.

I gotta say I am disappointed in most of you. Turning on Password Authentication is a MISTAKE, DON'T DO IT!

Do this instead: just create your user using root, then sign in as the NON ROOT user using the su userhere command. Once you're signed in, change directory to your default directory with the command:

cd

Then make a .ssh directory

mkdir .ssh

change to the .ssh directory

cd .ssh

Then make the file authorized_keys

nano authorized_keys

Now simply copy and paste the contents of your public key to this file and save it with ctrl+w

Restart ssh

sudo systemctl restart sshd

Now you can ssh to your droplet with the new user

Just tested this on Ubuntu 16.04 works like a charm!

Not hard at all and you don't compromise your security! Hope I helped someone!

OH, and before you forget, best turn off ssh access to root. To do so:

First confirm you can ssh using your new user. Then edit the /etc/ssh/sshd_config with whatever text editor you prefer and change the line PermitRootLogin yes to NO, well, actually just no.

sudo systemctl restart sshd

Test ssh with root; it should fail.
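
The manual steps in the answer above, as an added example that is not part of the original post: it creates ~/.ssh and authorized_keys with the modes sshd's default StrictModes check accepts, because group- or world-writable paths are another cause of Permission denied (publickey). install_pubkey and check_ssh_perms are hypothetical helper names, and the key in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# Added example: install a public key by hand and verify file modes.
# Usage (run as the NON-root user, key value is a constructed placeholder):
#   install_pubkey "$HOME" "ssh-ed25519 AAAA...placeholder you@laptop"
#   check_ssh_perms "$HOME"

# install_pubkey HOME_DIR "PUBLIC KEY LINE"
install_pubkey() {
    home_dir=$1
    pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth="$ssh_dir/authorized_keys"

    # Accept only one OpenSSH public-key line. A private key
    # ("-----BEGIN ...") must never be pasted into authorized_keys.
    case $pubkey in
        *"
"*) echo "key must be a single line" >&2; return 1 ;;
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key line" >&2; return 1 ;;
    esac

    # 700 on the directory and 600 on the file, regardless of umask.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Append only if this exact line is not already present (idempotent).
    grep -qxF -- "$pubkey" "$auth" || printf '%s\n' "$pubkey" >> "$auth"
}

# check_ssh_perms HOME_DIR
# Returns non-zero if the home directory, .ssh or authorized_keys is
# missing or writable by group/others. Ownership is not checked here;
# sshd also requires the paths to be owned by the user or by root.
check_ssh_perms() {
    home_dir=$1
    rc=0
    for p in "$home_dir" "$home_dir/.ssh" "$home_dir/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p" >&2; rc=1; continue
        fi
        # -prune limits find to the path itself (no recursion).
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "group/other writable: $p" >&2; rc=1
        fi
    done
    return $rc
}
```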

Is this issue fixed? I have also been facing the same issue for a week. Unable to do ssh-copy-id for the newly created user.

I am facing the same issue and the solution provided above did not solve my problem... If anyone has fixed this issue with some other approach, kindly help...

I had the same issue.

I resolved it when I realized that I was still using root when doing the ssh-copy-id for another user.

For example, I was setting this up for an EC2 instance.
My bash prompt was [root@ip-xxx-xx-x-xxx ~] and I was attempting:
ssh-copy-id -i ~/.ssh/id_rsa ec2-user@subdom.domain.com
Permission denied (publickey).

OOPS! That was the mistake. I was trying to copy the root key for the ec2-user. Doh!

Solution was to exit from root elevation, confirm that I had a key defined for ec2-user, then I did the ssh-copy-id command again. This time it was successful! Yippee!

Test the key...
ssh 'ec2-user@subdom.domain.com'
Tada! Success at last.

Oh, and another thing....
If you're trying to establish root credentials into another server, then you're violating a best practice. There is a valid security reason to not have root keys enabled. As it stands, a hacker would need to compromise the lower level access, then elevate privileges and bypass another layer of security.

That's why the config change above would work if you were trying to establish root access from another server. Basically, you would have to violate your security policy to copy the key. Creating a bypass is not recommended.

If you want to start from the very beginning, with no access at all to the server:

You can use the access console from Droplet -> Access -> Launch Console.

Login: root
Password: Supposed to be emailed, or just use reset password and get a new one.

Once you are in there, follow @mjmare's method.

Log in as root
Edit ssh config:
sudo nano /etc/ssh/sshd_config
Change this line:
PasswordAuthentication no
to
PasswordAuthentication yes
Restart daemon:
sudo systemctl restart sshd

Do ssh-copy-id:
ssh-copy-id someuser@<my-ip>
