Question

ssh failed Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Posted July 1, 2016

Note from DigitalOcean Community team:
The user @intalix has provided a popular answer to a very similar question on setting up SSH keys here: https://www.digitalocean.com/community/questions/error-permission-denied-publickey-when-i-try-to-ssh?answer=44730

ssh -v  root@xx.xx.xx.xxx
OpenSSH_6.9p1, LibreSSL 2.1.7
debug1: Reading configuration data /Users/frank_szn/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to 45.55.20.113 [45.55.20.113] port 22.
debug1: Connection established.
debug1: identity file /Users/frank_szn/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/frank_szn/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/frank_szn/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/frank_szn/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/frank_szn/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/frank_szn/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/frank_szn/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/frank_szn/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug1: Authenticating to 45.55.20.113:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr umac-64@openssh.com none
debug1: kex: client->server aes128-ctr umac-64@openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:xiB0VWociJ19y8/fqsxGcn0OJJeMe8J5TUhii5y05Ms
debug1: Host '45.55.20.113' is known and matches the RSA host key.
debug1: Found key in /Users/frank_szn/.ssh/known_hosts:3
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/frank_szn/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /Users/frank_szn/.ssh/id_dsa
debug1: Trying private key: /Users/frank_szn/.ssh/id_ecdsa
debug1: Trying private key: /Users/frank_szn/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
edited by MattIPv4
1 comment
  • It’s unclear what you’re trying to do, as you haven’t asked a question. What have you set up, and what are you trying to accomplish? If we know more about what you’re working on, and what you’ve created, we can help you further. Thanks!

17 answers

You may try editing /etc/ssh/sshd_config:
PasswordAuthentication yes

service sshd restart

I found in messages log information about bad ownership of authorized_keys. So I changed permissions for my /home/USERNAME/.ssh/authorized_keys to 0600 and everything works.

I was trying to do this on aws.
Following is the procedure which worked.

  1. clean up the .ssh directory on both master and slave.
  2. create same username on both master and slave with (adduser <uname> -p <passwd>)
  3. on the master login as <uname> and go home by typing cd (/home/user)
  4. ssh-keygen (this will create private and public keys for user)
  5. copy the contents of id_rsa.pub from master to /home/user/.ssh/authorized_keys on slave
  6. change permissions of the file authorized_keys to 600 (chmod 600 authorized_keys) on slave
  7. say cd.. and check permissions of the directory .ssh on slave. it should be again 600.
  8. Now on master login as the <user> and at command prompt say
  9. ssh <slave ip address> (or ssh user@slaveIDAddress); login should be successful.
  10. In case you are using jenkins in Jenkins credentials copy the id_rsa (private key) for the <user>. it will connect to slave.
  11. Hope I am clear.
  • Hello Sir,

    I have tried all above steps. Still I am getting below error -

    [ec2-user@ip-xxx-xx-x-x .ssh]$ sudo ssh-copy-id -i/home/ec2-user/.ssh/id_rsa ec2-user@xxx-xx-x-xxx

    /bin/ssh-copy-id: INFO: Source of key(s) to be installed: “/home/ec2-user/.ssh/id_rsa.pub”
    /bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /bin/ssh-copy-id: INFO: 1 key(s) remain to be installed – if you are prompted now it is to install the new keys

    Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

    Please let me know if I have to follow any additional steps.

    Thanks,
    Vaishali

Hi @ryanpq @nikfarid , I’m having the same issue.

I checked in Digital Ocean Console .ssh/authorized_keys and I have my key there. I set password authentication to Yes, and even tried with no (as someone suggested).

But still no luck, getting the same “Permission Denied (public Key)” issue.

Can you please help me with this?

Thanks,
Dilip Gupta

Hi,
I am trying to get SSH access from my Ubuntu 14.04 to a CentOS 7 droplet at DigitalOcean. But it’s throwing the error “Permission denied (publickey,gssapi-keyex,gssapi-with-mic).”

Again, I am trying to access from FileZilla SFTP and it’s throwing the error:
“Disconnected: No supported authentication methods available (server sent: publickey,gssapi-keyex,gssapi-with-mic)”

I have generated an SSH key from my Ubuntu terminal with the command “ssh-keygen -t rsa” and uploaded / pasted the public key “id_rsa.pub” to my DigitalOcean droplet SSH key option.

When I first tried to access the SSH connection it asked,
“The authenticity of host ‘1XXXXXXXX’ can’t be established.
ECDSA key fingerprint is XXXXXXXXXXXXXXXXXXXXXXXX.
Are you sure you want to continue connecting (yes/no)?”

After I type Yes,
it throws the error “Permission denied (publickey,gssapi-keyex,gssapi-with-mic)”.

Please advise how to fix it.

@Dilip7597 I have the same issue
I get Permission denied (publickey,gssapi-keyex,gssapi-with-mic). when trying to ssh through Terminal app.

I just got back from an extended winter holiday, but before the holiday (4-5 weeks ago) I used to ssh connect to my droplet without a problem. I have not changed the ssh keys since then, so it can’t be a problem with that.

Facing the same issue.
Using Bash on Ubuntu for Windows and I cannot log in to the server.
If I use PuTTY, I get right in.

Follow these steps:

  1. Just check whether your username for the host is correct
  2. set 400 permission to your key file

Without further information it is difficult to help you troubleshoot this. According to these logs, the keys on your local computer did not match the public keys on your droplet.

Have you been able to connect to this droplet via ssh before?

Have you used this key on your account with another droplet?

If you continue to have trouble and have not set up a password for your root user you can open a ticket with our support team who can assist you in setting a password to allow you to access the droplet from the console in the control panel in order to investigate or assist you in rebooting your droplet to a recovery environment where you can check that your public key was properly added to your /root/.ssh/authorized_keys file.
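The reading of the `ssh -v` output given in the answer above can be automated. The following is an added example, not part of the original post: it pairs each key the client offered with the server's response. The function names are made up for illustration, and the sample lines are copied from the question's log.

```shell
#!/bin/sh
# Added example: summarise which offered keys the server accepted or rejected.
# Reads `ssh -v` debug output on stdin, prints "ACCEPTED <path>" or
# "REJECTED <path>" per offered key. Handles both the older
# "Offering RSA public key: <path>" and the newer
# "Offering public key: <path> <type> <fingerprint>" line formats.
ssh_offer_results() {
    awk '
        /^debug1: Offering .*public key: / {
            sub(/^debug1: Offering .*public key: /, "")
            pending = $1            # path of the key just offered
            next
        }
        /^debug1: Server accepts key/ {
            if (pending != "") print "ACCEPTED " pending
            pending = ""
            next
        }
        # The server answering with the method list again means the offer failed.
        /^debug1: Authentications that can continue/ {
            if (pending != "") print "REJECTED " pending
            pending = ""
        }
    '
}

# Sample input: the authentication phase from the question's log.
sample_log() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/frank_szn/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /Users/frank_szn/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
EOF
}
```

Run it as `ssh -v user@host 2>&1 | ssh_offer_results`. A REJECTED line means the server found no usable match for that key, either because it is not in the account's authorized_keys or because sshd refused to read that file.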

Be sure that the public key on /pathToUser/.ssh/id_rsa.pub in the droplet is the same file as /pathToUser/.ssh/id_rsa.pub in your local machine.

I have tried ALL of the above to zero avail

I had luck with changing the above-mentioned permissions on /home/USERNAME/.ssh/authorized_keys in conjunction with changing the permission on the parent ssh folder: chmod 700 /home/USERNAME/.ssh
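The ownership and mode fixes reported in several answers on this page can be checked in one pass on the server. This is an added example, not part of any original post: it flags the conditions under which sshd's StrictModes setting ignores authorized_keys (wrong owner, or group/other write access on the home directory, .ssh, or the file). It assumes GNU `stat -c` (Linux), and both function names are made up for illustration.

```shell
#!/bin/sh
# Added example: audit the paths sshd checks before trusting authorized_keys.
# Usage: audit_ssh_perms /home/USERNAME "$(id -u USERNAME)"
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_ssh_perms() {
    home=$1
    uid=$2
    rc=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING $path"
            rc=1
            continue
        fi
        owner=$(stat -c '%u' "$path")
        mode=$(stat -c '%a' "$path")
        # The path must belong to the account itself or to root (uid 0).
        if [ "$owner" != "$uid" ] && [ "$owner" != "0" ]; then
            echo "BAD-OWNER $path owned by uid $owner"
            rc=1
        fi
        # 022 masks the group-write and other-write bits of the octal mode.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE $path mode $mode (group/other can write)"
            rc=1
        fi
    done
    return $rc
}

# Apply the modes the answers recommend: 700 on .ssh, 600 on authorized_keys,
# and no group/other write access on the home directory itself.
fix_ssh_perms() {
    chmod go-w "$1" &&
    chmod 700 "$1/.ssh" &&
    chmod 600 "$1/.ssh/authorized_keys"
}
```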

The step
try edit in /etc/ssh/sshd_config
PasswordAuthentication yes

is required on both master and slave

Just adding my two cents. I was trying to ssh by using my ppk and pem file format keys. I was able to login by using my key in the original format id_rsa

ssh -i id_rsa ec2-user@192.168.0.2

I had a similar problem
Resolved with setting the selinux policy

setenforce 0

[root@master11 ~]# getenforce
Disabled
[root@master11 ~]# 

[root@master11 ~]# cat /etc/selinux/config 
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Allow Root User Login in /etc/ssh/sshd_config

# PermitRootLogin no
PermitRootLogin yes

Had a similar problem,
but I had already set up SSH keys against root when creating the droplet.

So steps taken:

  1. created .ssh directory under new user mkdir /home/<newly added user>/.ssh
  2. copied the authorized keys from root cp /root/.ssh/authorized_keys /home/<newly added user>/.ssh