By: tstein

Why is my droplet still asking for a password when I have added the SSH key?

December 21, 2014 8.9k views

I added the SSH key to my computer through the DO interface on the web. When I SSH in I am still asked for a password. Why? (There is no passphrase on the SSH key.)

3 comments
  • Add your private key in ssh agent

    eval `ssh-agent -s`
    ssh-add ~/.ssh/id_rsa
    

    This will solve the issue.

  • Huh? Mine was working and just stopped out of the blue... and I have no idea who answered this but that is completely off. I'd give a good answer but I'm trying to figure it out myself. I guess I'll just go with passwords again.

  • I'm having the same issue... what's the deal DO?

7 Answers

Same issue here:

mathew@Mathews-MacBook-Pro:Documents -->rsync -avz provisioning/ root@xxx.xxx.xxx.xxx:/root/
building file list ... done
./
iptables.conf
iptables.sh
provision.conf
provision.nginx-gw.sh
provision.sh
provisioning/
provisioning/iptables.conf
provisioning/iptables.sh
provisioning/provision.conf
provisioning/provision.nginx-gw.sh
provisioning/provision.sh

sent 28754 bytes  received 252 bytes  19337.33 bytes/sec
total size is 58582  speedup is 2.02
mathew@Mathews-MacBook-Pro:Documents -->ssh root@xxx.xxx.xxx.xxx
root@xxx.xxx.xxx.xxx's password:

Key worked, then immediately didn't. Running ssh -vv gives no error:

mathew@Mathews-MacBook-Pro:Documents -->ssh -vvv root@xxx.xxx.xxx.xxx
OpenSSH_6.9p1, LibreSSL 2.1.7
debug1: Reading configuration data /Users/mathew/.ssh/config
debug1: /Users/mathew/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.
debug1: Connection established.
debug1: identity file /Users/mathew/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/mathew/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/mathew/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/mathew/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/mathew/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/mathew/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/mathew/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/mathew/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to xxx.xxx.xxx.xxx:22 as 'root'
debug3: hostkeys_foreach: reading file "/Users/mathew/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/mathew/.ssh/known_hosts:71
debug3: load_hostkeys: loaded 1 keys from xxx.xxx.xxx.xxx
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-ed25519,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:aaku/+vSiPl9Y+qv0rUPXqZDQ5ejhAymF17BKWKobgg
debug3: hostkeys_foreach: reading file "/Users/mathew/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/mathew/.ssh/known_hosts:71
debug3: load_hostkeys: loaded 1 keys from xxx.xxx.xxx.xxx
debug1: Host 'xxx.xxx.xxx.xxx' is known and matches the ECDSA host key.
debug1: Found key in /Users/mathew/.ssh/known_hosts:71
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/mathew/.ssh/id_rsa (0x7fbe50500880),
debug2: key: /Users/mathew/.ssh/id_dsa (0x0),
debug2: key: /Users/mathew/.ssh/id_ecdsa (0x0),
debug2: key: /Users/mathew/.ssh/id_ed25519 (0x0),
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/mathew/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /Users/mathew/.ssh/id_dsa
debug3: no such identity: /Users/mathew/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /Users/mathew/.ssh/id_ecdsa
debug3: no such identity: /Users/mathew/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /Users/mathew/.ssh/id_ed25519
debug3: no such identity: /Users/mathew/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
root@xxx.xxx.xxx.xxx's password:

In this case it definitely appears to be a bug.
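
Added example, not part of the answer above: in that client log the `Offering RSA public key` probe is followed by a new `Authentications that can continue` list rather than `Server accepts key`, which is how the client reports that the server declined the key. The script below extracts that outcome from `ssh -v` output; the function names are hypothetical and the sample lines are copied from the log above.

```shell
#!/bin/sh
# Added example: summarise public-key attempts in `ssh -v` client output.
# Reads the log on stdin; prints "<identity> accepted|rejected" per key offered.
pubkey_offers() {
    awk '
        # Old format: "Offering RSA public key: PATH"
        # New format: "Offering public key: PATH TYPE FINGERPRINT"
        /^debug1: Offering .*public key: / {
            sub(/^debug1: Offering .*public key: /, "")
            pending = $1            # identity path is the first field left
            next
        }
        # The server answered the probe with SSH_MSG_USERAUTH_PK_OK.
        /^debug1: Server accepts key/ && pending != "" {
            print pending, "accepted"; pending = ""; next
        }
        # A fresh list of usable methods after an offer means the key was refused.
        /^debug1: Authentications that can continue: / && pending != "" {
            print pending, "rejected"; pending = ""
        }
    '
}

# Lines copied from the client log in the answer above.
sample_log() {
    cat <<'EOF'
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/mathew/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /Users/mathew/.ssh/id_dsa
debug1: Next authentication method: password
EOF
}

sample_log | pubkey_offers
```

A `rejected` result means the reason is on the server side, so the next place to look is the sshd auth log on the droplet.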

Hi, even I faced a similar issue... Looks like setting your SSH keys through DigitalOcean's Web console is not working.
The following steps resolved the problem for me.

  1. Click on Reset Root Password by going to Droplets > Access
  2. Then DigitalOcean will mail you a root password
  3. Open Terminal and ssh to your server by using the command ssh root@your_server_ip_address
  4. When prompted for the root password, use the one you received through email
  5. Then, generate SSH keys on your local computer and copy those keys to DigitalOcean's Web Console by going to Settings > Security > Add SSH Keys. Refer to the How To Create SSH Keys section from this tutorial
  6. Then also copy the SSH key to your server from the terminal by using this command: cat ~/.ssh/id_rsa.pub | ssh root@your_server_ip_address "cat >> ~/.ssh/authorized_keys"
  7. Now try to ssh to your server again.

That's it!

SSH, or secure shell, is the most common way of administering remote Linux servers. Although the daemon allows password-based authentication, exposing a password-protected account to the network can open up your server to brute-force attacks. In this guide, we demonstrate how to configure your server with SSH keys, which is the recommended authentication method. These are much more difficult for attackers to work around, giving you a more secure login mechanism.
  • Why is the web console not working for adding SSH keys? Any word on whether or not DO is working to fix this?

Did you restart ssh on your server?

There are a few reasons why sshd would reject your key. Check your auth log (grep sshd in /var/log to find the file, it might be called secure, auth or it might be in syslog/messages (depends on your distro)).

One reason, for example, might be that your reverse DNS doesn't point to the IP you're connecting from. You might have the wrong permissions on the authorized_keys file (should be 600) or .ssh directory (should be 700).

Also check you've got your key loaded on the client (ssh-add -l to list keys and ssh-add <file> to add a key).

Finally, try connecting with ssh -vvv (assuming you're connecting from Linux/Unix/Mac). It'll be very verbose about what it's trying to do.

I rushed through the setup and created a droplet before (successfully) adding keys through the "Create Droplet" dialog.

If you've followed this instruction: https://www.digitalocean.com/community/tutorials/how-to-use-ssh-keys-with-digitalocean-droplets, then it will work fine but with one important detail not to miss. Create your ssh keys on your local computer and then add them to your Digital Ocean profile BEFORE you create the droplet. When you successfully added the keys, the droplet dialog will say something like, "No root password will be emailed to you because you have selected 3 SSH Keys for access."

by Etel Sverdlov
This guide is for Mac OS X and Linux users. Learn how to use SSH Keys with DigitalOcean Droplets.

Anyone here using DSA keys and an Ubuntu 16.04 droplet (with OpenSSH 7.x by default) should note that DSA keys (pubkey starting with "ssh-dss") are not accepted by default anymore. This issue caused problems very similar to the ones described in the original question. This is understandable because if the keys are not accepted, ssh reverts to asking for the password.

See:
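
The server-side causes named in the answers above (the 700 and 600 modes on .ssh and authorized_keys, and ssh-dss keys that OpenSSH 7.x no longer accepts by default) can be checked in one pass on the droplet. This is an added example, not code from any poster; the function names and the scratch-directory demo with truncated keys are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a user's .ssh directory on the server.
# Prints one finding per line; prints nothing when all three checks pass.

# Octal permission bits of a path (GNU stat first, BSD/macOS stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

audit_ssh_dir() {
    dir=$1
    keys=$dir/authorized_keys
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 0; }
    m=$(mode_of "$dir")
    [ "$m" = 700 ] || echo "mode $m on $dir (expected 700)"
    [ -f "$keys" ] || { echo "missing file: $keys"; return 0; }
    m=$(mode_of "$keys")
    [ "$m" = 600 ] || echo "mode $m on $keys (expected 600)"
    # The key type may follow an options field, so match it as a whole token.
    awk -v f="$keys" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        /(^|[ \t])ssh-dss[ \t]/ {
            print "ssh-dss (DSA) key at " f ":" NR
        }' "$keys"
}

# Constructed demo: a scratch directory with deliberately wrong settings.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/.ssh" && chmod 755 "$d/.ssh"
    printf '%s\n' '# constructed sample keys (truncated, not real)' \
        'ssh-dss AAAAB3NzaC1kc3MAAA== old@laptop' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA== new@laptop' \
        > "$d/.ssh/authorized_keys"
    chmod 664 "$d/.ssh/authorized_keys"
    audit_ssh_dir "$d/.ssh"
    rm -rf "$d"
}

demo
```

On a real server, run `audit_ssh_dir /root/.ssh` (or the target user's directory) and fix each finding with `chmod` or by replacing the DSA key with a supported type.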

What worked for me:

ssh root@<ip>

Because I'm logged in on my local machine as user 'tjen', and ssh <ip> then it asks for:
tjen@gtd's password:, (which does not exist)
