DEV Community

Cover image for DigitalOcean Permission denied (publickey)
Sailesh Choyal
Sailesh Choyal

Posted on • Edited on

SSH Permission Denied (Publickey) DigitalOcean Permission denied (publickey)

Trying to access your DigitalOcean droplet and can't get beyond Permission denied (publickey) ?

This could be due to multiple reasons, having the wrong public_key entry in your droplet's authorized_keys, or creating a new public key on your system which the droplet doesn't recognize yet.

After trying the usual things, this is what works:

  1. If you have created a new SSH public key, run: cat ~/.ssh/id_rsa.pub on your local system, and copy the complete key it displays. [Skip to point 2] In case it doesn't display anything, you probably don't have a public SSH key or you could have one under a different name. Go to cd .ssh and see if you have any of the *.pub files there, if you want to use any of those, just run cat filename.pub and copy the key. If you don't have any existing public SSH keys, you can generate one using: ssh-keygen -o, then follow the instructions as shown.
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
d0:82:24:8e:d7:f1:bb:9b:33:53:96:93:49:da:9b:e3 user@mylaptop.local
Enter fullscreen mode Exit fullscreen mode

Once the public key is generated, view it using cat ~/.ssh/id_rsa.pub or replace id_rsa.pub with whatever name you gave the file. Now copy that key.

  1. Now head to your digitalocean web console. Go to Settings > Security > SSH Keys > Add SSH Key. Add the SSH key you copied and give it any name.
    Note that if the key already exists, it won't be copied, so you can skip this step.
    Now try connecting via SSH, if it works, you lucky (de)bugger you. If it doesn't work, that's what you're here for.

  2. Head over to your droplet's dashboard and from the left-side options, select Access > Console Access > Launch Console.
    Enter your username and password for the droplet, and it'll connect you to the droplet via SSH (using a web browser).

  3. You'll need to enable password login to your droplet. To do so, sudo nano /etc/ssh/sshd_config, scroll down and set these to yes

PermitRootLogin yes 
PasswordAuthentication yes
Enter fullscreen mode Exit fullscreen mode

​Save the file and run service sshd restart to restart the sshd service and apply the changes.

  1. Now some articles might suggest heading over to the ~/.ssh/authorized_keys on the droplet from the browser SSH console, but it has a bug which only copies the SSH key upto a certain characters, and because of that, it won't work. Therefore, we'll not do this step right now.

  2. As you've enabled password authentication to the server, try SSH to it from the terminal, it'll prompt for the password, after which you should be able to connect. Well, problem solved, or at least most of it.

  3. Now we're going to edit the nano ~/.ssh/authorized_keys file on the server, paste your SSH key here in a newline(which you had generated in Step 1). You can now restart the ssh service again using service sshd restart.

  4. Try SSH using your terminal and you should be able to connect without entering the password. As it's a good security practice to disable Password based login, head over to sudo nano /etc/ssh/sshd_config again on your server, and set

PasswordAuthentication no
Enter fullscreen mode Exit fullscreen mode

Save the file and restart sshd using service sshd restart.

That's it, you should now be able to login to the server without any issues.

Top comments (16)

Collapse
 
andrerpena profile image
André Pena

This article was very useful, but to help people coming from Google, this error (Permission denied (publickey)) also happens if your identity is not set correctly.

When you do ssh_keygen it will generate a new SSH key, which the default name is id_rsa. If your computer happens to have another key already, with another name, your identity might be set to that key.

You should edit ~/.ssh/config, and make sure IdentityFile is set to the correct private key

Host *
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_rsa
Enter fullscreen mode Exit fullscreen mode
Collapse
 
laurianoelmiroduarte profile image
Lauriano Elmiro Duarte • Edited

I lost my access to DigitalOcean,
this tip of yours was my salvation, change the file name to id_rsa

Thanks

Collapse
 
hooloovoochimico profile image
Angelo Moroni

I solved using this solutions

Collapse
 
tcbutler320 profile image
Tyler Butler • Edited

Thanks for the quick solution! If your on a mac you wanna make this edit here /private/etc/ssh/ssh_config

Collapse
 
jfukura profile image
Jason Fukura

i literally created an account just to say thank you.

Collapse
 
3wcircus profile image
Kevin Yancy

Like other commenters, I also created an account just to say Thanks. Somehow I lost the ability to remote ssh into my droplet and your post gave me the fix I desperately needed in a clear and concise manner. Thank you again!

Collapse
 
shinokada profile image
shin • Edited

Thanks for sharing this.
I usually change this:

PermitRootLogin no
Enter fullscreen mode Exit fullscreen mode

I needed one more step.
Once you ssh to your server as a root, I need to copy my root ssh to /home/your-username/.ssh:
Run the following:

rsync --archive --chown=your-username:your-username ~/.ssh /home/your-username
Enter fullscreen mode Exit fullscreen mode

Now you can ssh using your name.

Collapse
 
n_sharadhi profile image
Sharadhi N

amazing! after sifting through 100s of pages talking about either solutions I already know or irrelevant ones, THIS IS THE ONLY THING THAT WORKED FOR ME.
DigitalOcean should include this in their docs. Thanks mate!

Collapse
 
segaz2002 profile image
Kolawole O. Gabriel

Nice, breakdown. Helped 👍

Collapse
 
watchermagic profile image
WatcherMagic

Had an issue with this at step 4, where the console still asked my user account for a password (not the root.) This means when I switched password authentication back to "no" I got the publickey error and was back to step 1. Solved it by:

  1. ssh into root (or use the digitalocean console)
  2. switch user: su - user
  3. sudo mkdir ~/.ssh
  4. sudo touch ~/.ssh/authorized_keys
  5. sudo vim ~/.ssh/authorized_keys then paste in the public key, save, exit
  6. confirm you can ssh without being prompted for a password
  7. sudo nano /etc/ssh/sshd_config --->...etc.

P.S If you're using a remote machine to access the droplet, make sure to GENERATE THE SSH KEY ON THE REMOTE MACHINE.

Collapse
 
ralpharama profile image
Ralph Capper

Thank you so much for this, helped me out.

Collapse
 
rvogel profile image
Rafael Vogel de Oliveira

Hey Sailesh, I've also just created an account to say thanks!!! You rock!

Collapse
 
shtabnoy profile image
Denis Shtabnoy

Thank you Sailesh. This instructions helped me to solve the issue!

Collapse
 
cazwazacz profile image
Allan Wazacz

Like a lot of people I created an account just to thank you! THANK YOU!