DEV Community

Sailesh Choyal

SSH Permission Denied (Publickey) DigitalOcean Permission denied (publickey)

Trying to access your DigitalOcean droplet and can't get past Permission denied (publickey)?

This can happen for several reasons, such as having the wrong public key entry in your droplet's authorized_keys, or creating a new public key on your system which the droplet doesn't recognize yet.

After trying the usual things, this is what works:

  1. If you have created a new SSH public key, run cat ~/.ssh/id_rsa.pub on your local system and copy the complete key it displays. [Skip to point 2]
    If it doesn't display anything, you probably don't have a public SSH key, or you have one under a different name. Run cd ~/.ssh and see if you have any *.pub files there; if you want to use one of those, just run cat filename.pub and copy the key.
    If you don't have any existing public SSH keys, you can generate one using ssh-keygen -o, then follow the instructions as shown:
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
d0:82:24:8e:d7:f1:bb:9b:33:53:96:93:49:da:9b:e3 user@mylaptop.local

Once the public key is generated, view it using cat ~/.ssh/id_rsa.pub or replace id_rsa.pub with whatever name you gave the file. Now copy that key.

  1. Now head to your DigitalOcean web console. Go to Settings > Security > SSH Keys > Add SSH Key. Add the SSH key you copied and give it any name.
    Note that if the key already exists, it won't be copied, so you can skip this step.
    Now try connecting via SSH. If it works, you lucky (de)bugger you. If it doesn't work, that's what you're here for.

  2. Head over to your droplet's dashboard and from the left-side options, select Access > Console Access > Launch Console.
    Enter your username and password for the droplet, and it'll connect you to the droplet via SSH (using a web browser).

  3. You'll need to enable password login to your droplet. To do so, run sudo nano /etc/ssh/sshd_config, scroll down and set these to yes:

PermitRootLogin yes 
PasswordAuthentication yes

Save the file and run service sshd restart to restart the sshd service and apply the changes.

  1. Now some articles might suggest editing ~/.ssh/authorized_keys on the droplet from the browser SSH console, but that console has a bug which only copies the SSH key up to a certain number of characters, and because of that, it won't work. Therefore, we'll not do this step right now.

  2. As you've enabled password authentication on the server, try to SSH to it from the terminal. It'll prompt for the password, after which you should be able to connect. Well, problem solved, or at least most of it.

  3. Now we're going to edit the ~/.ssh/authorized_keys file on the server: run nano ~/.ssh/authorized_keys and paste your SSH key (which you generated in Step 1) on a new line. You can now restart the ssh service again using service sshd restart.

  4. Try SSH using your terminal and you should be able to connect without entering the password. As it's a good security practice to disable password-based login, run sudo nano /etc/ssh/sshd_config again on your server, and set

PasswordAuthentication no

Save the file and restart sshd using service sshd restart.

That's it, you should now be able to log in to the server without any issues.
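The browser-console problem mentioned above (a pasted key cut off after a certain number of characters) can be detected before you turn password login off again. The following is an added example, not part of the original post: it checks each line of an authorized_keys file by decoding the base64 blob and walking its length-prefixed fields. The names check_line, audit and sample_key are hypothetical, and the sample key is constructed, not a real key.

```python
import base64
import binascii
import struct

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

def check_line(line):
    """Return 'ok', 'skip' (blank or comment) or the reason the key is unusable."""
    line = line.strip()
    if not line or line.startswith("#"):
        return "skip"
    fields = line.split()
    # Options may precede the key type, so locate the type token first.
    idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(fields):
        return "no key type followed by key data"
    try:
        blob = base64.b64decode(fields[idx + 1], validate=True)
    except binascii.Error:
        return "base64 data is cut off or corrupt"
    # The blob is a run of fields, each prefixed by a 4-byte big-endian length.
    pos, parts = 0, []
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        pos += 4
        if pos + n > len(blob):
            return "blob ends inside a field (truncated key)"
        parts.append(blob[pos:pos + n])
        pos += n
    if len(parts) < 2 or parts[0].decode("ascii", "replace") != fields[idx]:
        return "blob does not start with the key type named on the line"
    return "ok"

def audit(text):  # 1-based line number -> result, for every key line
    checked = ((no, check_line(l)) for no, l in enumerate(text.splitlines(), 1))
    return {no: res for no, res in checked if res != "skip"}

def sample_key():
    # Constructed sample: ed25519-shaped blob of 32 zero bytes, not a real key.
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (b"ssh-ed25519", bytes(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " user@mylaptop.local"

# Constructed file text: a comment, a whole key, and a paste cut off at 60 characters.
SAMPLE = "\n".join(["# laptop key", sample_key(), sample_key()[:60]])

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To check a real file, pass its contents to audit(), for example audit(open(path).read()) with path pointing at the authorized_keys file on the server.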

Top comments (17)

André Pena

This article was very useful, but to help people coming from Google, this error (Permission denied (publickey)) also happens if your identity is not set correctly.

When you do ssh-keygen it will generate a new SSH key, whose default name is id_rsa. If your computer happens to have another key already, with another name, your identity might be set to that key.

You should edit ~/.ssh/config, and make sure IdentityFile is set to the correct private key:

Host *
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_rsa
 
Lauriano Elmiro Duarte • Edited

I lost my access to DigitalOcean,
this tip of yours was my salvation, change the file name to id_rsa

Thanks

Angelo Moroni

I solved it using this solution

Tyler Butler • Edited

Thanks for the quick solution! If you're on a Mac you wanna make this edit here: /private/etc/ssh/ssh_config

Jason Fukura

I literally created an account just to say thank you.

Kevin Yancy

Like other commenters, I also created an account just to say Thanks. Somehow I lost the ability to remote ssh into my droplet and your post gave me the fix I desperately needed in a clear and concise manner. Thank you again!

shin • Edited

Thanks for sharing this.
I usually change this:

PermitRootLogin no

I needed one more step.
Once you ssh to your server as root, I need to copy my root ssh to /home/your-username/.ssh.
Run the following:

rsync --archive --chown=your-username:your-username ~/.ssh /home/your-username

Now you can ssh using your name.

Sharadhi N

amazing! after sifting through 100s of pages talking about either solutions I already know or irrelevant ones, THIS IS THE ONLY THING THAT WORKED FOR ME.
DigitalOcean should include this in their docs. Thanks mate!

Ali Akman

Recovering SSH Access on DigitalOcean (Clean Method)

I solved this using a cleaner method.

First, save the SSH key(s) you want to add into a file named ssh.txt. Upload this file to a location you can access publicly (for example: https://abc.com/ssh.txt).

Then go to DigitalOcean → Recovery.

Select Power > Turn Off, then click Boot from Recovery ISO.

After that, turn the server back on with Power > Power On and open the Recovery Console.

Steps

  1. From the options 1 to 7, press 1 and make sure the disk name /dev/vda1 is highlighted in green.
  2. Press 5 for “Attempt to chroot”.
  3. In the command line, run:

cd ~/.ssh

  4. Back up the existing file:

cp authorized_keys authorized_keys.backup

  5. Download your SSH key file:

wget -O ssh.txt https://abc.com/ssh.txt

  6. Append the SSH keys to authorized_keys:

cat ssh.txt >> authorized_keys

  7. Edit the SSH configuration:

nano /etc/ssh/sshd_config

Update the settings as follows:

PasswordAuthentication no     # Disable password authentication (temporarily)
PubkeyAuthentication yes     # Enable SSH key authentication
PermitRootLogin yes          # Enable root login

  8. Restart the SSH service:
    systemctl restart sshd

  9. Verify the service status:
    service ssh status

Close the console window.

Then select Power > Turn Off, switch to Boot from Hard Drive, and click Power > Power On.

Local SSH Configuration

On your local machine, make sure the key defined in ~/.ssh/config under IdentityFile matches the same SSH key:

Host tomserver
    Hostname 198.*.*.*
    User     tom
    Port     22777
    IdentityFile ~/.ssh/tom

Test Connection

To test the connection, open your local terminal and run:

ssh tomserver

That’s all.
Good luck!

WatcherMagic

Had an issue with this at step 4, where the console still asked my user account for a password (not the root.) This means when I switched password authentication back to "no" I got the publickey error and was back to step 1. Solved it by:

  1. ssh into root (or use the digitalocean console)
  2. switch user: su - user
  3. sudo mkdir ~/.ssh
  4. sudo touch ~/.ssh/authorized_keys
  5. sudo vim ~/.ssh/authorized_keys then paste in the public key, save, exit
  6. confirm you can ssh without being prompted for a password
  7. sudo nano /etc/ssh/sshd_config --->...etc.

P.S If you're using a remote machine to access the droplet, make sure to GENERATE THE SSH KEY ON THE REMOTE MACHINE.

Kolawole O. Gabriel

Nice breakdown. Helped 👍

Denis Shtabnoy

Thank you Sailesh. These instructions helped me to solve the issue!

Rafael Vogel de Oliveira

Hey Sailesh, I've also just created an account to say thanks!!! You rock!

Ralph Capper

Thank you so much for this, helped me out.