How to Fix the SSH Permission Denied (publickey) Error

ssh image
ssh image

Introduction

SSH, or Secure Shell, is an essential protocol that is widely-used in the scripting world.  As a developer I often use it for securely accessing remote systems over unsecured networks. This allows users to authenticate and establish encrypted connections, allowing me to safely run commands, transfer data, and control distant servers. However, it is possible to encounter issues with SSH connections occasionally. One commonly experienced issue is the “permission denied (publickey)” error.

This issue often occurs when the server fails to authenticate the client’s public key, interrupting the SSH connection. Resolving this issue is critical not just for me, but also for other system administrators. Additionally, this is important for developers, and users that utilize SSH for remote access and secure file transfers.

What is the “Permission denied (publickey)” Error?

The “Permission denied (publickey)” error is an authentication failure that occurs when the SSH server rejects the client’s provided public key during the key-based authentication process. In my example, when I try to connect to a server using SSH, and the server rejects my public key for authentication. Basically this is an indication that the server has failed to recognize or can’t verify my key, so it denies me access. This error can appear in various ways depending on the circumstances.

This includes:

Permission denied (publickey).

or

Permission denied (publickey)" Error

What Causes of the “Permission denied (publickey)” Error

There are several potential causes that can lead to the “Permission denied (publickey)” error, including:

  1. Public Key Authentication Issues: The SSH connection might be rejected if public key authentication is not configured on the server, or if there are configuration errors within the
    authorized_keys
    file. This could result in the client’s public key being denied.
  2. Public Key Location Mismatch: The server may deny access if the client’s public key is not found within the
    authorized_keys
    file, or if the file path itself is misconfigured.
  3. Incorrect Key Permissions: The SSH server may reject the public key if it has overly permissive or restrictive permissions, which could be a potential security risk.
  4. Outdated or Incorrect SSH Keys: The authentication will fail if the client’s public key has been altered. Moreover, this happens if the key is revoked or is unrecognized by the server.
  5. Host Key Mismatch: When the server’s host key has changed or is not trusted by the client, the SSH connection will be rejected to limit vulnerabilities. This is to prevent potential man-in-the-middle attacks or DNS spoofing attempts.

Troubleshooting Steps

This is how I fixed the “Permission denied (publickey)” error by following these troubleshooting steps:

Step 1: Check SSH Server Configuration

Encountering a “Permission denied (publickey)” error due to a host key mismatch? You can temporarily bypass strict host key checking as a workaround, but remember this is only a temporary solution. Address the underlying issue to ensure continued security.

PubkeyAuthentication yes

After making any changes to the configuration file, restart the SSH service for the changes to take effect.

Step 2: Verify Public Key Location

Check if the client’s public key is present in the correct location on the server. The default location for authorized keys is ~/.ssh/authorized_keys (for user accounts) or /etc/ssh/authorized_keys (for the root account).

If the public key is not present in the authorized_keys file, append it to the file using the following command:

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

Ensure that the public key file (id_rsa.pub or id_ecdsa.pub) corresponds to the private key you are using for authentication.

Step 3: Check Key Permissions

Verify that the permissions on the authorized_keys file and the .ssh directory are set correctly. The recommended permissions are:

  • ~/.ssh directory: 700 (drwx------)
  • ~/.ssh/authorized_keys file: 600 (-rw-------)

You can set the correct permissions using the following commands:

chmod 700 ~/.ssh

chmod 600 ~/.ssh/authorized_keys

Incorrect permissions on these files and directories can cause the SSH server to reject the public key for security reasons.

Step 4: Regenerate SSH Keys

If the previous steps do not resolve the issue, you may need to regenerate the SSH keys on the client machine. Follow these steps to generate a new key pair:

  1. Remove the existing keys: rm ~/.ssh/id_rsa* (for RSA keys) or rm ~/.ssh/id_ecdsa* (for ECDSA keys)
  2. Generate a new key pair: ssh-keygen -t rsa -b 4096 -C “your_email@example.com” (for RSA keys) or ssh-keygen -t ecdsa -b 521 -C “your_email@example.com” (for ECDSA keys)
  3. Copy the new public key to the server: ssh-copy-id user@remote_host

After generating and copying the new keys, try connecting to the server again.

Step 5: Disable Strict Host Key Checking (Temporary Solution)

If you encounter the “Permission denied (publickey)” error due to a host key mismatch, you can temporarily disable strict host key checking as a workaround. This only works as a temporary solution until you resolve the underlying issue.

To disable strict host key checking, add the following line to your SSH configuration file (~/.ssh/config or /etc/ssh/ssh_config):

StrictHostKeyChecking no

After making this change, try connecting to the server again. However it is important you are aware that by disabling the strict host key checking, you can potentially expose your server to man-in-the-middle attacks, as such this should be exercised with caution and only as a temporary measure.

Best Practices for SSH Key Management

To prevent and mitigate issues related to SSH key authentication, it is important to follow best practices for key management:

  1. Use Strong Keys: Generate SSH keys with a sufficient key length (at least 4096 bits for RSA or 521 bits for ECDSA) to ensure strong encryption and protection against brute-force attacks.
  2. Secure Key Storage: Store private SSH keys securely and never share them with untrusted parties. Consider using a hardware security key or a password manager to store and manage your keys.
  3. Rotate Keys Regularly: Regularly rotate and replace SSH keys to mitigate the risk of key compromise and maintain a high level of security.
  4. Manage Key Access: Strictly control and manage access to authorized_keys files on servers, ensuring that only authorized users and systems have their public keys listed.
  5. Monitor Key Usage: Implement monitoring and logging mechanisms to track SSH key usage, detect potential misuse, and quickly revoke compromised keys.
  6. Automate Key Management: Consider using automation tools and scripts to streamline the process of generating, distributing, and rotating SSH keys across your infrastructure.

By following the above practices, you can significantly reduce the likelihood of encountering the “Permission denied (publickey)” error and maintain a secure and efficient SSH. Once this error is fixed you can now proceed and access your remote system.

Related Articles

How to Fix SSH Failed Permission Denied (publickey,gssapi-keyex,gssapi-with-mic)

Troubleshooting SSH Permission Denied (publickey)

More Articles from Unixmen

How to prevent SSH from disconnecting sessions

Mosh vs SSH 

SSH Management Console Script

SSH to your Linux systems from Android