|
Be the first user to complete this post
|
Add to List |
Resolving ssh permission denied issue on digitalocean
I recently rebuilt my droplet on digital ocean using a new kernel (after taking a backup, of course), and I wasn't able to login from my local machine using ssh. Since it was a whole new OS, what else could I expect.
But, it seemed like I wasn't even able to copy my newly generated ssh-id to the remote machine. I kept getting a permission denied error on executing the ssh-copy-id command as seen below.
ssh-copy-id root@droplet_ip_address
The authenticity of host 'droplet_ip_address (droplet_ip_address)' can't be established.
ECDSA key fingerprint is SHA256:/K+ZNPJXjcuGPd70X2siC27XSRAZUU8.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@droplet_ip_address: Permission denied (publickey).
After few hours of a struggle, since I am not much of a bash or linux person, I finally got it to work by doing the following
Step 1: On your remote machine/digital ocean
In this step, we setup our remote server to allow clients to login via a password prompt. You'd be running these from the web console of your digitalocean droplet.vi /etc/ssh/sshd_config
# PasswordAuthentication no
PasswordAuthentication yes
sudo /etc/init.d/ssh restart
Step 2: On your local machine
Run these commands on your local development machine, usually your mac or ubuntu# Generate your ssh keys
ssh-keygen -t rsa
# If you want to generate an ssh key using a different email
# ssh-keygen -t rsa -C "[email protected]"
# If you used a custom filename as the output of the ssh key generation step
# you will have to add it to ssh so it can use it for authentication
ssh-add /Users/ryan/.ssh/custom_id_rsa
- OPTIONAL STEP * Check if your local machine was already connected to a previous version of the droplet. This is likely if you are reusing an old droplet.
cat ~/.ssh/known_hosts | grep droplet_ip_address
vi or nano to either delete that entry or comment it out by prefixing it with a hash
Then restart your local ssh as follows
# If your local machine is a mac
sudo launchctl stop com.openssh.sshd
# If your local machine is Ubnuntu
sudo /etc/init.d/ssh restart
ssh-copy-id root@droplet_ip_address
# OR, if you used a custom rsa file name during generation, like I did
# ssh-copy-id -i /Users/ryan/.ssh/digital_ocean_rsa username@droplet_ip_address
NOTE: TheYou will be prompted to enter your password to connect to the remote machine(because in step 1 we configured the remote machine to allow password based login) Once the above command runs successfully, you can then directly ssh into your remote machine usingusernamecan beroot, but ideally you should create a new user with root level privileges on your remote machine as a security precaution and use that for such tasks.
ssh username@droplet_ip_address
Step 3: On your remote machine
Now that we are able to safely ssh, we can disable password authentication that we enabled in Step 1. So, basically, just go ahead and undo the changes we did in Step 1.vi /etc/ssh/sshd_config
# Replace
PasswordAuthentication yes
# with
# PasswordAuthentication no
sudo /etc/init.d/ssh restart
References
- https://serverfault.com/q/684346
- https://www.digitalocean.com/community/tutorials/how-to-create-a-sudo-user-on-ubuntu-quickstart
- https://www.digitalocean.com/community/tutorials/how-to-add-and-delete-users-on-an-ubuntu-14-04-vps
- https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2
Also Read: