Resolving ssh permission denied issue on digitalocean
I recently rebuilt my droplet on DigitalOcean using a new kernel (after taking a backup, of course), and I wasn't able to log in from my local machine using ssh. Since it was a whole new OS, what else could I expect?
But, it seemed like I wasn't even able to copy my newly generated ssh-id to the remote machine. I kept getting a permission denied error on executing the ssh-copy-id command as seen below.
ssh-copy-id root@droplet_ip_address
The authenticity of host 'droplet_ip_address (droplet_ip_address)' can't be established.
ECDSA key fingerprint is SHA256:/K+ZNPJXjcuGPd70X2siC27XSRAZUU8.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@droplet_ip_address: Permission denied (publickey).
After a few hours of struggle, since I am not much of a bash or Linux person, I finally got it to work by doing the following.
Step 1: On your remote machine/DigitalOcean
In this step, we set up our remote server to allow clients to log in via a password prompt. You'd be running these from the web console of your DigitalOcean droplet.
Open /etc/ssh/sshd_config and find the following line. It might currently be commented out with a hash.
# PasswordAuthentication no
Replace it with a line that turns password authentication on, i.e. the PasswordAuthentication yes setting that Step 3 reverts.
Now restart ssh. To restart ssh on an Ubuntu droplet:
sudo /etc/init.d/ssh restart
Step 2: On your local machine
Run these commands on your local development machine, usually your Mac or Ubuntu.
# Generate your ssh keys
ssh-keygen -t rsa
# If you want to generate an ssh key using a different email
# ssh-keygen -t rsa -C "[email protected]"
# If you used a custom filename as the output of the ssh key generation step
# you will have to add it to ssh so it can use it for authentication
ssh-add /Users/ryan/.ssh/custom_id_rsa
OPTIONAL STEP: Check if your local machine was already connected to a previous version of the droplet. This is likely if you are reusing an old droplet.
cat ~/.ssh/known_hosts | grep droplet_ip_address
If you find an entry, use your favorite text editor like nano to either delete that entry or comment it out by prefixing it with a hash. Then restart your local ssh as follows.
# If your local machine is a mac
sudo launchctl stop com.openssh.sshd
# If your local machine is Ubuntu
sudo /etc/init.d/ssh restart
Now you should be able to run the following command to copy the ssh key to your remote machine.
ssh-copy-id root@droplet_ip_address
# OR, if you used a custom rsa file name during generation, like I did
# ssh-copy-id -i /Users/ryan/.ssh/digital_ocean_rsa username@droplet_ip_address
You will be prompted to enter your password to connect to the remote machine (because in Step 1 we configured the remote machine to allow password-based login). Once the above command runs successfully, you can then ssh directly into your remote machine.
NOTE: The commands above use root, but ideally you should create a new user with root-level privileges on your remote machine as a security precaution and use that for such tasks.
Step 3: On your remote machine
Now that we are able to safely ssh, we can disable password authentication that we enabled in Step 1. So, basically, just go ahead and undo the changes we did in Step 1.
vi /etc/ssh/sshd_config
# Replace PasswordAuthentication yes
# with
# PasswordAuthentication no
The PasswordAuthentication no line must end up in the file without a leading hash: sshd ignores commented-out lines, and its built-in default for this option is yes.
Now restart ssh on your remote machine.
sudo /etc/init.d/ssh restart
That's it. Hopefully this will work for you as it did for me. If it doesn't, let me know what did work for you.
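A check to run after Step 3, as an added example that is not part of the original post: the function below reads one sshd_config file and prints the global PasswordAuthentication value sshd would take from it, treating commented-out lines as absent and falling back to the OpenSSH default of yes. The function names and the sample files are constructed for illustration; Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example. effective_password_auth FILE prints "yes" or "no": the global
# PasswordAuthentication value sshd would take from FILE alone.
# Assumptions: Include files are not followed; parsing stops at the first
# Match line, since directives after it apply only conditionally.
effective_password_auth() {
    awk '
        { sub(/^[ \t]+/, "") }                       # drop leading whitespace
        /^#/ || /^$/ { next }                        # comments and blanks are inert
        { key = tolower($0); sub(/[ \t=].*$/, "", key) }
        key == "match" { exit }                      # conditional section begins
        key == "passwordauthentication" {
            val = $0
            sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val)  # strip keyword and separator
            sub(/[ \t]*#.*$/, "", val)               # strip trailing comment
            sub(/[ \t]+$/, "", val)                  # strip trailing whitespace
            gsub(/"/, "", val)                       # strip optional quotes
            print tolower(val); found = 1; exit      # first occurrence wins
        }
        END { if (!found) print "yes" }              # OpenSSH built-in default
    ' "$1"
}

# Constructed sample files: Step 3 with the hash left in front of the "no"
# line, and the same file with the directive uncommented.
check_step3_samples() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'PermitRootLogin yes' '# PasswordAuthentication no' > "$tmp/commented"
    printf '%s\n' 'PermitRootLogin yes' 'PasswordAuthentication no' > "$tmp/explicit"
    for f in commented explicit; do
        printf '%-10s -> PasswordAuthentication %s\n' "$f" \
            "$(effective_password_auth "$tmp/$f")"
    done
    rm -rf "$tmp"
}
check_step3_samples
```

On the droplet itself, `sudo sshd -T | grep -i passwordauthentication` prints the value sshd actually resolved, and `sudo sshd -t` validates the file before you restart.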