Be the first user to complete this post

  • 0
Add to List

Resolving ssh permission denied issue on digitalocean

I recently rebuilt my droplet on digital ocean using a new kernel (after taking a backup, of course), and I wasn't able to login from my local machine using ssh. Since it was a whole new OS, what else could I expect. But, it seemed like I wasn't even able to copy my newly generated ssh-id to the remote machine. I kept getting a permission denied error on executing the ssh-copy-id command as seen below.

ssh-copy-id root@droplet_ip_address
The authenticity of host 'droplet_ip_address (droplet_ip_address)' can't be established.
ECDSA key fingerprint is SHA256:/K+ZNPJXjcuGPd70X2siC27XSRAZUU8.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@droplet_ip_address: Permission denied (publickey).

After few hours of a struggle, since I am not much of a bash or linux person, I finally got it to work by doing the following

Step 1: On your remote machine/digital ocean

In this step, we setup our remote server to allow clients to login via a password prompt. You'd be running these from the web console of your digitalocean droplet.
vi /etc/ssh/sshd_config
Find the following line. It might be currently commented out with a hash
# PasswordAuthentication no
Replace it with the following line.
PasswordAuthentication yes
Now restart your ssh. To restart ssh on an ubuntu droplet
sudo /etc/init.d/ssh restart

Step 2: On your local machine

Run these commands on your local development machine, usually your mac or ubuntu
# Generate your ssh keys
ssh-keygen -t rsa

# If you want to generate an ssh key using a different email
# ssh-keygen -t rsa -C "[email protected]"

# If you used a custom filename as the output of the ssh key generation step
# you will have to add it to ssh so it can use it for authentication
ssh-add /Users/ryan/.ssh/custom_id_rsa
  • OPTIONAL STEP * Check if your local machine was already connected to a previous version of the droplet. This is likely if you are reusing an old droplet.
cat ~/.ssh/known_hosts | grep droplet_ip_address
If you find an entry, use your favorite text editor like vi or nano to either delete that entry or comment it out by prefixing it with a hash Then restart your local ssh as follows
# If your local machine is a mac
sudo launchctl stop com.openssh.sshd

# If your local machine is Ubnuntu
sudo /etc/init.d/ssh restart
Now you should be able to run the following command to copy the ssh key to your remote machine.
ssh-copy-id root@droplet_ip_address

# OR, if you used a custom rsa file name during generation, like I did
# ssh-copy-id -i /Users/ryan/.ssh/digital_ocean_rsa username@droplet_ip_address
NOTE: The username can be root, but ideally you should create a new user with root level privileges on your remote machine as a security precaution and use that for such tasks.
You will be prompted to enter your password to connect to the remote machine(because in step 1 we configured the remote machine to allow password based login) Once the above command runs successfully, you can then directly ssh into your remote machine using
ssh username@droplet_ip_address

Step 3: On your remote machine

Now that we are able to safely ssh, we can disable password authentication that we enabled in Step 1. So, basically, just go ahead and undo the changes we did in Step 1.
vi /etc/ssh/sshd_config

# Replace
PasswordAuthentication yes
# with
# PasswordAuthentication no
Now restart ssh on your remote machine
sudo /etc/init.d/ssh restart
Thats it. Hopefully this will work for you as it did for me. If it does'nt, let me know what did work for you.



Also Read:

  1. How to publish a package on npm