
Resolving ssh permission denied issue on digitalocean

I recently rebuilt my droplet on digital ocean using a new kernel (after taking a backup, of course), and I wasn’t able to log in from my local machine using ssh. Since it was a whole new OS, what else could I expect?

But, it seemed like I wasn’t even able to copy my newly generated ssh-id to the remote machine. I kept getting a permission denied error on executing the ssh-copy-id command as seen below.

ssh-copy-id username@droplet_ip_address
The authenticity of host 'droplet_ip_address (droplet_ip_address)' can't be established.
ECDSA key fingerprint is SHA256:/K+ZNPJXjcuGPd70X2siC27XSRAZUU8.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@droplet_ip_address: Permission denied (publickey).

After a few hours of struggle, since I am not much of a bash or linux person, I finally got it to work by doing the following.

Step 1: On your remote machine/digital ocean

In this step, we set up our remote server to allow clients to log in via a password prompt.
You’d be running these from the web console of your digitalocean droplet.

vi /etc/ssh/sshd_config

Find the following line. It might be currently commented out with a hash

# PasswordAuthentication no

Replace it with the following line.

PasswordAuthentication yes

Now restart your ssh.

To restart ssh on an ubuntu droplet

sudo /etc/init.d/ssh restart

Step 2: On your local machine

Run these commands on your local development machine, usually your mac or ubuntu

# Generate your ssh keys
ssh-keygen -t rsa

# If you want to generate an ssh key using a different email
# ssh-keygen -t rsa -C "your_email@example.com"

# If you used a custom filename as the output of the ssh key generation step
# you will have to add it to ssh so it can use it for authentication
ssh-add /Users/ryan/.ssh/custom_id_rsa

Check if your local machine was already connected to a previous version of the droplet. This is likely if you are reusing an old droplet.

cat ~/.ssh/known_hosts | grep droplet_ip_address

If you find an entry, use your favorite text editor like vi or nano to either delete that entry or comment it out by prefixing it with a hash

Then restart your local ssh as follows

# If your local machine is a mac
sudo launchctl stop com.openssh.sshd

# If your local machine is Ubuntu
sudo /etc/init.d/ssh restart

Now you should be able to run the following command to copy the ssh key to your remote machine.

ssh-copy-id username@droplet_ip_address

# OR, if you used a custom rsa file name during generation, like I did
# ssh-copy-id -i /Users/ryan/.ssh/digital_ocean_rsa username@droplet_ip_address

NOTE: The username can be root, but ideally you should create a new user with root level privileges on your remote machine as a security precaution and use that for such tasks.

You will be prompted to enter your password to connect to the remote machine (because in Step 1 we configured the remote machine to allow password-based login).

Once the above command runs successfully, you can then directly ssh into your remote machine using

ssh username@droplet_ip_address

Step 3: On your remote machine

Now that we are able to safely ssh, we can disable password authentication that we enabled in Step 1. So, basically, just go ahead and undo the changes we did in Step 1.

vi /etc/ssh/sshd_config

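# Replace
PasswordAuthentication yes
# with (leave the line uncommented: sshd's default for this option is yes,
# so a commented-out line would keep password logins enabled)
PasswordAuthentication no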

Now restart ssh on your remote machine

sudo /etc/init.d/ssh restart
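
Added example (not from the original post): a commented-out `# PasswordAuthentication no` leaves sshd on its compiled-in default, which is `yes`, so Step 3 only takes effect when the line is uncommented. The hypothetical helper `effective_password_auth` below reads a config file by the rules in sshd_config(5) (lines starting with `#` are ignored, the first value obtained for a keyword wins); the sample configs are constructed, and `Include` files and `Match` blocks are assumed absent and are not evaluated.

```shell
#!/bin/sh
# Print the global PasswordAuthentication value sshd would use for the
# config file given as $1.
effective_password_auth() {
    awk '
        # Skip comment lines and blank lines.
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            # Keyword and value may be separated by whitespace or one "=".
            sub(/=/, " ")
            key = tolower($1)            # keywords are case-insensitive
            # Stop at the first Match block: later lines are conditional.
            if (key == "match") exit
            if (key == "passwordauthentication") {
                val = $2; found = 1      # first obtained value wins
                exit
            }
        }
        # No global directive found: fall back to the sshd default.
        END { print (found ? val : "yes") }
    ' "$1"
}

# Constructed sample configs showing the three states Step 3 can end in.
demo() {
    tmp=$(mktemp -d)
    # Line left commented out: password logins stay enabled.
    printf '%s\n' 'Port 22' '# PasswordAuthentication no' > "$tmp/commented"
    # Line uncommented: password logins disabled.
    printf '%s\n' 'Port 22' 'PasswordAuthentication no' > "$tmp/explicit"
    # "no" appended below an earlier "yes": the earlier line still wins.
    printf '%s\n' 'PasswordAuthentication yes' 'PasswordAuthentication no' \
        > "$tmp/shadowed"
    for f in commented explicit shadowed; do
        printf '%-10s -> PasswordAuthentication %s\n' \
            "$f" "$(effective_password_auth "$tmp/$f")"
    done
    rm -rf "$tmp"
}

demo
```

On the droplet itself, `sudo sshd -T | grep -i passwordauthentication` prints the value the installed configuration resolves to, including any `Include` files.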

That's it. Hopefully this will work for you as it did for me. If it doesn't, let me know what did work for you.



Ryan Sukale

Ryan is just a regular guy next door trying to manage his life and finances.