Resolving an SSH permission denied issue on DigitalOcean
I recently rebuilt my droplet on DigitalOcean using a new kernel (after taking a backup, of course), and I wasn't able to log in from my local machine using ssh. Since it was a whole new OS, what else could I expect?
But it seemed like I wasn't even able to copy my newly generated ssh-id to the remote machine. I kept getting a permission denied error on executing the ssh-copy-id command, as seen below.
ssh-copy-id [email protected]_ip_address
The authenticity of host 'droplet_ip_address (droplet_ip_address)' can't be established.
ECDSA key fingerprint is SHA256:/K+ZNPJXjcuGPd70X2siC27XSRAZUU8.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]_ip_address: Permission denied (publickey).
After a few hours of struggle, since I am not much of a bash or Linux person, I finally got it to work by doing the following.
Step 1: On your remote machine/digital ocean
In this step, we set up our remote server to allow clients to log in via a password prompt.
You’d be running these from the web console of your digitalocean droplet.
In /etc/ssh/sshd_config (the file edited again in Step 3), find the following line. It might currently be commented out with a hash.
# PasswordAuthentication no
Replace it with a line that sets PasswordAuthentication to yes (the setting that Step 3 reverts).
Now restart ssh. To restart it on an Ubuntu droplet:
sudo /etc/init.d/ssh restart
Step 2: On your local machine
Run these commands on your local development machine, usually your Mac or Ubuntu machine.
# Generate your ssh keys
ssh-keygen -t rsa
# If you want to generate an ssh key using a different email
# ssh-keygen -t rsa -C "[email protected]"
# If you used a custom filename as the output of the ssh key generation step
# you will have to add it to ssh so it can use it for authentication
ssh-add /Users/ryan/.ssh/custom_id_rsa
* OPTIONAL STEP *
Check if your local machine was already connected to a previous version of the droplet. This is likely if you are reusing an old droplet.
cat ~/.ssh/known_hosts | grep droplet_ip_address
If you find an entry, use your favorite text editor, like nano, to either delete that entry or comment it out by prefixing it with a hash.
Then restart your local ssh as follows:
# If your local machine is a mac
sudo launchctl stop com.openssh.sshd
# If your local machine is Ubuntu
sudo /etc/init.d/ssh restart
Now you should be able to run the following command to copy the ssh key to your remote machine.
ssh-copy-id [email protected]_ip_address
# OR, if you used a custom rsa file name during generation, like I did
# ssh-copy-id -i /Users/ryan/.ssh/digital_ocean_rsa [email protected]_ip_address
root, but ideally you should create a new user with root level privileges on your remote machine as a security precaution and use that for such tasks.
You will be prompted to enter your password to connect to the remote machine (because in Step 1 we configured the remote machine to allow password-based login).
Once the above command runs successfully, you can then ssh directly into your remote machine using
ssh [email protected]_ip_address
Step 3: On your remote machine
Now that we are able to safely ssh, we can disable password authentication that we enabled in Step 1. So, basically, just go ahead and undo the changes we did in Step 1.
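vi /etc/ssh/sshd_config
# Replace
#   PasswordAuthentication yes
# with the line below. Leave it uncommented: a commented-out line falls back
# to the OpenSSH default, which is yes.
PasswordAuthentication no
Now restart ssh on your remote machine: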
sudo /etc/init.d/ssh restart
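The check below is an added example, not part of the original post: it reads an sshd_config-style file and reports the PasswordAuthentication value that applies globally, which shows why the line in Step 3 has to stay uncommented. The function name effective_password_auth and the sample files are constructed for illustration; Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# effective_password_auth FILE  (hypothetical helper, added for illustration)
# Prints the PasswordAuthentication value sshd takes from the global section
# of FILE: commented lines are ignored, the first uncommented occurrence
# wins, and the OpenSSH built-in default is "yes".
effective_password_auth() {
    awk '
        /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
        {
            sub(/[ \t]*=[ \t]*/, " ")       # accept "Key=value" as well as "Key value"
            key = tolower($1)               # keywords are case-insensitive
            if (key == "match") exit        # global section ends at the first Match
            if (key == "passwordauthentication") {
                print tolower($2)
                found = 1
                exit                        # first occurrence wins
            }
        }
        END { if (!found) print "yes" }     # nothing set: built-in default
    ' "$1"
}

# Constructed sample files, not taken from a real droplet.
tmp=$(mktemp)

# A commented-out "no" changes nothing.
printf '%s\n' '# PasswordAuthentication no' 'PermitRootLogin yes' > "$tmp"
echo "commented-out line: $(effective_password_auth "$tmp")"

# An explicit, uncommented "no" disables password logins.
printf '%s\n' 'PermitRootLogin yes' 'PasswordAuthentication no' > "$tmp"
echo "explicit line:      $(effective_password_auth "$tmp")"

rm -f "$tmp"
```

On the droplet itself, `sudo sshd -T | grep -i passwordauthentication` prints the value sshd actually resolves, including any Include files.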
That's it. Hopefully this will work for you as it did for me. If it doesn't, let me know what did work for you.