logging into user on server: permission denied (publickey)

2019-11-14


I recently spun up a DigitalOcean droplet and almost immediately ran into problems logging into it.

For context - the steps I took were:

  1. Log in as root:
$ ssh -i ~/.ssh/mykey root@host
  2. Create a new user
$ adduser $USERNAME
  3. Add that user to the super user group
$ usermod -aG sudo $USERNAME
  4. I switched to the user to confirm that the user was created properly
$ su $USERNAME
  5. Exit to get back to my local computer
$ exit
$ exit

Needed to exit twice because the first one exited the user to return to root, the second exit is from root.

  6. Now, I tried to log into my user directly
$ ssh $USERNAME@host

This was when things started not working correctly.

$ ssh $USERNAME@host
$USERNAME@host: Permission denied (publickey).

I was expecting to be able to type in my password, but my server seemed to be configured to only accept login via a public/private key exchange.

Allowing Direct Login Via SSH

To enable logging into my server directly as a user (rather than root - since my goal is to disable root eventually), I needed to be able to configure the user’s SSH key.

To do that I followed the following steps:

  1. Log into the server as root
  2. Modify (temporarily) the sshd_config for the server:

    • vim /etc/ssh/sshd_config
    • Find the PasswordAuthentication section and set it to yes
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes
  3. Reload the sshd
$ service sshd reload
  4. Exit the server and return to your local machine.
  5. Use ssh-copy-id, a tool from OpenSSH, to copy your public key to the server for the user.
$ ssh-copy-id -i ~/.ssh/mykey $USERNAME@host

If successful, you should see a printout that ends like:

Number of key(s) added:        1

Now try logging into the machine, with:   "ssh '$USERNAME@host'"
and check to make sure that only the key(s) you wanted were added.
  6. Give it a go - you should see something like:
$ ssh -i ~/.ssh/mykey $USERNAME@host
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-166-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

New release '18.04.3 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


Last login: Sun Nov  3 15:55:34 2019 from xxx.xxx.xxx.xxx

Quick Summary

We couldn’t log into our user via ssh because:

  1. We hadn’t configured the ssh public key for the user yet
  2. The server did not allow password authentication for logging in.

The solution was:

  1. Allow password authentication (temporarily) (in sshd_config)
  2. Copy the public key to the server with ssh-copy-id

As a final step, I logged back into root for a moment to modify sshd_config to once again not accept password authentication, but that’s a user preference decision.
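
An alternative that never turns PasswordAuthentication on, shown as an added example that is not part of the original post: while still logged in as root, write the user's public key into their authorized_keys directly. The function name install_pubkey and its arguments are hypothetical, and the mode checks described in the comments assume sshd's default StrictModes setting.

```shell
#!/bin/sh
# Added example, not from the original post. install_pubkey is a hypothetical
# helper: run it as root on the server to authorise a key for a user without
# enabling PasswordAuthentication.
# usage: install_pubkey HOME_DIR PUBKEY_FILE [OWNER]
install_pubkey() {
    home_dir=$1 pubkey_file=$2 owner=${3:-}
    ssh_dir=$home_dir/.ssh
    auth_file=$ssh_dir/authorized_keys

    # Take the first non-empty line and refuse anything that does not look like
    # an OpenSSH public key (guards against pasting a private key by mistake).
    key=$(grep -v '^[[:space:]]*$' "$pubkey_file" | head -n 1) || return 1
    case $key in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *|sk-*\ *) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac

    # With StrictModes (the default) sshd ignores authorized_keys when the
    # directory or file is writable by anyone other than the owner.
    mkdir -p "$ssh_dir" || return 1
    chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" || return 1
    chmod 600 "$auth_file" || return 1

    # Idempotent: append only if this exact line is not already present.
    grep -qxF -- "$key" "$auth_file" || printf '%s\n' "$key" >> "$auth_file"

    # When run as root, hand ownership to the login user; skipped if OWNER is omitted.
    if [ -n "$owner" ]; then
        chown -R "$owner" "$ssh_dir" || return 1
    fi
}
```

Run as root, for example `install_pubkey "/home/$USERNAME" /root/.ssh/authorized_keys "$USERNAME"`, which reuses the first key already authorised for root; any file holding the public half of the key works as the second argument.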



Hi there and thanks for reading! My name's Stephen. I live in Chicago with my wife, Kate, and dog, Finn.