When you encounter the “Permission denied (publickey)” error while using ssh-copy-id, it typically means that the SSH server is unable to authenticate your public key. This issue can arise due to several reasons, such as incorrect permissions on the .ssh directory or the authorized_keys file, or the public key not being correctly added to the server.
Resolving this error is crucial for maintaining secure SSH connections, as it ensures that only authorized users can access the server, protecting sensitive data and preventing unauthorized access.
Here are the common causes for the “SSH copy ID permission denied (publickey)” error:
Incorrect SSH Key Permissions:
- The private key should have permissions set to 600 (readable only by the user).
- The .ssh directory should have permissions set to 700 (accessible only by the user).
- The authorized_keys file on the server should have permissions set to 600.
Missing Public Key in the authorized_keys File:
- The public key must be present in the ~/.ssh/authorized_keys file on the server.
- Check for anything in the authorized_keys file that might cause issues.
SSH Configuration Errors:
- The sshd_config file on the server might not be set up to allow key-based authentication. Ensure PubkeyAuthentication yes is set.
- The path to the authorized_keys file might be incorrect. Ensure AuthorizedKeysFile .ssh/authorized_keys is correctly specified.
- On the client, check the IdentityFile setting in the ssh_config file.
Key Mismatch:
- Use ssh-keygen -lf /path/to/key to verify the fingerprints.
Outdated SSH Software:
Firewall or Security Software:
These steps should help you diagnose and resolve the “permission denied (publickey)” error.
Here are the steps to check and correct SSH key permissions:
Check the permissions of the .ssh directory:
ls -ld ~/.ssh
Expected output:
drwx------ 2 user user 4096 date time .ssh
Set the correct permissions for the .ssh directory:
chmod 700 ~/.ssh
Check the permissions of the private key file (id_rsa):
ls -l ~/.ssh/id_rsa
Expected output:
-rw------- 1 user user 1675 date time id_rsa
Set the correct permissions for the private key file:
chmod 600 ~/.ssh/id_rsa
Check the permissions of the public key file (id_rsa.pub):
ls -l ~/.ssh/id_rsa.pub
Expected output:
-rw-r--r-- 1 user user 400 date time id_rsa.pub
Set the correct permissions for the public key file:
chmod 644 ~/.ssh/id_rsa.pub
Check the permissions of the authorized_keys file:
ls -l ~/.ssh/authorized_keys
Expected output:
-rw------- 1 user user 400 date time authorized_keys
Set the correct permissions for the authorized_keys file:
chmod 600 ~/.ssh/authorized_keys
These steps should help resolve the “permission denied (publickey)” error when using ssh-copy-id.
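The checks above can be run in one pass. The script below is an added example, not part of the original page; the function names are hypothetical, and it treats the listed modes as maximums so that a stricter mode (for example 400 on a private key) still passes.

```shell
#!/bin/sh
# Added example: audit an SSH directory against the modes listed above.
# A mode passes when it grants nothing beyond the listed maximum, so a
# stricter mode such as 400 on a private key is not reported.

mode_of() {  # octal permission bits: GNU stat first, BSD/macOS stat as fallback
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

check_mode() {  # check_mode PATH MAX_MODE
    [ -e "$1" ] || return 0   # an absent file is not a permissions problem
    actual=$(mode_of "$1")
    # Bits set in the actual mode that the maximum does not allow.
    excess=$(( 0$actual & ~0$2 & 0777 ))
    if [ "$excess" -ne 0 ]; then
        echo "BAD  $1 is $actual, expected at most $2 (fix: chmod $2 $1)"
        return 1
    fi
    echo "OK   $1 is $actual"
}

audit_ssh_dir() {  # audit_ssh_dir [DIR]; returns non-zero if anything is too open
    dir=${1:-$HOME/.ssh}
    rc=0
    check_mode "$dir" 700 || rc=1
    check_mode "$dir/authorized_keys" 600 || rc=1
    for pub in "$dir"/*.pub; do
        [ -e "$pub" ] || continue
        check_mode "$pub" 644 || rc=1
        check_mode "${pub%.pub}" 600 || rc=1   # the matching private key
    done
    return "$rc"
}
```

Source the file and run audit_ssh_dir on both the client and the server account, since the private key lives on one side and authorized_keys on the other.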
To verify that the public key is correctly added to the authorized_keys file on the server, follow these steps:
Change to the .ssh directory:
cd ~/.ssh
Display the authorized_keys file:
cat authorized_keys
If you keep getting ssh-copy-id permission denied (publickey) errors, consider these points:
Permissions: Ensure the .ssh directory and authorized_keys file have the correct permissions:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Correct User: Verify you are copying the key to the correct user and server:
ssh-copy-id user@server
SSH Configuration: Check the server’s SSH configuration (/etc/ssh/sshd_config) to ensure PubkeyAuthentication is enabled.
These steps should help resolve the permission denied (publickey) issue and confirm your public key is correctly added.
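Reading authorized_keys by eye misses wrapped or truncated keys. The script below is an added example, not part of the original page: it compares the key type and base64 blob of a public key file with every entry in an authorized_keys file. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: check that a public key is really present in authorized_keys,
# comparing key type and base64 blob rather than eyeballing `cat` output.

# key_blob: print "type blob" for every key line on stdin. Comments, blank
# lines, a leading options field (command="...",no-pty) and the trailing
# comment are ignored. Assumes no option value contains " ssh-" after a space.
key_blob() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-|sk-)/) {
                    print $i, $(i + 1)
                    next
                }
            # The tail of a key split by a stray line break ends up here.
            printf "line %d: no complete key (wrapped or truncated?)\n", NR > "/dev/stderr"
        }'
}

# key_is_authorized PUBKEY_FILE AUTHORIZED_KEYS_FILE
# Returns 0 if the key is listed, 1 if it is not, 2 if PUBKEY_FILE has no key.
key_is_authorized() {
    want=$(key_blob < "$1" | head -n 1)
    [ -n "$want" ] || { echo "no public key found in $1" >&2; return 2; }
    key_blob < "$2" | grep -Fxq -- "$want"
}

# Usage: key_is_authorized id_rsa.pub authorized_keys && echo "key is listed"
```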
Misconfigured SSH Configuration File (sshd_config):
- The path to the authorized_keys file is incorrect.
- Ensure PubkeyAuthentication yes is set and the AuthorizedKeysFile path is correct in /etc/ssh/sshd_config. Restart the SSH service after making changes.
Incorrect Permissions on .ssh Directory and authorized_keys File:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Key Mismatch:
ssh-keygen -lf /path/to/key
Incorrect Username:
ssh user@hostname
Verbose Output for Debugging:
ssh -vvvv user@hostname
By checking these common issues, you can identify and fix the errors causing the “Permission denied (publickey)” message.
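For the sshd_config check, a grep for PubkeyAuthentication can mislead when the keyword appears more than once. The script below is an added example, not part of the original page; the function names are hypothetical, and it reads only the global section of a single file.

```shell
#!/bin/sh
# Added example: report the value sshd would use from the global section of
# sshd_config. sshd keeps the FIRST value it reads for a keyword, so a
# "PubkeyAuthentication yes" appended below an earlier "no" changes nothing.
# Not handled here: Include files, Match blocks, "Keyword=value" syntax.

# effective_sshd_option KEYWORD DEFAULT [FILE]
effective_sshd_option() {
    awk -v key="$1" -v def="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }                    # comment line
        tolower($1) == "match" { exit }        # global section ends here
        tolower($1) == key {                   # keywords are case-insensitive
            $1 = ""; sub(/^[ \t]+/, "")
            print; found = 1; exit
        }
        END { if (!found) print def }
    ' "${3:-/etc/ssh/sshd_config}"
}

# check_pubkey_config [FILE]: non-zero if key authentication is switched off.
check_pubkey_config() {
    pk=$(effective_sshd_option PubkeyAuthentication yes "$1")
    akf=$(effective_sshd_option AuthorizedKeysFile \
        ".ssh/authorized_keys .ssh/authorized_keys2" "$1")
    echo "PubkeyAuthentication $pk"
    echo "AuthorizedKeysFile $akf"
    [ "$pk" = yes ]
}
```

On the server itself, sshd -T (run as root) prints the full effective configuration and is the authoritative check.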
To debug the “permission denied (publickey)” error when using ssh-copy-id, you can use the verbose mode with the -v flag. This provides detailed output of the SSH connection process, helping you identify where the issue lies.
Here’s how to use it:
ssh -v user@hostname
Key Exchange:
- Look for lines starting with debug1:, debug2:, or debug3:. These indicate the stages of the SSH connection.
- debug1: SSH2_MSG_KEXINIT sent shows the key exchange initialization.
Authentication Methods:
- debug1: Authentications that can continue: publickey indicates that public key authentication is being tried.
Public Key Authentication:
- Look for debug1: Offering public key: /path/to/key.
- If it is followed by debug1: Authentications that can continue: publickey, it means the key was not accepted.
Permission Issues:
- A successful login shows debug1: Authentication succeeded (publickey).
- If you see Permission denied (publickey), it indicates a problem with the key or its permissions.
By carefully reading these debug messages, you can pinpoint whether the issue is with the key itself, its permissions, or the SSH configuration.
When using ssh-copy-id, it’s essential to understand the common issues that can cause this problem.
- Permissions: use chmod 700 ~/.ssh and chmod 600 ~/.ssh/authorized_keys to set them correctly.
- Key mismatch: compare fingerprints with ssh-keygen -lf /path/to/key. If they don’t match, generate a new key pair and copy the new public key to the server.
- Username: confirm it with ssh user@hostname.
- Verbose output: run ssh -vvvv user@hostname.
When debugging the issue, pay attention to the output of the SSH connection. Look for lines starting with debug1:, debug2:, or debug3:, which indicate the stages of the SSH connection. Check for authentication methods attempted and public key authentication specifically.
If you see a message about permissions, such as ‘Permission denied (publickey)’, it indicates a problem with the key or its permissions. By carefully reading these debug messages, you can pinpoint whether the issue is with the key itself, its permissions, or the SSH configuration.
Correct SSH key management and configuration are crucial to resolving this error. Ensure that your keys are properly generated, stored, and configured on both the client and server sides.