I have a Digital Ocean droplet I'm trying to give myself ssh access to. I'm not sure what was done to it previously. I've tried added my public key through the Digital Ocean UI. That didn't work, I kept getting permission denied (publickey)
.
I accessed the server through the Digital ocean console and manually added my public key to /root/.ssh/authorized_keys
. I then tried to ssh using ssh root@x.x.x.x
. That didn't work (permission denied).
So I tried adding a new user, created the /home/me/.ssh
directory with permissions 700
on the .ssh
directory itself, and 600
on the authorized_keys
file. Then I tried ssh me@x.x.x.x
. That didn't work either.
Restarting the ssh daemon doesn't change anything either.
What am I missing?
Edit:
Here is verbose ssh output.
https://gist.github.com/jaesung2061/a37cfd68308414cede8abf7f0137daa9
Edit 2:
LogLevel DEBUG3
output:
Best Answer
Client Configuration
Set up
~/.ssh/config
Setting up host entries for
ssh
is really easy and will save you a lot of trouble. Here is an example:In this example, we setup
digitaloceanbox
andgithub
andgithub.com
so that we can do the following commands:ssh github
ssh digitaloceanbox
If we want to login as a different user than the one specified in the config file, we just put
user@
at the begining:ssh user@digitaloceanbox
Generating
ssh
keysNote that I've specified the full path of the private key I want to generate when prompted by
ssh-keygen
. I've also defined the comment (-C
) which allows me to easily identify keys on remote machines.This will create two files:
.ssh/digitalocean-rsa
.ssh/digitalocean-rsa.pub
When you provide your
ssh
key, be sure it's the.pub
version!! When you add to your~/.ssh/config
, be sure to add the correct private key that matches the public key you added to the system.Server Configuration
Most installations will come with Public Key Authentication enabled. If you start doing things all willy nilly, you might run into a few problems, however. At where the OP is in their problem, I recommend that the OP deletes the
/root/.ssh/
directory to start over.It is not recommended that you use
ssh
to access the root user on the remote system. It is recommended that youssh
into another user, and then escalate to root using your password (sudo su -
).Add keys to host using
ssh-copy-id
Regardless of whether you decide to create another user and use
ssh
as that user, or the root user, the following is the recommended way of placingssh
keys on a server:ssh-copy-id -i /home/user/.ssh/digitalocean-rsa.pub user@digitaloceanbox
This allows
sshd
to create the directory and files needed with the permissions needed. This means there is zero chance for you to mess up permissions or needing to remember the details. Just use the tool to upload the keys.Disable Password Authentication
That being said, once you have key'd yourself and verified that you are able to connect using the keys, it is recommended that you disable Password Authentication in
sshd
and restart the service:/etc/ssh/sshd_config
PasswordAuthentication no
sudo systemctl restart sshd
What about new users?
If you disable Password Authentication, how can you key new users? One way is to add template files to the
/etc/skel
directory. Once you've key'd one user, do the following:sudo cp -r .ssh/ /etc/skel/
ls /etc/skel/.ssh
/etc/skel/.ssh/
so that they are blank, unless you want to automatically key yourself for every newly created user.When you create new users with
sudo useradd -m newuser
, that user will have the.ssh/authorized_keys
, which you can edit and will have the proper permissions.Debugging
You can watch the
sshd
log file to see why connections fail or get refused:sudo tail -f /var/log/auth.log
While you're running this command, use another terminal to attempt a login. Many times the messages provided are good enough to help pinpoint the problem, or find a solution online.