Fix for SSH Permission Denied (Public Key)

Captions
In this video I want to talk about steps you can take when you attempt to SSH into a remote server or system using SSH keys as your authentication method and it fails, specifically when it fails with the error "Permission denied (publickey)".

Now, to understand why this is failing, let's first talk big picture about how SSH keys work. For this I'm going to refer to another guide I have on setting up SSH keys, because there's a useful graphic down here that visualizes the whole process. Looking at this, the way that SSH keys work is you have what's referred to as a key pair that contains two keys: a private key and a public key. The private key needs to exist on your computer, or whatever system you're connecting from, and the public key has to exist on the server or system that you're connecting to. When you attempt to make an SSH connection between these systems, the SSH protocol is going to read these keys and look for a match, and assuming it finds a match, it's going to authenticate you and allow you to have access to that server.

Knowing this, if you're attempting to connect and it's failing, we basically have to check these two keys. We have to make sure that they're a match, we have to make sure they exist in the appropriate location on both systems, and finally we want to make sure that when you're attempting to make the connection, the system that you're connecting from is actually trying to use the keys that you've specified. So with those checks in mind, let's go through that process and check each of those things.

To do this I'm going to go back to the notes for this guide, and I'm going to start down here with step number one: making sure that your keys are a match. The first thing we want to do here is move into our computer's SSH directory, where our keys should be generated. So I'm going to bring up my command line window, I'm going to change into my home directory and that .ssh directory, and I'm going to run a list command to see the contents. From this output you just want to confirm that you have the keys that you're expecting, the ones that you generated when setting up the SSH connection. For this example I'm going to focus on this last pair I have in this directory, called Susan's MacBook. This is the key pair I'm going to be using to attempt to connect to my server.

All right, so I see those two files exist. The file without the extension is the private key; that's the one that must exist on the computer you're connecting from. The public key is the one that a copy of needs to be installed on the server you're connecting to, and I'll talk about that in a moment. But before we do that, I want to first make sure that these keys are actually a match. The way you can do that, if we go back to the notes, is there's a command we can run that is going to interpret the private key and output what the corresponding public key should be, and we can look at that output and compare it against the contents of our public key and make sure that they're actually a match.

So to do that I'm going to run this ssh-keygen command. There are a few flags added there, and then you just want to follow that up with the name of your private key. So I'm going to run that. All right, so this is telling me that for that private key, this is the corresponding public key that it's expecting. Let's now look at our public key contents and make sure that it's a match. I'll just use the cat command here; that'll output the contents of the public key file. From this output we want to focus on the key itself, so that starts with these characters and goes all the way down here to this equals sign. If we look at the output from above, we can see that this is a match. You can see the key starts with four A's, B3N, etc., and we see the same thing down here. You can see the ending of the key: it ends with this 6K=, we can see that here, and we can assume that everything else in the middle is a match.

Since that checks out, let's move on to our next step, which is making sure that our SSH protocol is actually attempting to use this key pair. The way we're going to do that is, if we look at the directory contents of our SSH directory again, we should have this file called config. This is our SSH config file, and I'm going to open it up here in the command line using the nano text editor, so I'm going to say nano config. Within this file we want to make sure we have a line called IdentityFile, and it should specify the path to our private key. In my case you can see I've got that line there. I can double check that the path is correct; everything looks good there, so I don't need to make any changes here. I just want to check that this exists, and again, this will make it so that when we attempt to make an SSH connection, it's going to attempt to use this key.

Now I should note this is only necessary if, when you generated your keys, you gave them a custom name. If you use the default name it prompts you to use, which is id_rsa, you don't have to have this line in your config file, because it's always going to attempt to use a key called id_rsa, because it is the default. So this step is only necessary if you came up with a custom key name.

All right, in my case it checks out, so I'm going to exit out of nano, and then the next thing I'm going to do is actually attempt the SSH connection, but I'm going to add a -v flag to my ssh command. This is short for verbose, and what this is going to do is give me extra debugging information about the connection, specifically when it fails, so that I can look at that information and make sure it is actually attempting to use the key pair that I'm expecting. So let's attempt a connection here. I'm going to connect to the server I'm working with in this example under my root username; of course you would want to change this for whatever username you're connecting as, and then you want to follow that up with the IP address or the server name that you're connecting to.

You can see here's all that debugging output we get from that -v flag, and we just want to skim through here and make sure we see reference to the key pair we're expecting. Right, so here's that reference to my Susan's MacBook private key within my home directory's SSH directory. So it looks like that was offered; it did use that, which means I did set up my config file correctly. But obviously the connection is still failing, so we've still got a problem here.

At this point I've reached the end of the things I can check on my computer in terms of why it might be failing, so now I have to turn my attention to the server I'm attempting to connect to and see what might be wrong there. Specifically, the first thing I want to check, coming back to our diagram, is that I properly installed the corresponding public key on the server. Now the tricky part about this is, in order to check that this public key exists on the server, I have to be able to connect to the server, and obviously right now I am not able to do that; my attempts to connect are failing. So how do we do that? Well, there are a few different options.

Option one: you might have some other computer that is able to connect to the server. Let's say you had an existing work computer that had an SSH key set up with the server. Fine, you're able to connect, and what you're trying to set up now is maybe a new computer or a private computer, something like that. In that case you would want to go on the computer that already has access and connect to that server so that you can check the public keys. Or alternatively, maybe you have a colleague that has access to the server who can get in and check them for you.

If you don't have that as an option, let's say it's a brand new server and you don't already have a computer that's connected to it, another thing you might be able to do is connect and authenticate using a username and password. Now in my case that's not possible, because as you saw, when I attempt to connect to the server it just failed. It tried to use the SSH keys, it wasn't able to connect, and it never actually prompted for a username and password. That's because this server is configured to not allow username and password logins, because they're considered less secure than an SSH connection. That's not going to be the case on all servers. You might see that when you go to SSH in, it fails because your SSH keys aren't working, but it then prompts you for a username and password, and if you know what that information is, that's how you could log in and then you could check your keys.

Let's say it's asking for your username and password but you're not sure what your authentication password is for your server. Oftentimes you can find that information out from your server provider. To demonstrate this, let me go back and go to my server provider. Just as an example, this is digitalocean.com. I'm currently logged into my control panel, and the server I'm trying to connect to is this one right here called demo. If I go into my options here, there's an option called Access, and then within here there's an option to reset my root password. If I did this, it would email me a new password I could use to connect to the server, and the first time I connect it would prompt me to reset that password for security purposes. So that is one option. But again, in my case this wouldn't even be an option I could use, because even if I knew what the password was for that root user, password authentication is disabled, so I wouldn't be able to do that.

Knowing that, that brings me to the third and final way that we can get access to the server, and that's via my server provider itself. In the case of DigitalOcean, it provides this option called Console; you can see more information about it here. What this is going to do is provide terminal-like access to my server via my web browser. Let me show you what it looks like. Let's go ahead and launch the console. You can see it's connecting to my server, and now I'm connected and I've got command line access to my server. So definitely look around in your server provider for options, whether it be resetting your user's password or accessing some sort of web console. It might be called something else in different providers, but many providers provide this as an option, essentially as an emergency way to get access to your server if you're otherwise locked out, which we currently are.

All right, so let me bring back that window that's connected to my server. Now that we're on the server, we want to check and make sure that our public SSH key is properly installed on the server. The way we're going to do that is we're going to again go to the .ssh directory in the home directory; of course this time it's not on our computer, we're dialed into our server. Then within here we want to look for a file called authorized_keys. This is where public keys that have access to the server should be placed. So go ahead and open that with nano.

Looking through here, you can see there's one key that's here, but there's a comment that says it was added and managed by the DigitalOcean Droplet Agent. So this key was actually added by DigitalOcean when I loaded the console; that's what gives me access to the server via this console. But that's not the key we're trying to connect with. If we go back to my terminal window and look at the contents of my Susan's MacBook .pub key, this is the key that we should see in that file in order to have that access using this key pair, and that's clearly not there. So in my case this is my problem. This is why I'm not able to connect: because the corresponding public key is not on the server as expected.

So let's fix that. I'm going to go back and copy the contents of that key, starting with ssh-rsa all the way to the end of the identifier I gave to that key, basically the full contents. Copy that, go back to the web console, paste it in, and then I'm going to save my changes in nano. The way we do that is we hold down Ctrl+X, we type y to confirm, and we hit Enter. Let's just double check that. I'll use the cat command to look at the contents of my authorized_keys file, and that looks good. The first few lines are for the console key, and then following that, on its own line, is the key for my computer.

All right, so let's exit the console, come back to my terminal window, and attempt our SSH connection again, and hopefully it should work this time. I'm just going to use the up arrow and go back to the ssh command I had used previously. I'll leave the verbose flag in there; there's no harm in having it output debugging information, but I think it should connect this time. So let's give it a shot, and perfect, there we go. We can see the prompt for our server, and we're no longer seeing that permission denied error. Looks like the problem was fixed, and in my case it was just a matter of not having that public key properly installed on the server.

Hopefully along the way this solved your problem as well, but if not, here's a recap of the steps that we took. The first thing we did was make sure on our computer that our keys existed and that they were a match with one another. We also had to make sure that our local SSH protocol on our computer was attempting to use our key, especially if we used a custom key name. And then finally we had to make sure that our public key was properly placed within that authorized_keys file on the remote server that we were connecting to.
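
The three checks from the recap, written as shell functions. This is an added example, not a script from the video: `ssh-keygen -y -f` is the standard OpenSSH way to derive a public key from a private key (the video does not name its flags), the function names are made up here, and the `debug1: Offering public key:` line format assumed is the one printed by recent OpenSSH clients with the default SHA256 fingerprints.

```shell
#!/bin/sh
# Added example (not from the video). All file paths are supplied by the caller.

# Print the base64 key body of every public-key line on stdin. Skips comment
# lines and steps over leading options such as no-port-forwarding.
# Simplification: a quoted option value that contains a space is not parsed.
key_blob() {
    awk '$1 ~ /^#/ { next }
         { for (i = 1; i < NF; i++)
               if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $(i + 1); next } }'
}

# Check 1: does the private key ($1) derive the public key stored in $2?
# A passphrase-protected key makes ssh-keygen prompt on the terminal.
keys_match() {
    derived=$(ssh-keygen -y -f "$1" 2>/dev/null | key_blob)
    stored=$(key_blob < "$2" | head -n 1)
    [ -n "$derived" ] && [ "$derived" = "$stored" ]
}

# Check 2: read saved `ssh -v` output on stdin and print each key file the
# client offered; an empty result means the expected key was never tried.
offered_keys() {
    sed -n 's/^debug1: Offering public key: \(.*\) [A-Z0-9-]* SHA256:.*/\1/p'
}

# Check 3: is the public key ($1) listed in the authorized_keys file ($2)?
# Compares key bodies only, so a different trailing comment does not matter.
key_is_authorized() {
    want=$(key_blob < "$1" | head -n 1)
    [ -n "$want" ] && key_blob < "$2" | grep -qxF -- "$want"
}

# Usage: sh sshcheck.sh PRIVATE_KEY PUBLIC_KEY AUTHORIZED_KEYS
if [ "$#" -eq 3 ]; then
    if keys_match "$1" "$2"; then echo "pair: match"; else echo "pair: MISMATCH"; fi
    if key_is_authorized "$2" "$3"; then
        echo "server: key present"
    else
        echo "server: key MISSING"
    fi
fi
```

To feed check 2, save the client's debug output with `ssh -v user@host 2> ssh-debug.log` and run `offered_keys < ssh-debug.log`.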
Info
Channel: Susan B.
Views: 62,499
Id: A9CSSbten_s
Length: 12min 57sec (777 seconds)
Published: Fri Nov 04 2022