Fix SSH Permission Denied with Public Key Authentication

Linux & Unix Intermediate 👁 0 views 📅 May 25, 2026

SSH public key authentication fails with 'Permission denied' despite correct keys. This guide covers common causes like file permissions, SSH config settings, and SELinux restrictions.

Symptoms

When attempting to connect to a Linux or Unix server via SSH using public key authentication, the connection fails with the message 'Permission denied (publickey)'. The client may have the correct private key, but the server rejects the authentication attempt. This often occurs after initial setup or system configuration changes.

Root Causes

The most common causes include:

  • Incorrect permissions on the ~/.ssh directory or authorized_keys file
  • Wrong ownership of the .ssh directory or files
  • SSH daemon configuration disabling public key authentication
  • SELinux or AppArmor restrictions blocking key-based login
  • Incorrect key format or mismatched key pair
  • Home directory permissions too permissive (group/world writable)

Step-by-Step Fix

Step 1: Verify SSH Daemon Configuration

On the server, check /etc/ssh/sshd_config for the following lines:

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no (optional but ensure PubkeyAuthentication is yes)

If you make changes, restart SSH: sudo systemctl restart sshd or sudo service ssh restart.

Step 2: Check Permissions on Server

Log in to the server (via console or alternative method) and run:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
chmod 755 ~

Ensure the home directory is not writable by group or others: chmod go-w ~.

Step 3: Verify Ownership

Ensure the .ssh directory and authorized_keys file are owned by the user:

sudo chown -R $USER:$USER ~/.ssh

Step 4: Check SELinux Context (if enabled)

If SELinux is enforcing, restore default contexts:

restorecon -R -v ~/.ssh

Or set them manually:

chcon -R -t ssh_home_t ~/.ssh

Step 5: Test with Verbose Output

From the client, run SSH with verbose logging to identify the issue:

ssh -vvv user@server

Look for lines like 'Authentication refused: bad permissions' or 'debug1: Authentications that can continue: publickey'.

Step 6: Verify Key Pair

Ensure the public key in authorized_keys matches the private key on the client. Compare the key fingerprint:

ssh-keygen -lf ~/.ssh/id_rsa.pub
ssh-keygen -lf ~/.ssh/id_rsa

They should match.

Alternative Fixes

  • Use ssh-copy-id: Run ssh-copy-id user@server to automatically copy and set permissions.
  • Check for multiple keys: If the client has multiple keys, specify the correct one with ssh -i ~/.ssh/id_rsa user@server.
  • Disable SELinux temporarily: sudo setenforce 0 (for testing only; re-enable after fix).
  • Enable password authentication temporarily: Set PasswordAuthentication yes in sshd_config to allow login and fix permissions.

Prevention

  • Always use ssh-copy-id to set up keys initially.
  • Set up a configuration management tool (e.g., Ansible) to enforce correct permissions.
  • Regularly audit SSH configurations and permissions.
  • Keep SELinux or AppArmor enabled and properly configured.
  • Document SSH setup procedures for your team.

By following these steps, you should be able to resolve most SSH public key authentication permission denied errors. If the issue persists, check system logs (/var/log/auth.log or /var/log/secure) for more details.

Was this solution helpful?

SSH public key authentication permission denied authorized_keys chmod sshd_config SELinux home directory permissions .ssh directory key permissions Linux Unix troubleshooting secure shell authentication failure