Fix SSH Permission Denied with Public Key Authentication

Linux & Unix Intermediate 👁 0 views 📅 May 25, 2026

SSH public key authentication fails with 'Permission denied (publickey)' due to incorrect file permissions, wrong key placement, or SSH config issues. This guide covers diagnosis and resolution.

Symptoms

When attempting to connect via SSH using public key authentication, you receive the error: Permission denied (publickey). The connection fails even though the correct private key is specified and the public key has been added to the remote server's ~/.ssh/authorized_keys file. This issue can occur on any Linux or Unix system.

Root Causes

The most common causes are:

  • Incorrect file permissions on the ~/.ssh directory or authorized_keys file on the server.
  • Wrong ownership of the .ssh directory or files.
  • Incorrect SSH daemon configuration (e.g., PubkeyAuthentication set to no).
  • Public key not properly appended to authorized_keys (e.g., missing newline, extra whitespace).
  • SELinux or AppArmor blocking access.
  • Home directory permissions too permissive (e.g., world-writable).

Step-by-Step Fix

1. Verify SSH Server Configuration

On the remote server, check /etc/ssh/sshd_config for the following lines:

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no (optional, but ensure key auth is enabled)

After editing, restart SSH: sudo systemctl restart sshd (or sudo service ssh restart).

2. Set Correct Permissions on Server

Log in as the user (or use root) and run:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~ (home directory must not be writable by group/others)

3. Verify Ownership

Ensure the .ssh directory and files are owned by the user:

chown user:user ~/.ssh
chown user:user ~/.ssh/authorized_keys

4. Check the authorized_keys File

Open ~/.ssh/authorized_keys and confirm the public key is on a single line, no extra spaces, and ends with a newline. The format should be:

ssh-rsa AAAAB3NzaC1yc2E... user@host

5. Enable Verbose SSH Logging

From the client, run: ssh -vvv user@server. Look for lines like:

  • debug1: Authentication refused: bad ownership or modes
  • debug1: Offering public key

This pinpoints permission issues.

6. Check SELinux/AppArmor

If SELinux is enforcing, restore contexts:

restorecon -Rv ~/.ssh

For AppArmor, check logs in /var/log/syslog for denials.

Alternative Fixes

  • Use ssh-copy-id: Run ssh-copy-id user@server to automatically set correct permissions.
  • Manually copy key: cat ~/.ssh/id_rsa.pub | ssh user@server "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
  • Disable strict modes: In sshd_config, set StrictModes no (not recommended for security).
  • Check home directory: Ensure ~ is not group or world writable (chmod go-w ~).

Prevention

  • Always use ssh-copy-id to add keys.
  • Set StrictModes yes in sshd_config to enforce permission checks.
  • Regularly audit .ssh permissions with ls -la ~/.ssh.
  • Use configuration management (Ansible, Puppet) to enforce correct permissions across servers.
  • Monitor SSH logs (/var/log/auth.log or /var/log/secure) for repeated failures.

By following these steps, you can resolve SSH public key authentication failures and ensure secure, reliable key-based logins.

Was this solution helpful?

SSH public key authentication permission denied authorized_keys chmod sshd_config key permissions Linux Unix troubleshooting secure shell