ssh : Permission denied (publickey,gssapi-with-mic)

According to the line debug1: Authentications that can continue: publickey,gssapi-with-mic , ssh password authentication is disabled and apparently you are not using public key authentication.

Login to your server using console and open /etc/ssh/sshd_config file with an editor with root user and look for line PasswordAuthentication then set it's value to yes and finally restart sshd service.

I had the same issue while using vagrant. So from my Mac I was trying to ssh to a vagrant box (CentOS 7)

Solved it by amending the /etc/ssh/sshd_config PasswordAuthentication yes then re-started the service using sudo systemctl restart sshd

Hope this helps.

fixed by setting GSSAPIAuthentication to no in /etc/ssh/sshd_config

In Centos 7

Error : publickey,gssapi-keyex,gssapi-with-mic

Ans : Root access to vi /etc/ssh/sshd_config and change the PasswordAuthentication ( no ) to yes.

2 . Restart the sshd services

root> systemctl restart sshd.service

3. Logon into local id via putty without key.

As everybody else has already said you need to edit /etc/ssh/sshd_config and change PasswordAuthentication no to PasswordAuthentication yes

I ran into this problem setting up a Vagrant box - so therefore it makes sense to script this and do it automatically in a shell provisioner:

sudo sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/g' /etc/ssh/sshd_config;

sudo systemctl restart sshd;

Tried a lot of things, it did not help.

It get access in a simple way:

eval $(ssh-agent) > /dev/null
killall ssh-agent
eval `ssh-agent`
ssh-add ~/.ssh/id_rsa

Note that at the end of the ssh-add -L output must be not a path to the key, but your email.

Setting 700 to .ssh and 600 to authorized_keys solved the issue.

chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys

Maybe you should assign the public key to the authorized_keys, the simple way to do this is using ssh-copy-id -i your-pub-key-file user@dest.

Setting PasswordAuthentication to yes, is not the best way to go , is not as secure as using private and public keys for authentication !

First make sure that that you have the fallowing permissions set, on the server side.

First check your home dir (SERVER SIDE)

[vini@random ~]$ ls -ld ~


drwx------. 3 vini vini 127 Nov 23 15:29 /home/vini

if it is not like this, run

chmod 0700 /home/your_home

Now check .ssh folder

[vini@random ~]$ ls -ld  /home/vini/.ssh/


drwx------. 2 vini vini 29 Nov 23 15:28 /home/vini/.ssh/

if it is not looking like this, run

chmod 0700 /home/your_home/.ssh

now make sure that authorized_keys looks like this

[vini@venon ~]$ ls -ld  /home/vini/.ssh/authorized_keys


-rw-------. 1 vini vini 393 Nov 23 15:28 /home/vini/.ssh/authorized_keys

or just run

chmod 0600 /home/your_home/.ssh/authorized_keys

After that go to /etc/ssh/sshd_config

For best security set

PermitRootLogin no


PubkeyAuthentication yes

keep as yes for testing purposes

PasswordAuthentication yes

Make sure that

ChallengeResponseAuthentication no

Comment those lines for GSSAPI

# #GSSAPIAuthentication yes
# #GSSAPICleanupCredentials no

Make sure that is set to UsePAM yes

UsePAM yes

now restart sshd service

systemctl restart sshd

on the client side

cd /home/your_home/.ssh

generate new keys; setting a password is optional but is a good idea

ssh-keygen -t rsa -b 2048

copy pub key to your server

ssh-copy-id -i id_rsa.pub user_name@server_ip


start ssh agent


eval $(ssh-agent)


ssh-add /home/user/.ssh/your_private_key

now your are good to go !

ssh user_name@server_ip

if everything works just fine

make a backup of your private key and then deny PasswordAuthentication

PasswordAuthentication no

Restart you server

now anyone trying to ssh into your server, without your keys should get

vini@random: Permission denied (publickey).

keep script kids away from your business, and good luck

please make sure following changes should be uncommented, which I did and got succeed in centos7

vi /etc/ssh/sshd_config


1.PubkeyAuthentication yes


2.PasswordAuthentication yes


3.GSSAPIKeyExchange no


4.GSSAPICleanupCredentials no


systemctl restart sshd


ssh-keygen


chmod 777 /root/.ssh/id_rsa.pub


ssh-copy-id -i /root/.ssh/id_rsa.pub user@ipaddress

thank you all and good luck

And I think this will clearify the cause of posted problem, actualy this is bug of pssh itself (contains inside "askpass-client.py"). It is pssh's lib file. And there is documented issue for -A case: https://code.google.com/archive/p/parallel-ssh/issues/80 There are two possible resolutions to use version of pssh containing this bug in case you forced to use passphrase for private key access:

1. Correct your "askpass-client.py" as described in link listed before in my post.
2. Using your favorite pass keeper.

Thnks for attention, hope it helps!

I try

rm ~/.ssh/id_rsa.pub

then it work!

Nobody has mention this in. above answers so i am mentioning it.

This error can also come if you're in the wrong folder or path of your pem file is not correct. I was having similar issue and found that my pem file was not there from where i am executing the ssh command

cd KeyPair
ssh -i Keypair.pem ec2-user@244.255.255.255

I had the same problem. In my case, macOS doesn't load my SSH keys, but I fix it with:

ssh-add <SSH private key>
ssh-add <SSH public key>

I couldn't connect to a Droplet on DigitalOcean, but the subsequent commands work for me.

You can go to the forum here.

First a password login has to be established to remote machine

• Firstly make a password login

you have to enable a password login by enabling the property ie) PasswordAuthentication yes in sshd_config file.Then restart the sshd service and copy the pub key to remote server (aws ec2 in my case), key will be copied without any error

• Without password login works if and only if password login is made first
• copy the pub key contents to authorised keys, cat xxx.pub >> ~/.ssh/authorized_keys

This can happen if you are missing the correct id_rsa key set up in authorized_keys for an AWS instance.

Exact error I got (this article came up when I googled the error):

ec2-user@X.X.X.X: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Note: If you have many keys, you have to either specify the key on the ssh command line or else add it to you ssh-agent keys (see ssh-add -l). Only the first 6 keys from ssh-agent may work - the default sshd MaxAuthTries config value is 6.

Hope, this will help someone. Problem I encountered is, I was completely using wrong key with the IP. Make sure you are using the right key for the right IP

For me it is a completely mistake, someone copy paste the key into the same row with another key, after separating them into two different lines then it works again, so check if your authorized_key file has similar mistakes !

I had same issue Permission denied (publickey, gssapi-keyex, gssapi-with-mic) earlier.

I had to go /etc/ssh/sshd_config to add the user user into AllowUsers section, then restarted sshd service.

Let me share with you how I did it and I am sure you will find good answer here.

Make sure the following

Step 1. You have Public DNS (IPv4) from aws E.g ec2-IPV4.us-east-2.compute.amazonaws.com

Step 2. You remember where your your_secret_key_is.pem E.g its better to keep it far from root of the known folders like Downloads, Desktop or Documents

Step 3 Open terminal and add the command sudo ssh -v -i path-to-key.pem ec2-user@host

ec2-user is important because it for some linux server it is the username

sudo it needs permission to execute

host It is Amazon Public DNS (IPv4) (copy step 1)

Find more info here

I know this is an old question, but thought I'd add my fix in the pot.

I was getting the same error trying to connect to Amazon Linux from Ubuntu. The solution was to simply change this:

ssh-add -c <key_location>.pem

to this:

ssh-add "<key_location>.pem"

... pretty simple change there got me in.

Permission denied (publickey)

seems like an issue generated by the ssh client rather than the ssh server in my case. Here's what caused my problem and how I solved. The problem source is I used sudo to generate the keys like this:

sudo ssh-keygen -t ed25519 -f ~/.ssh/serverA_ed25519_key

This automatically set the owner of these key files to root only, so my current user doesn't have permission to read the keys.

Now solution #1 is change the file ownership to your current user. This's what I did.

sudo chown CURRENT_USER ~/.ssh/serverA_ed25519_key

Solution #2 would be just run ssh client with sudo when you try to connect to the ssh server.

Finally, a trick to find the source of problem with ssh client.

ssh -v -o IdentitiesOnly=yes -i ~/.ssh/serverA_ed25519_key me@serverA

This let me focus on the problem by:

• show verbose info by -v flag.
• the -o option and -i ~/.ssh/serverA_ed25519_key force ssh client to try with this key ONLY, not all the keys you have.

I also have this error info : Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Using cmd: ssh -i "~/.ssh/old.pem" user@ip cause the error.

Problem is old.pem has been deprecated， after changing to newest pem file， the error disappears.

In my case, I was using wrong username. Fixed that and the issue got resolved.

As a few others have mentioned, make sure you are using the right private key when you ssh into your server. I had multiple ssh private keys set up in my directory, so it was defaulting to a different key. To ssh with the correct key call it out in your CLI call ssh centos@IP-ADDRESS -i YOUR-PATH-TO-KEY, in my case the path was ~/.ssh/id_rsa

The isssue is the username for most publickey errors on centos instances on AWS. For Permission denied (publickey,gssapi-keyex,gssapi-with-mic):

its pretty simple. Just change your username from centos to ec2-user and the issue is solved.

Thank me later :)

The issue is simple, the owner for the key should be one in case if windows ( Just remove other users and keep only one or deny other users permissions) for linux/Mac just do a chmod 400 as this will only give read permission only to the user and no permission to groups or public.

I run into this strange error whiles connecting from my Mac(host) to a CentOS(7.9) guest. I had to explicitly passed the key file to the ssh client ssh root@ip -i private_key_file before connection was successful.

Earlier on, I had enabled the following after the usual key generation with ssh-keygen and copying with ssh-copy-id

PermitRootLogin yes #Logging in with root, it was set by default
PasswordAuthentication no

I decided against using the default name provided by ssh-keygen though the generated file was saved at the same location as the default.

I left the other default values untouched. Don't forget to restart sshd on the remote machine.

I got Sucess !! I've copied my ssh_keys from my other machine and tryed to log to my AWS EC2, but it failed:

sign_and_send_pubkey: signing failed for RSA "/home/xxxx/.ssh/my_rsa" from agent: agent refused operation ec2-user@bla-blah-blah.zzzzz.amazonaws.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

The solution was:

cd $HOME/.ssh

ls -l

-r-x------ 1 xxxx xxxx 1766 May 4 09:13 id_rsa

-r-x------ 1 xxxx xxxx 405 May 4 09:13 id_rsa.pub

-rw-r--r-- 1 xxxx xxxx 444 May 6 17:18 known_hosts

Optional command: rm known_hosts

chmod 400 id*

ssh -i ./id_rsa.pub ec2-user@bla-blah-blah.zzzzz.amazonaws.com

Last login: Fri May 6 19:09:48 2022 from 123.456.77.9

   __|  __|_  )
_|  (     /   Amazon Linux 2 AMI
___|\___|___|

Just run this to add your key to localhost of current user.

 ssh-copy-id localhost

In my case the problem was selinux. It was just disabling it.

vi /etc/sysconfig/selinux SELINUX=disabled

setenforce 0;

sestatus;

I know this reply is drowned into the abyss of answers, but I think it's still relevant to share my team's use case : the error can also be triggered because the target instance is incorrect. As simple as that.