The SSH “Permission denied (publickey)” message appears when the server rejects every public key your SSH client offers. Usually, the client has the wrong username, has picked the wrong private key, or hasn’t loaded the key it needs.
Fastest fix: give SSH the remote account and private key explicitly. If that still fails, turn on verbose output and see what the client is actually doing.
ssh -i ~/.ssh/id_ed25519 username@server-ip
ssh -vvv -i ~/.ssh/id_ed25519 username@server-ipReplace username with the account that owns the matching public key on the server. On cloud systems, that account is often ubuntu, ec2-user, debian, or azureuser.
Quick Fix Checklist
- Check the SSH username and server address.
- Use
-ito tell SSH which private key to try. - Set the local private key permission to
600. - Make sure the matching public key is in the remote account’s
~/.ssh/authorized_keysfile. - Fix ownership and permissions on the server.
- Run
ssh -vvvto see which key is being offered and why the server refuses it.
Why SSH Returns “Permission denied (publickey)”
Public-key authentication depends on a matching key pair. Your client proves it has the private key, while the server searches for the corresponding public key under the remote user’s account. If the account, key pair, permissions, or SSH configuration doesn’t line up, authentication stops there.
| Cause | Typical sign |
|---|---|
| Wrong remote username | A valid key works for another account |
| Wrong private key | Verbose output shows SSH offering an unexpected key |
| Unsafe permissions | SSH ignores the private key or the authorized_keys file |
| Missing public key | The server rejects the correct private key |
| Server configuration | Public-key authentication is disabled or points to another key path |
Work Through the Fix
1. Check the Remote Username
SSH checks the keys belonging to the account named in your connection command. So a key installed for ubuntu won’t automatically let you sign in as root, or as any other user.
ssh ubuntu@203.0.113.10
ssh ec2-user@203.0.113.10
ssh admin@example.comIf you don’t know the default account, check the hosting provider’s documentation or the server deployment record. Don’t assume root login is available. Quite often, it isn’t.
2. Choose the Right Private Key
Use -i so SSH doesn’t have to guess which identity it should offer:
ssh -i ~/.ssh/project_ed25519 username@server-ipThen confirm that the public half of that key is the one installed on the server.
ssh-keygen -y -f ~/.ssh/project_ed25519
ssh-keygen -lf ~/.ssh/project_ed25519.pubThe first command derives a public key from the private key. Compare that output with the entry in the server’s authorized_keys file.
3. Tighten the Local Key Permissions
OpenSSH may refuse to use a private key if other users can read it. On Linux or macOS, set restrictive permissions on the directory and files:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/project_ed25519
chmod 644 ~/.ssh/project_ed25519.pubOwnership matters too. Check that the files belong to your local account:
ls -la ~/.ssh4. Inspect the SSH Agent
If you normally connect without -i, see which identities the SSH agent has loaded:
ssh-add -lMissing key? Start the agent and add the private key yourself.
eval $(ssh-agent -s)
ssh-add ~/.ssh/project_ed25519An agent carrying a lot of keys can cause another problem: the server may disconnect before SSH gets around to trying the correct one. In that case, name the key and limit the client to that identity.
ssh -o IdentitiesOnly=yes -i ~/.ssh/project_ed25519 username@server-ip5. Put the Public Key on the Server
If password login still works, copy the public key with ssh-copy-id:
ssh-copy-id -i ~/.ssh/project_ed25519.pub username@server-ipIf password authentication has been disabled, you’ll need another route in. Use the hosting provider’s web console, a recovery console, or an administrator session that already works. Append the public key, as one uninterrupted line, to:
/home/username/.ssh/authorized_keysDon’t copy the private key to the server. Only the file ending in .pub, or the public-key content from that file, belongs in authorized_keys.
6. Repair Server Ownership and Permissions
Run the following commands from the affected account or through an administrative console. Replace username and its group where needed.
sudo chown -R username:username /home/username/.ssh
sudo chmod 700 /home/username/.ssh
sudo chmod 600 /home/username/.ssh/authorized_keys
sudo chmod go-w /home/usernameOn an SELinux-enabled distribution, such as RHEL, Rocky Linux, AlmaLinux, or Fedora, restore the expected security context as well:
sudo restorecon -Rv /home/username/.ssh7. Check the SSH Server Settings
Look at the effective OpenSSH server settings rather than trusting comments in the configuration file. Comments can be stale, or an included file may be changing the result.
sudo sshd -T | grep -E 'pubkeyauthentication|authorizedkeysfile'Normally, the output should include pubkeyauthentication yes and an authorized-key path such as .ssh/authorized_keys. If you change the configuration, validate it before reloading SSH.
sudo sshd -t
sudo systemctl reload sshdDebian and Ubuntu may use ssh as the service name instead:
sudo systemctl reload sshKeep your current console or SSH session open while you test. A bad configuration change can lock you out, and that existing session may be the only easy way back in.
Read the Verbose SSH Output
ssh -vvv -o IdentitiesOnly=yes -i ~/.ssh/project_ed25519 username@server-ipWatch for lines containing Offering public key and Server accepts key. If the expected key never gets offered, the fault is probably on the client side. If SSH offers the right key and the server rejects it, check the username, the server’s public-key entry, file permissions, and the SSH logs.
Depending on the distribution, authentication messages may appear in one of these locations:
sudo journalctl -u sshd --since '10 minutes ago'
sudo journalctl -u ssh --since '10 minutes ago'
sudo tail -f /var/log/auth.logSave the Working Connection
Once the connection works, save the account and identity in ~/.ssh/config. That way, you don’t have to type the full command every time.
Host project-server
HostName 203.0.113.10
User ubuntu
IdentityFile ~/.ssh/project_ed25519
IdentitiesOnly yesSet the configuration file permission, then connect through the alias:
chmod 600 ~/.ssh/config
ssh project-serverMistakes That Commonly Cause This Error
- Putting the public key in the wrong user’s home directory.
- Using a cloud instance name instead of a reachable IP address or hostname.
- Copying the private key into
authorized_keys. - Splitting one public key across multiple lines.
- Closing the only working server session before testing configuration changes.
- Making
~/.sshorauthorized_keysworld-writable.
Confirm That Authentication Works
Run a non-interactive command over SSH:
ssh -o IdentitiesOnly=yes -i ~/.ssh/project_ed25519 username@server-ip 'whoami'If authentication succeeds, the command prints the remote username. You can then use the same identity with SCP, SFTP, Git, automation tools, or the SSH configuration you saved.




