Linux SSH Key Errors — Agent Forwarding, Host Key & Permission Denied (publickey)
About Linux SSH Key Errors
Fix SSH key errors including 'Permission denied (publickey)', host key verification failed, agent forwarding issues, and key format incompatibilities. This guide covers everything you need to know about this topic, including common causes, step-by-step solutions, and answers to frequently asked questions.
Here are the key things to understand: 'Permission denied (publickey)' means the server rejected all offered keys. Host key verification failed: server's host key changed (possible MITM or server reinstall). SSH keys must have strict permissions: private key 600, .ssh dir 700. ssh-agent stores decrypted keys in memory for convenient reuse. Agent forwarding (-A) allows using local keys on remote servers but has security implications. Understanding these fundamentals will help you diagnose and resolve this issue more effectively.
The most common reasons this occurs include: Public key not in ~/.ssh/authorized_keys on the server. Wrong permissions on private key file (must be 600 or more restrictive). SSH server configured to reject the key type (e.g., RSA disabled, only Ed25519 accepted). Wrong user: trying to SSH as user A but key is authorized for user B. Server host key changed: legitimate (reinstall) or suspicious (MITM). Identifying the root cause is the first step toward finding the right solution.
To resolve this, follow these recommended steps: Debug connection: ssh -vvv user@host to see which keys are offered and rejected. Fix key permissions: chmod 600 ~/.ssh/id_rsa && chmod 700 ~/.ssh. Copy key to server: ssh-copy-id user@host (adds your public key to authorized_keys). For host key change: ssh-keygen -R hostname (removes old host key from known_hosts). Check sshd config: cat /etc/ssh/sshd_config — look for PubkeyAuthentication and AuthorizedKeysFile. If these steps do not resolve the issue, consider consulting additional resources or a qualified professional.
This article is part of our Linux Error Codes collection on Error Codes Wiki. We provide comprehensive, up-to-date information to help you find solutions quickly.
Quick Answer
Why does 'Permission denied (publickey)' happen?
The server does not have your public key, or the key file has wrong permissions. Use ssh -vvv to debug and ssh-copy-id to install keys.
Overview
Fix SSH key errors including 'Permission denied (publickey)', host key verification failed, agent forwarding issues, and key format incompatibilities.
Key Details
- 'Permission denied (publickey)' means the server rejected all offered keys
- Host key verification failed: server's host key changed (possible MITM or server reinstall)
- SSH keys must have strict permissions: private key 600, .ssh dir 700
- ssh-agent stores decrypted keys in memory for convenient reuse
- Agent forwarding (-A) allows using local keys on remote servers but has security implications
Common Causes
- Public key not in ~/.ssh/authorized_keys on the server
- Wrong permissions on private key file (must be 600 or more restrictive)
- SSH server configured to reject the key type (e.g., RSA disabled, only Ed25519 accepted)
- Wrong user: trying to SSH as user A but key is authorized for user B
- Server host key changed: legitimate (reinstall) or suspicious (MITM)
Steps
- 1Debug connection: ssh -vvv user@host to see which keys are offered and rejected
- 2Fix key permissions: chmod 600 ~/.ssh/id_rsa && chmod 700 ~/.ssh
- 3Copy key to server: ssh-copy-id user@host (adds your public key to authorized_keys)
- 4For host key change: ssh-keygen -R hostname (removes old host key from known_hosts)
- 5Check sshd config: cat /etc/ssh/sshd_config — look for PubkeyAuthentication and AuthorizedKeysFile