Permission denied (publickey)
This error matches known, documented patterns with reliable solutions.
Quick Fix (Most Common Solution)
- Add key to ~/.ssh/authorized_keys
- Set correct permissions (chmod 600)
Seeing "Permission denied (publickey)"? This error can be frustrating, but it's usually fixable. It typically affects your development workflow or system. Below you'll find clear, step-by-step solutions to resolve this issue.
What This Error Means
The server rejected your SSH key authentication.
Frequently documented in developer and vendor support forums.
Not affiliated with browser, OS, or device manufacturers.
New here? Learn why exact error messages matter →
Common Causes
- Wrong key file
- Key not in authorized_keys
- Incorrect file permissions
How to Fix
- Add key to ~/.ssh/authorized_keys
- Set correct permissions (chmod 600)
- Specify correct key with -i flag
Last reviewed: March 2026 How we review solutions
Why This Happens
SSH "Permission denied (publickey)" means the SSH server rejected all authentication methods your client offered, and only public key authentication was available. The SSH handshake involves the client presenting a public key, the server checking if that key appears in the target user's ~/.ssh/authorized_keys file, and then the client proving it holds the matching private key. A failure at any of these steps produces this error. The most common cause is incorrect file permissions: OpenSSH is deliberately strict—if the ~/.ssh directory is world-readable (permissions above 700) or the private key file is readable by others (permissions above 600), the SSH client refuses to use the key as a security precaution. The second most common cause is the public key not being present in authorized_keys on the server. This happens after server reinstalls, user account recreation, or when you generated a new key pair locally without copying the public half to the server. SSH agent issues are another frequent source: if the agent is not running or the key is not loaded into it, the client has no key to offer. GitHub and GitLab SSH access adds another dimension—these services match your key against your account, and if the key is associated with a different account or was removed from your settings, authentication fails even though the key pair is technically valid.
Quick Diagnostic Checklist
- Check private key permissions: ls -la ~/.ssh/id_* (should be 600 or 400)
- Verify .ssh directory permissions: ls -la ~ | grep .ssh (should be 700)
- Test with verbose output: ssh -vvv user@host to see which keys are tried
- Confirm your public key is in ~/.ssh/authorized_keys on the server
- Check if ssh-agent is running and the key is loaded: ssh-add -l
- For GitHub: run ssh -T git@github.com to test your key
Full SSH key troubleshooting sequence
# Error:
# Permission denied (publickey).
# Step 1: Check key file permissions (MOST COMMON FIX)
$ ls -la ~/.ssh/
# -rw-r--r-- 1 user user 3381 id_rsa <-- TOO OPEN! Others can read
# -rw-r--r-- 1 user user 741 id_rsa.pub
$ chmod 600 ~/.ssh/id_rsa # Fix: owner read/write only
$ chmod 644 ~/.ssh/id_rsa.pub # Public key can be world-readable
$ chmod 700 ~/.ssh # Directory: owner only
# Step 2: Verify the key is offered during connection
$ ssh -vvv user@server 2>&1 | grep "Offering"
# debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:...
# If no keys are offered, the agent has no keys loaded
# Step 3: Load key into agent
$ eval $(ssh-agent -s) # Start agent if not running
$ ssh-add ~/.ssh/id_rsa # Load your private key
# Step 4: Copy public key to server (if not already there)
$ ssh-copy-id user@server # Appends key to authorized_keys
# Or manually:
$ cat ~/.ssh/id_rsa.pub | ssh user@server "mkdir -p ~/.ssh && \
chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && \
chmod 600 ~/.ssh/authorized_keys"Edge Cases & Unusual Scenarios
SELinux blocking SSH key access
On RHEL/CentOS with SELinux enabled, even correct file permissions can be blocked if the SELinux context is wrong. Run restorecon -R ~/.ssh on the server to reset the security context to the expected labels.
SSH config specifying wrong key file
If ~/.ssh/config has an IdentityFile directive pointing to a non-existent or wrong key for a specific host, SSH uses that key instead of the default. Check the Host block in your SSH config for the target server.
Ed25519 key on old SSH server
Ed25519 keys are not supported by OpenSSH versions before 6.5. If the server runs an older version, your ed25519 key will be silently ignored and authentication fails. Generate an RSA key as a fallback.
Optional follow-up
Some users ask whether saving fixes for recurring errors would be useful when the same issue appears again.
Was this explanation helpful?
Frequently Asked Questions
What permissions for .ssh?
.ssh should be 700, keys 600, authorized_keys 644.
How do I add my key?
Use ssh-copy-id user@host or manually append to authorized_keys.
Why does SSH care about file permissions?
If your private key is readable by other users on the system, anyone with access to the machine could impersonate you. SSH refuses to use keys with overly permissive access as a security measure to prevent this.
How do I use different SSH keys for different servers?
Create a ~/.ssh/config file with Host blocks. For each host, set IdentityFile to the specific key: Host github.com → IdentityFile ~/.ssh/github_key. SSH will automatically use the right key for each connection.
What if I lost my private key but still have server access?
Generate a new key pair with ssh-keygen, then add the new public key to ~/.ssh/authorized_keys on the server using your existing access method (console, another key, password if enabled). Remove the old public key from authorized_keys.
Related Resources
Also Known As
- Linux error
- Unix error
- Terminal error
- Shell error
- Command line error
Common Search Variations
- "linux terminal error"
- "permission denied linux fix"
- "command not found linux"
- "linux shell error solution"
- "ubuntu error how to fix"
- "linux process crashed"
Related Errors
Still Stuck?
Paste a different error message or upload a screenshot to get help instantly.