git@github.com: Permission denied (publickey)

I am currently setting up my continuous deployment (CD) pipeline and first got it running on a VM (VM-1) on my server. Everything worked fine. Now I want to use it on another VM (VM-2) on the same server. I have manually copied the SSH public and private keys from the server (VM-1) to the server (VM-2). I think it would be better to generate a new key for (VM-2) but I was planning to delete (VM-1) afterwards. However, after I did that, I wanted to clone the repository to (VM-2) initially. But unfortunately I get this error message:

git@github.com: Permission denied (publickey)
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Output: la -la ~/.ssh

drwx------  2 ssh123 root     4096 Mär 29 16:27 .
drwxr-xr-x 20 ssh123 root     4096 Mär 29 16:27 ..
-rwx------  1 ssh123 root      628 Mär 29 11:10 authorized_keys2
-rwx------  1 ssh123 w014b01d  419 Mär 29 16:27 id_server_ed25519
-rwx------  1 ssh123 w014b01d  105 Mär 29 16:26 id_server_ed25519.pub
-rw-r--r--  1 ssh123 w014b01d  666 Mär 29 16:29 known_hosts

Output: ssh -vvvT git@github.com

OpenSSH_8.2p1 Ubuntu-4ubuntu0.11, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolving "github.com" port 22
debug2: ssh_connect_direct
debug1: Connecting to github.com [1.1.1.4] port 22.
debug1: Connection established.
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_rsa-cert type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: identity file /.ssh/id_dsa-cert type -1
debug1: identity file /.ssh/id_ecdsa type -1
debug1: identity file /.ssh/id_ecdsa-cert type -1
debug1: identity file /.ssh/id_ecdsa_sk type -1
debug1: identity file /.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /.ssh/id_ed25519 type -1
debug1: identity file /.ssh/id_ed25519-cert type -1
debug1: identity file /.ssh/id_ed25519_sk type -1
debug1: identity file /.ssh/id_ed25519_sk-cert type -1
debug1: identity file /.ssh/id_xmss type -1
debug1: identity file /.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11
debug1: Remote protocol version 2.0, remote software version babeld-05989c77
debug1: no match: babeld-05989c77
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to github.com:22 as 'git'
debug3: hostkeys_foreach: reading file "/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from github.com
debug3: order_hostkeyalgs: have matching best-preference key type ecdsa-sha2-nistp256-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,kex-strict-c-v00@openssh.com
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,kex-strict-s-v00@openssh.com
debug2: host key algorithms: ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
debug2: MACs ctos: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
debug2: MACs stoc: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug3: will use strict KEX ordering
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:p2xxxx98/Rxxxx3/Lxxxx
debug3: hostkeys_foreach: reading file "/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from github.com
debug3: hostkeys_foreach: reading file "/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /.ssh/known_hosts:3
debug3: load_hostkeys: loaded 1 keys from 140.82.121.4
debug1: Host 'github.com' is known and matches the ECDSA host key.
debug1: Found key in /.ssh/known_hosts:1
debug3: send packet: type 21
debug1: resetting send seqnr 3
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /.ssh/id_rsa 
debug1: Will attempt key: /.ssh/id_dsa 
debug1: Will attempt key: /.ssh/id_ecdsa 
debug1: Will attempt key: /.ssh/id_ecdsa_sk 
debug1: Will attempt key: /.ssh/id_ed25519 
debug1: Will attempt key: /.ssh/id_ed25519_sk 
debug1: Will attempt key: /.ssh/id_xmss 
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/id_rsa
debug3: no such identity: /.ssh/id_rsa: No such file or directory
debug1: Trying private key: /.ssh/id_dsa
debug3: no such identity: /.ssh/id_dsa: No such file or directory
debug1: Trying private key: /.ssh/id_ecdsa
debug3: no such identity: /.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /.ssh/id_ecdsa_sk
debug3: no such identity: /.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /.ssh/id_ed25519
debug3: no such identity: /.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /.ssh/id_ed25519_sk
debug3: no such identity: /.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /.ssh/id_xmss
debug3: no such identity: /.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).
Asked By: MartinTTS


Change the default key names for ssh

By default, ssh clients and servers look for the private keys in format id_<encryption_type>. For example id_ed25519, id_rsa, etc. This is evident from the debug log posted in the question as well. Your private key is named id_server_ed25519. The ssh client can’t find that key as it is looking for a file called id_ed25519.

Try this command:

ssh -vvvvT -i ~/.ssh/id_server_ed25519 git@github.com

Replace the path of the private key file with the correct path if needed.

If this works you have three options.

1. Use the default key names

This approach is the easiest solution, as you can upload your default public key to any remote computer that you want to log in to using ssh and it will work. This way you will have only one private-public key pair for all remote ssh access, rather than different key pairs for different computers.

Change the names of both the public and private keys:

mv ~/.ssh/id_server_ed25519 ~/.ssh/id_ed25519
mv ~/.ssh/id_server_ed25519.pub ~/.ssh/id_ed25519.pub

2. Change personal config

This approach works best when there are multiple users of the local computer and you don’t want to make a change for everybody. Or if you want to create different public-private key pairs for different ssh servers.

Add a few lines to your personal ssh client config of VM-2 at ~/.ssh/config. Edit the file using the command:

nano ~/.ssh/config

Add the text:

Host github
     Hostname github.com
     User git
     IdentityFile ~/.ssh/id_server_ed25519
     IdentitiesOnly yes

Note, this config is just for the ssh server at github. This config will allow you to use ssh github.

The last line above, IdentitiesOnly yes, ensures the ssh client only checks this specific key file, id_server_ed25519. By default it will look for and try to use both id_server_ed25519 and id_ed25519. This can cause issues if you have both files on your computer, for example id_server_ed25519 for github and id_ed25519 for every other ssh server.

Remember the above configuration is for github only. If you want to use the same key-pair to access another server you will have to add similar text to your personal ssh client config file.
I assume you did something similar for VM-1.

3. Change global config

The global ssh client config file is /etc/ssh/ssh_config. Edit the file:

sudo nano /etc/ssh/ssh_config

Look for the following lines:

#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519

Make the last line look like:

IdentityFile ~/.ssh/id_server_ed25519

This change will affect all users and all ssh connections you make using key based authentication from this computer.

Hope this helps

Answered By: user68186
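
Added example, not part of the original answer: a POSIX shell check that reads a saved `ssh -v` log and lists the private keys in a directory that the client never attempted, which is the name mismatch the answer describes. It compares file names only and assumes a private key is any file with a sibling `.pub`; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): list private keys that exist
# in an ssh directory but were never offered, according to an `ssh -v` log.

# Basenames of every identity file the client planned to try.
# $1 = file holding saved `ssh -v` output
tried_keys() {
    sed -n 's/^debug1: Will attempt key: \([^ ]*\).*/\1/p' "$1" |
        sed 's|.*/||' | sort -u
}

# Private keys in directory $2 that do not appear in log $1.
# Assumption: a private key is any file that has a sibling "<name>.pub".
untried_keys() {
    tried=$(tried_keys "$1")
    for pub in "$2"/*.pub; do
        [ -f "$pub" ] || continue          # glob matched nothing
        priv=${pub%.pub}
        [ -f "$priv" ] || continue         # public key without private half
        name=${priv##*/}
        printf '%s\n' "$tried" | grep -qxF -- "$name" ||
            printf '%s\n' "$name"
    done
}

# Constructed sample: empty stand-in key files and three log lines in the
# shape of the debug output quoted in the question.
demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/id_server_ed25519"
    : > "$dir/id_server_ed25519.pub"
    cat > "$dir/ssh.log" <<'EOF'
debug1: Will attempt key: /.ssh/id_rsa
debug1: Will attempt key: /.ssh/id_ed25519
debug1: No more authentication methods to try.
EOF
    for key in $(untried_keys "$dir/ssh.log" "$dir"); do
        echo "never offered: $key (needs -i or an IdentityFile entry)"
    done
    rm -rf "$dir"
}
demo
```

To use it on a real host, save the debug output with `ssh -vT git@github.com 2> ssh.log` and call `untried_keys ssh.log ~/.ssh`.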