SSH Authentication Failure: Public Key Presence in Working Directory Causes Permission Denied


When troubleshooting SSH authentication issues, we often focus on common problems like incorrect permissions (~/.ssh/ should be 700, keys should be 600) or mismatched key pairs. However, there exists a lesser-known scenario where simply having both public and private keys in the same working directory can cause authentication failures.

In the reported case, connecting with:

ssh -vT -i ./id_rsa user@remotehost

fails when id_rsa.pub exists in the same directory, but succeeds when the public key is renamed or moved elsewhere. The debug output shows a clear difference in behavior:

  • With id_rsa.pub present:
    debug1: Offering RSA public key: ./id_rsa
    debug1: Authentications that can continue: publickey
  • With id_rsa.pub absent:
    debug1: Trying private key: ./id_rsa
    debug1: read PEM private key done: type RSA
    debug1: Authentication succeeded (publickey)

This behavior stems from OpenSSH's key discovery mechanism. When a public key file exists alongside the private key:

  1. The SSH client reads the public key from id_rsa.pub and offers that to the server before it loads the private key
  2. The server evaluates the offered key, so if id_rsa.pub does not correspond to the key the server expects, the offer is declined
  3. The client then reports "Authentications that can continue: publickey" instead of signing with id_rsa; the fingerprint check further down confirms whether the two files belong together

Here are three ways to handle this situation:

Option 1: Move the Public Key

mv id_rsa.pub ~/.ssh/

Option 2: Specify Key Explicitly

ssh -o IdentitiesOnly=yes -i ./id_rsa user@remotehost

Option 3: Temporary Rename

mv id_rsa.pub id_rsa.pub.bak
ssh -i ./id_rsa user@remotehost
mv id_rsa.pub.bak id_rsa.pub

General recommendations:

  • Store SSH keys in the ~/.ssh/ directory
  • Set proper permissions (600 for keys, 700 for directory)
  • Use ssh-agent for key management
  • When debugging, always check verbose output (-v flag)

For frequent connections, add this to ~/.ssh/config:

Host remotehost
    HostName remotehost.example.com
    User user
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes

During SSH authentication, having both private (id_rsa) and public (id_rsa.pub) keys in the same working directory can trigger unexpected behavior. The debug output reveals a critical difference:

// Problem scenario:
debug1: Offering RSA public key: ./id_rsa
debug1: Authentications that can continue: publickey

// Working scenario:
debug1: Trying private key: ./id_rsa
debug1: read PEM private key done: type RSA

The SSH client (OpenSSH 6.1) exhibits different behavior based on file presence:

  • When both keys exist: the client offers the public key read from id_rsa.pub first
  • When only the private key exists: the client loads id_rsa directly and the normal private key authentication flow proceeds

Here are three verified solutions:

# Solution 1: Move public key away
mv ./id_rsa.pub ~/.ssh/tmp.pub

# Solution 2: Specify key type explicitly
ssh -o PubkeyAcceptedKeyTypes=rsa-sha2-256 -i ./id_rsa user@host

# Solution 3: Use absolute path
ssh -i /full/path/to/id_rsa user@host

The behavior stems from OpenSSH's key discovery algorithm:

  1. The client checks for a public key file next to the identity file (id_rsa.pub beside id_rsa)
  2. When that file exists, the client offers its contents first, even though -i names the private key
  3. If the server declines the offered key, the normal private key authentication flow is never reached

For stable SSH configurations:

# Best practice directory structure
~/.ssh/
├── config
├── id_rsa          # Private key (chmod 600)
└── authorized_keys # Public keys permitted to log in to this account

# Sample ~/.ssh/config entry
Host myserver
    HostName remote.example.com
    User deploy
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes

Additional verification commands:

# Check key fingerprint consistency (both commands should print the same fingerprint)
ssh-keygen -lf id_rsa.pub
ssh-keygen -lf id_rsa

# Validate key permissions
stat -c "%a %n" id_rsa id_rsa.pub

# Alternative verbose output
ssh -vvvT -i ./id_rsa user@host
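As an added example (not from the original article), the following POSIX shell script automates the check behind the key discovery explanation and the ssh-keygen -lf commands above: it derives the public key from the private key, compares it with the sibling .pub file that ssh would offer, and only then connects with IdentitiesOnly. It assumes ssh-keygen is on PATH and an unencrypted private key (an encrypted key prompts for its passphrase); check_identity_pair and connect_with_identity are names chosen here.

```shell
#!/bin/sh
# Added example: detect a stale or foreign <identity>.pub before ssh offers it.
# OpenSSH offers the contents of <identity>.pub when that file exists, so a
# .pub that does not belong to the private key produces the
# "Offering RSA public key ... Authentications that can continue: publickey"
# pattern shown in the debug output above. Assumes ssh-keygen is installed.

# Prints one of: no-pub, match, mismatch.
# Returns 0 for no-pub and match, 1 for mismatch.
check_identity_pair() {
    key="$1"
    pub="$key.pub"
    if [ ! -f "$pub" ]; then
        echo "no-pub"
        return 0
    fi
    # Public key derived from the private key (what ssh uses when no .pub exists).
    derived=$(ssh-keygen -y -f "$key" | awk '{print $1, $2}')
    # Public key stored in the .pub file (what ssh offers when it exists).
    stored=$(awk '{print $1, $2}' "$pub")
    if [ "$derived" = "$stored" ]; then
        echo "match"
        return 0
    fi
    echo "mismatch"
    return 1
}

# Run the check, then connect with exactly the named identity and nothing
# else (IdentitiesOnly=yes keeps ssh-agent keys out of the exchange).
connect_with_identity() {
    key="$1"
    dest="$2"
    if ! check_identity_pair "$key" >/dev/null; then
        echo "warning: $key.pub does not match $key; ssh would offer the wrong key" >&2
        echo "         regenerate it with: ssh-keygen -y -f $key > $key.pub" >&2
        return 1
    fi
    ssh -o IdentitiesOnly=yes -i "$key" "$dest"
}
```

Running check_identity_pair on the identity from the reported case tells you in one line whether the failure is the mismatched-.pub scenario or something else worth chasing in the -vvv output.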