Fix “SCP Permission Denied (publickey)” Error: SSH Key Authentication Troubleshooting Guide for Linux Servers


2 views

When attempting to transfer files between Linux servers using SCP, you might encounter the frustrating "Permission denied (publickey,gssapi-keyex,gssapi-with-mic)" error. This typically indicates SSH key authentication failures, even when you've properly set up key pairs.

# Example of the error you might see:
scp /path/to/file user@remote:/target/directory/
Permission denied (publickey,gssapi-keyex,gssapi-with-mic)

First, verify these critical configuration points on both servers:

# Check SSH daemon configuration
sudo cat /etc/ssh/sshd_config | grep -i "PubkeyAuthentication"
sudo cat /etc/ssh/sshd_config | grep -i "PasswordAuthentication"

# Proper permissions for .ssh directory and files
ls -la ~/.ssh/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
chmod 600 ~/.ssh/id_rsa

Use verbose mode to get detailed connection information:

ssh -vvv user@remote_server

This will show exactly where the authentication process fails. Look for lines containing "Offering public key" or "Server accepts key".

Proper key generation and deployment steps:

# Generate new key pair (on client machine)
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

# Copy public key to remote server (alternative to manual copy)
ssh-copy-id -i ~/.ssh/id_rsa.pub user@remote_server

# If ssh-copy-id isn't available, manual method:
cat ~/.ssh/id_rsa.pub | ssh user@remote_server "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Sometimes the issue lies in server-side SSH configuration. Check these parameters:

# /etc/ssh/sshd_config should contain:
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no  # For security, but can be temporarily set to yes for testing

If your serverA is CentOS, SELinux might be blocking access:

# Check SELinux status
sestatus

# Temporarily set to permissive mode for testing
sudo setenforce 0

# Permanently change (if confirmed as the issue)
sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config

If you need immediate file transfer while troubleshooting:

# Using rsync with SSH (might provide better debugging)
rsync -avz -e ssh /path/to/file user@remote:/target/directory/

# Using SFTP (interactive mode)
sftp user@remote_server
put /local/path /remote/path

After making changes, always:

# Restart SSH service
sudo systemctl restart sshd

# Test connection
ssh -T user@remote_server

Remember that changes to sshd_config require service restart, while permission changes take effect immediately.

When attempting to transfer files between Linux servers using SCP (Secure Copy Protocol), you might encounter the frustrating error:

Permission denied (publickey,gssapi-keyex,gssapi-with-mic)
lost connection

This occurs when the SSH server (in this case, serverB at 111.111.111.111) rejects your public key authentication attempt. Let's dive into why this happens and how to properly configure key-based authentication between CentOS and Ubuntu servers.

The error message reveals the server's preferred authentication methods (publickey, gssapi-keyex, gssapi-with-mic) in order of preference. Our focus should be on the publickey method since that's what we're trying to use.

Common misconfigurations include:

# Wrong permissions on .ssh directory or authorized_keys
ls -la /root/.ssh/

Proper permissions should be:

chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys

On serverA (CentOS), generate a new key pair without passphrase:

ssh-keygen -t rsa -b 4096 -f /root/.ssh/serverA_to_serverB -N ""

Copy the public key to serverB (Ubuntu):

ssh-copy-id -i /root/.ssh/serverA_to_serverB.pub root@111.111.111.111

If ssh-copy-id fails, manually append the public key:

cat /root/.ssh/serverA_to_serverB.pub | ssh root@111.111.111.111 "mkdir -p /root/.ssh && cat >> /root/.ssh/authorized_keys"

On serverB (Ubuntu), verify these settings in /etc/ssh/sshd_config:

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no

After modifying, restart SSH:

systemctl restart sshd

Verify authentication works before attempting SCP:

ssh -v -i /root/.ssh/serverA_to_serverB root@111.111.111.111

Successful authentication should display:

Authenticated to 111.111.111.111 ([111.111.111.111]:22) using "publickey".

With everything properly configured, your SCP command should work:

scp -i /root/.ssh/serverA_to_serverB /root/test.txt root@111.111.111.111:/home/somefolder/

On CentOS (serverA), SELinux might interfere. Check and adjust contexts:

ls -Z /root/.ssh/
restorecon -Rv /root/.ssh

If issues persist, consider these alternatives:

# Use rsync over SSH
rsync -avz -e "ssh -i /root/.ssh/serverA_to_serverB" /root/test.txt root@111.111.111.111:/home/somefolder/

# Temporary enable password authentication (for testing only)
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no root@111.111.111.111

Remember to disable password authentication after testing for security reasons.