How to Fix "SSH Failed Permission Denied (publickey, gssapi-keyex, gssapi-with-mic)"?


Introduction

Secure Shell (SSH) is a network protocol that allows secure communication between two remote computers. It is widely used for system administration, file transfer, and other secure network services.

SSH provides a secure channel over an unsecured network by encrypting the data being transmitted, which makes it virtually impossible for anyone to intercept or modify the data. In today's digital age where cyber-attacks are common occurrences, especially on unsecured networks like public Wi-Fi, it is crucial to protect sensitive information from unauthorized access.

This is where SSH comes into play as it provides an extra layer of security by encrypting data during transmission. With SSH, users can remotely access their servers and devices without worrying about their data being compromised.

Overview of SSH Permission Denied Errors

While SSH provides robust security protocols for remote connections, errors can occur when trying to establish a connection between two computers using this protocol. One of the most common errors encountered when using SSH is the "Permission denied" error message.

This error message indicates that the user does not have the necessary permissions or authentication credentials to access the target device. The names in parentheses after the message are the authentication methods the server was still willing to accept. The error can occur for several reasons, with variations such as publickey, gssapi-keyex or gssapi-with-mic permission denied errors.

Understanding SSH Permission Denied Errors

Common SSH Permission Denied Errors

SSH (Secure Shell) is a vital tool when it comes to secure communication with remote servers. However, it can sometimes present errors that may cause frustration for users.

One of the most common types of errors that SSH throws is the "Permission Denied" error. The three most common variants of this error are "publickey", "gssapi-keyex", and "gssapi-with-mic".

Causes for Each Error Type and How They Affect SSH Access

The "publickey" error occurs when public key authentication is used but fails to verify the client's authenticity. Public key authentication requires both the client and server to have a public and private key pair. If they don't match, you may get this type of error message.

On the other hand, the "gssapi-keyex" error occurs when a user tries to connect using GSSAPI authentication but fails due to incompatibility issues with the local Kerberos setup or with how GSSAPI is configured on the server side.

The "gssapi-with-mic" error usually comes up when there are issues with mutual identification between client and server using Kerberos-based encryption. This problem usually arises if you have not set up your Kerberos configuration correctly or if your setup has compatibility issues.

These errors can cause significant problems for users who rely on SSH for remote access or file transfer functionality. Understanding what each of these errors means and their underlying causes will help users troubleshoot more effectively when they encounter them in their work processes.

Troubleshooting SSH Permission Denied Errors

Step-by-step guide to troubleshoot publickey error

If you are receiving a "Permission Denied (publickey)" error message when attempting to connect to an SSH server, there are several steps you can take to troubleshoot the issue.

First, check the permissions and ownership of your SSH key files. The private key file should have 600 permissions and be owned by the user who is attempting to connect. The public key file should have 644 permissions and be owned by the same user or root.

Next, make sure that your public key is correctly configured in the authorized_keys file on the server you are trying to connect to. You can do this by copying the contents of your local ~/.ssh/id_rsa.pub file into a new line in the remote ~/.ssh/authorized_keys file.

If neither of these steps solves the issue, try generating a new SSH key pair and adding it to your authorized_keys file. To do this, run "ssh-keygen" in your local terminal window and follow the prompts. Then copy your new public key (found in ~/.ssh/id_rsa.pub) into a new line in your remote authorized_keys file.
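The permission and ownership checks from the steps above, written as a script (an added example, not part of the original article). The function names are made up for this example, and beyond the article's 600/644 values it also checks authorized_keys, which sshd's StrictModes rejects when it is group- or world-writable.

```sh
#!/bin/sh
# Added example, not from the original article. Function names are made up here.

# Print "MODE UID" for a file: GNU stat first, then BSD/macOS stat.
mode_uid() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1"
}

# check_file FILE FORBIDDEN_BITS WANT_MODE UID [ALT_UID]
# Prints a finding and returns 1 if FILE has a forbidden permission bit set
# or is owned by neither UID nor ALT_UID.
check_file() (
    file=$1 forbidden=$2 want=$3 uid=$4 alt=${5:-$4} rc=0
    set -- $(mode_uid "$file"); mode=$1 owner=$2
    if [ $(( 0$mode & 0$forbidden )) -ne 0 ]; then
        echo "MODE  $file is $mode, expected $want"; rc=1
    fi
    if [ "$owner" != "$uid" ] && [ "$owner" != "$alt" ]; then
        echo "OWNER $file belongs to uid $owner, expected $uid"; rc=1
    fi
    exit $rc
)

# check_ssh_keys DIR [UID]: audit every key pair in DIR plus authorized_keys.
check_ssh_keys() (
    dir=$1 uid=${2:-$(id -u)} rc=0
    for pub in "$dir"/*.pub; do
        [ -e "$pub" ] || continue            # directory holds no key pairs
        key=${pub%.pub}
        # Private key: 600; ssh ignores a key that group or others can access.
        if [ -e "$key" ]; then check_file "$key" 077 600 "$uid" || rc=1; fi
        # Public key: 644, owned by the user or root (uid 0).
        check_file "$pub" 022 644 "$uid" 0 || rc=1
    done
    # Server side: must not be writable by group or others (StrictModes).
    if [ -e "$dir/authorized_keys" ]; then
        check_file "$dir/authorized_keys" 022 600 "$uid" || rc=1
    fi
    exit $rc
)

# Constructed demo: a throwaway directory with a too-open private key.
demo=$(mktemp -d)
: > "$demo/id_rsa"; : > "$demo/id_rsa.pub"
chmod 644 "$demo/id_rsa" "$demo/id_rsa.pub"
check_ssh_keys "$demo" || true     # reports id_rsa as 644, expected 600
rm -rf "$demo"
```

Run `check_ssh_keys "$HOME/.ssh"` on the client and again on the server account you are logging in to; no output means the files pass.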

Step-by-step guide to troubleshoot gssapi-keyex and gssapi-with-mic errors

If you are receiving a "Permission Denied (gssapi-keyex)" or "Permission Denied (gssapi-with-mic)" error message when attempting an SSH connection, there may be issues with Kerberos authentication. To troubleshoot these errors, first check that Kerberos authentication is properly configured on both the client and the server. Check that both machines have similar Kerberos configurations by running the "krb5-config" command on each machine.

If everything appears correct with Kerberos configuration but you still cannot connect via SSH using these methods, it may be necessary to disable GSSAPI authentication. This can be done by adding the following line to your /etc/ssh/ssh_config or ~/.ssh/config file: "GSSAPIAuthentication no". This will force SSH to use other authentication methods, such as publickey or password-based authentication.

By following these steps and troubleshooting common permission denied errors in SSH, you can ensure secure and reliable communication with remote servers.

Advanced Fixes for Persistent Issues

Using ssh-agent to manage keys

SSH-agent is a program that allows you to manage your SSH keys securely. It runs as a background process and stores your private key passphrase in memory. The advantage of using ssh-agent is that you only have to enter your passphrase once per session, rather than every time you connect to the remote server.

To use ssh-agent, first start the agent process by running the following command in your terminal:

eval "$(ssh-agent -s)" 

Next, add your private key to the agent by running:

ssh-add ~/.ssh/id_rsa 

If your private key has a different name or path, modify the command accordingly. Once added, you can verify that the key is loaded into the agent by running `ssh-add -l`.

Configuring sshd_config file for better security

The `sshd_config` file is the main configuration file for the OpenSSH daemon. By modifying this file, you can change various options related to SSH server behavior and security.

Here are some suggested changes that can improve SSH security:

  • Changing default port − By changing the default port (22) used by SSH, it becomes harder for attackers to find and target your server. However, this should not be relied upon as a sole means of protection.

  • Disabling root login − It's generally considered good practice to disable root login via SSH. This prevents attackers from using brute-force attacks on common username/password combinations.

  • Enabling two-factor authentication − Two-factor authentication (2FA) adds an extra layer of security on top of username/password authentication. This requires users to enter both their password and an additional code generated by a separate device (such as their smartphone).

  • Limiting access with firewall rules − In addition to configuring `sshd_config`, it's a good idea to limit access to your SSH server with firewall rules that only allow connections from trusted IP addresses.

By implementing these security measures, you can significantly reduce the risk of unauthorized access via SSH. However, it's important to keep in mind that no security measure is foolproof and regular monitoring and updates are necessary to maintain a secure system.
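A small audit of the `sshd_config` settings listed above (an added example, not part of the original article; the function names are made up here). It assumes upstream OpenSSH defaults for keywords the file does not set, and it reads only the global section of a single file.

```sh
#!/bin/sh
# Added example, not from the original article. Function names are made up here.

# effective_value FILE KEYWORD DEFAULT
# Prints the global value of KEYWORD: keywords are case-insensitive, the first
# occurrence wins, and anything after a Match line applies only conditionally.
# Include files are not followed.
effective_value() {
    awk -v want="$2" -v def="$3" '
        NF == 0 || $1 ~ /^#/ { next }            # blank lines and comments
        tolower($1) == "match" { exit }          # end of the global section
        tolower($1) == tolower(want) {
            $1 = ""; sub(/^ +/, ""); val = tolower($0); found = 1; exit
        }
        END { print (found ? val : def) }
    ' "$1"
}

# audit_sshd FILE: print findings; return 1 if any WARN was printed.
audit_sshd() (
    cfg=$1 rc=0
    # Defaults below are upstream OpenSSH defaults; a distribution may differ.
    port=$(effective_value "$cfg" Port 22)   # several Port lines are legal; first only
    root=$(effective_value "$cfg" PermitRootLogin prohibit-password)
    auth=$(effective_value "$cfg" AuthenticationMethods any)
    if [ "$port" = 22 ]; then echo "NOTE Port 22 is the default port"; fi
    if [ "$root" != no ]; then
        echo "WARN PermitRootLogin $root: root can still log in over SSH"; rc=1
    fi
    # Space-separated lists are alternatives; only methods joined by commas
    # inside one list are all required, which is what two-factor login needs.
    for list in $auth; do
        case $list in
            *,*) ;;
            *) echo "WARN AuthenticationMethods $list: a single factor is enough"; rc=1 ;;
        esac
    done
    exit $rc
)

# Constructed sample: the first PermitRootLogin wins, so the later "no" is dead.
sample=$(mktemp)
printf '%s\n' 'Port 22' 'PermitRootLogin yes' 'PermitRootLogin no' > "$sample"
audit_sshd "$sample" || true
rm -f "$sample"
```

On a live server, `sshd -T` prints the effective configuration, including defaults and included files, and is the authoritative source.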

Conclusion

In today's world, where online threats and attacks are rampant, it is essential to secure communication channels. SSH ensures secure communication between systems by encrypting data and verifying identities. It provides an extra layer of protection against unauthorized access and eavesdropping.

Any organization that values security should make sure that SSH access is only available to authorized personnel. However, even the best security measures can sometimes fail, resulting in SSH permission denied errors.

The good news is that these errors can be easily fixed with troubleshooting steps and advanced fixes. The sections above provide a step-by-step guide to troubleshoot publickey, gssapi-keyex, and gssapi-with-mic errors, as well as advanced fixes for persistent issues.

Updated on: 05-Jun-2023
