The SSH "Access denied" error occurs when the SSH server rejects your authentication attempt. This is usually due to incorrect credentials, misconfigured keys, disabled authentication methods, or account/group restrictions on the server.
SSH "Access denied" is a generic authentication failure message that appears after the SSH client successfully connects to the server but fails during the authentication phase. The server's SSH daemon (sshd) has evaluated your provided credentials—whether public key, password, or other method—and determined they don't match any accepted authentication method or the user account is restricted. This differs from connection errors (like "Connection refused") because the server is reachable; it simply won't grant access.
First, double-check your SSH command syntax. The most common cause is using the wrong username.
ssh username@hostname
# or with explicit port
ssh -p 22 username@hostnameIf unsure of the correct username, ask your system administrator. Common default usernames:
- Linux/Ubuntu: ubuntu, admin, root
- Amazon Linux: ec2-user
- CentOS/RHEL: centos, root
- Debian: debian
- macOS: your local username
Enable verbose output to see which authentication methods are being attempted and where the failure occurs:
ssh -vvv username@hostnameLook for lines like:
- debug1: Offering public key - Client is trying public key auth
- debug1: Authentications that can continue: publickey,password - Server's accepted methods
- Permission denied (publickey) - Server rejected that method
This reveals exactly which authentication method is failing.
If you don't have an SSH key set up, try password authentication directly. First, ensure the server allows passwords by checking sshd_config on the server:
# On the remote server
sudo grep PasswordAuthentication /etc/ssh/sshd_configIf it shows PasswordAuthentication no, enable it:
# On the remote server
sudo sed -i 's/#PasswordAuthentication yes/PasswordAuthentication yes/' /etc/ssh/sshd_config
sudo systemctl restart ssh # or 'service sshd restart'Then retry from your client:
ssh username@hostname
# Enter password when promptedIf using public key authentication, the authorized_keys file and parent directory must have correct permissions:
# On the remote server, as the user trying to log in
ls -la ~/.ssh/authorized_keys
ls -la ~/.ssh/
ls -la ~/Expected output:
- authorized_keys should be: -rw------- 1 username username (600)
- .ssh directory should be: drwx------ 2 username username (700)
- home directory should be: drwxr-xr-x 2 username username (755, NOT 777)
Fix permissions if needed:
# On the remote server
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
chmod 755 ~/ # if home directory is too permissiveIf using public key auth, your public key must exist on the server:
# On your local machine, display your public key
cat ~/.ssh/id_rsa.pub
# or for ED25519 keys
cat ~/.ssh/id_ed25519.pub# On the remote server, check if it's in authorized_keys
cat ~/.ssh/authorized_keysCompare the output. If your public key isn't there, add it:
# Option 1: Use ssh-copy-id (easiest, if password auth works)
ssh-copy-id -i ~/.ssh/id_rsa.pub username@hostname
# Option 2: Manually append the key (if you have access another way)
echo "your_public_key_content" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keysThe server's SSH configuration may explicitly allow or deny your user. Check on the remote server:
sudo grep -E 'AllowUsers|DenyUsers|AllowGroups|DenyGroups' /etc/ssh/sshd_configIf you see:
- AllowUsers alice bob - Only alice and bob can log in. Add yourself.
- DenyUsers hacker - These users are explicitly blocked.
To fix, edit the config:
sudo vi /etc/ssh/sshd_configAdd or modify lines:
AllowUsers alice bob yourUsername
# or
DenyUsers hackerThen restart SSH:
sudo systemctl restart ssh
# or on some systems:
sudo service sshd restartThe user account might be locked or disabled:
# On the remote server, check account status
sudo passwd -S usernameIf the account is locked (status shows 'L'), unlock it:
sudo passwd -u usernameAlso verify the user's shell is valid:
# Should show /bin/bash or /bin/sh, not /usr/sbin/nologin
grep username /etc/passwdIf it shows nologin, change the shell:
sudo usermod -s /bin/bash usernameIf public key authentication is failing, explicitly request password-based auth:
ssh -o PubkeyAuthentication=no username@hostname
# This forces password auth onlyIf this works, it means:
- Your key isn't the problem
- Password auth is available
- Check the authorized_keys file again
Alternatively, if password fails but key works, ensure password auth is enabled on the server (see Step 3).
SELinux and AppArmor: On servers with SELinux or AppArmor enabled, even correct credentials can be rejected. Check enforcement status:
sudo getenforce # For SELinux
sudo aa-status # For AppArmorIf either is enforcing, SSH might be blocked. Check logs:
sudo tail /var/log/auth.log # Debian/Ubuntu
sudo tail /var/log/secure # CentOS/RHELGroup-based access: If using group-based restrictions (AllowGroups, DenyGroups), ensure your user is in the correct group:
groups usernameAdd user to group if needed:
sudo usermod -aG groupname usernamePAM (Pluggable Authentication Modules): Some systems use PAM for authentication. If sshd_config looks correct but you still can't access, check PAM configuration:
sudo grep -r session /etc/pam.d/sshdMultiple keys: If you have multiple private keys on your system, SSH tries them in order. If a key with too many failed attempts is tried first, the server may reject all subsequent authentication attempts. Use:
ssh -i /path/to/correct/key username@hostnameto explicitly specify which key to use.
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
How to fix SSH man-in-the-middle attack warning in SSH
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
How to fix "WARNING: UNPROTECTED PRIVATE KEY FILE!" in SSH
sign_and_send_pubkey: no mutual signature supported
How to fix "sign_and_send_pubkey: no mutual signature supported" in SSH
Bad owner or permissions on /home/user/.ssh/known_hosts
How to fix "Bad owner or permissions on known_hosts" in SSH
It is required that your private key files are NOT accessible by others.
How to fix "private key files are NOT accessible by others" in SSH