SSH fails with "Permission denied (publickey,keyboard-interactive)" when the server rejects both your public key and the interactive fallback. Usually missing/unauthorized keys, wrong permissions, or sshd config.
This error occurs when SSH tries public key authentication (the most secure method), the server rejects it, and then offers keyboard-interactive authentication (prompting for a password or challenge) as a fallback, which also fails. The methods listed in the parentheses are the ones the server was still willing to try when the connection was finally refused. Public key is the primary mechanism, and keyboard-interactive is a secondary fallback typically backed by PAM. If neither succeeds, the server closes the connection. The error is reported by the SSH client but the decision to reject is made by the server (sshd), so the root cause is almost always something about which keys you presented, their permissions on either side, or how sshd is configured.
Before changing anything, run SSH in verbose mode to see exactly which keys are offered and where the server rejects them:
ssh -vvv username@remote-hostKey lines to look for:
- Offering public key: / Will attempt key: — which keys the client is trying
- Authentications that can continue: publickey,keyboard-interactive — the methods the server still accepts
- Permission denied (publickey,keyboard-interactive). — the final rejection
If your key is never offered, the problem is client-side (missing key, agent, or IdentitiesOnly). If it is offered but rejected, the problem is server-side (authorized_keys content or permissions). This tells you which of the steps below to focus on.
Check that you have an SSH key pair on your local machine:
ls -la ~/.ssh/You should see a private key and matching public key, e.g. id_ed25519 / id_ed25519.pub or id_rsa / id_rsa.pub. If you have none, generate a key (Ed25519 is preferred on modern systems):
ssh-keygen -t ed25519 -C "[email protected]"For maximum compatibility with very old servers, use RSA with a strong size:
ssh-keygen -t rsa -b 4096 -C "[email protected]"Use a passphrase when prompted; it protects the key at rest and can be cached by your agent so you are not prompted every time.
OpenSSH refuses to use a private key whose permissions are too open. Tighten them:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519.pub(Use the actual key filenames you found above.) Verify:
ls -la ~/.ssh/Expected:
- drwx------ (700) for the ~/.ssh directory
- -rw------- (600) for the private key
- -rw-r--r-- (644) for the .pub file
Your public key must be listed in ~/.ssh/authorized_keys on the server for the account you are logging into. The simplest way (when you can still authenticate by another method, e.g. password) is:
ssh-copy-id -i ~/.ssh/id_ed25519.pub username@remote-hostIf ssh-copy-id is unavailable, append the key manually. Note that ssh-copy-id and this command also create ~/.ssh and authorized_keys with correct permissions if missing:
ssh username@remote-host "umask 077; mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys" < ~/.ssh/id_ed25519.pubReplace username and remote-host accordingly.
Log into the server (using any method that works) and ensure the SSH directory and authorized_keys are not too open. sshd's StrictModes will silently ignore authorized_keys if these are group- or world-writable:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keysThe home directory itself must also not be group- or world-writable. Check it and tighten only if needed:
ls -ld ~
# if it is group/other writable, remove that write bit:
chmod go-w ~Verify the results:
ls -la ~/.ssh/The ~/.ssh directory should be 700 and authorized_keys should be 600, owned by your user. Incorrect permissions here are one of the most common causes of this error.
On the server, confirm the exact key you are using is present:
cat ~/.ssh/authorized_keysEach entry is a single long line starting with the key type (ssh-ed25519, ssh-rsa, ecdsa-sha2-...). A frequent mistake is a public key split across multiple lines by a copy/paste — each key must be exactly one line.
To confirm the key on the server matches your local key, compare fingerprints. On your client:
ssh-keygen -lf ~/.ssh/id_ed25519.pubOn the server, run ssh-keygen -lf against the authorized_keys file; it prints one fingerprint per line, one for each authorized key:
ssh-keygen -lf ~/.ssh/authorized_keysYour client's fingerprint should appear in that list.
If you have many keys, SSH may exhaust the server's MaxAuthTries by offering the wrong keys before reaching the correct one, producing this error even though a valid key exists. Force SSH to use only the key you specify:
ssh -o IdentitiesOnly=yes -i ~/.ssh/id_ed25519 username@remote-hostMake it permanent in ~/.ssh/config:
Host myserver
HostName remote-host
User username
IdentityFile ~/.ssh/id_ed25519
IdentitiesOnly yesThen connect with ssh myserver. IdentitiesOnly yes stops the client and agent from blindly offering every key.
If your key is never offered in the -vvv output, your agent may not have it loaded. Start the agent and list loaded keys:
eval "$(ssh-agent -s)"
ssh-add -lIf the key is missing, add it (you will be prompted for the passphrase if it has one):
ssh-add ~/.ssh/id_ed25519On macOS, store the passphrase in the keychain so it loads automatically:
ssh-add --apple-use-keychain ~/.ssh/id_ed25519If permissions and authorized_keys are correct but key auth is still rejected for everyone, inspect the server's sshd config. Edit /etc/ssh/sshd_config (and any drop-ins under /etc/ssh/sshd_config.d/):
sudo nano /etc/ssh/sshd_configEnsure these are present and not commented out:
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
KbdInteractiveAuthentication yesOn older OpenSSH releases the keyboard-interactive directive is named ChallengeResponseAuthentication yes. Validate the config before applying it so a typo cannot lock you out:
sudo sshd -tIf it reports no errors, reload sshd (keep your current session open until you confirm a new login works):
sudo systemctl reload sshdOn systems without systemd:
sudo service ssh reloadCheck the server auth logs. The server logs the real reason for the rejection, which the client cannot see. On the server: sudo tail -f /var/log/auth.log (Debian/Ubuntu) or sudo tail -f /var/log/secure (RHEL/CentOS/Fedora). Look for messages like "Authentication refused: bad ownership or modes" (a permissions/StrictModes problem) or "no matching key exchange/host key" (an algorithm mismatch, a different error class).
Legacy RSA (ssh-rsa) signatures. OpenSSH 8.8+ disables the old ssh-rsa (SHA-1) signature algorithm by default. An old RSA key can fail against a new server (or vice versa). The correct fix is to generate an Ed25519 key. As a temporary, scoped workaround you can re-enable it for one host with ssh -o PubkeyAcceptedAlgorithms=+ssh-rsa ..., but migrate the key rather than leaving this enabled.
SELinux / AppArmor. On enforcing systems these can block reading authorized_keys. Prefer restoring the correct SELinux context with restorecon -Rv ~/.ssh over disabling enforcement.
Restricted accounts. SFTP-only or chrooted accounts (via a Match block or a forced command) can present as auth failures or immediate disconnects. Check sshd_config for Match, ForceCommand, and ChrootDirectory.
SSH port. Confirm you are connecting to the correct port: ssh -p PORT username@host if sshd does not listen on 22.
sign_and_send_pubkey: no mutual signature supported
How to fix "sign_and_send_pubkey: no mutual signature supported" in SSH
sign_and_send_pubkey: signing failed for RSA from agent: agent refused operation
How to fix "sign_and_send_pubkey: signing failed for RSA from agent: agent refused operation" in SSH
Bad owner or permissions on /home/user/.ssh/config
How to fix "Bad owner or permissions on .ssh/config" in SSH
No more authentication methods to try.
How to fix "No more authentication methods to try." in SSH
Error connecting to agent: Connection refused
How to fix "Error connecting to agent: Connection refused" in SSH