🟠 High   ⏱ 5–30 min  Last verified: 19 May 2026
Affected versions: Debian 11

πŸ“– ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Administrators cannot authenticate with keys, resulting in emergency console dependence and delayed incident response.

Environment & Reproduction

Usually follows home directory migration, permission drift, or strict sshd policy hardening updates.

Root Cause Analysis

OpenSSH rejects key-based auth when ownership, permissions, or algorithm policy do not satisfy server requirements.

Quick Triage

Run ssh -vvv user@host and check server logs for explicit key rejection reasons before changing auth methods.

Step-by-Step Diagnosis

Validate chmod 700 ~/.ssh, chmod 600 ~/.ssh/authorized_keys, and inspect /var/log/auth.log for “Authentication refused” lines.

Illustrative mockup for debian-11 β€” terminal_or_shell
SSH verbose client output for key negotiation failures β€” Illustrative mockup β€” Progressive Robot

Solution – Primary Fix

Correct file ownership, ensure PubkeyAuthentication yes, reload sshd, and test login with one controlled key pair.

Still having issues? Our IT Consulting team can diagnose and resolve this for you. Get in touch for a free consultation.

Illustrative mockup for debian-11 β€” log_or_config
sshd_config and authorized_keys permission corrections β€” Illustrative mockup β€” Progressive Robot

Solution – Alternative Approaches

Temporarily allow password auth in restricted maintenance window while keys are reissued and policy updated.

Verification & Acceptance Criteria

Key login must succeed without password prompt and audit logs should show accepted publickey entries.

Rollback Plan

Restore prior sshd_config and known working authorized_keys snapshots if policy change unexpectedly blocks users.

Prevention & Hardening

Use config management for permissions, rotate keys regularly, and monitor failed-auth spikes in SIEM.

Frequent strings include “Permission denied (publickey)” and “Authentication refused: bad ownership”.

Related tutorial: View the step-by-step tutorial for debian-11.

View all debian-11 tutorials on the Tutorials Hub β†’

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Review sshd_config manual pages and Debian OpenSSH hardening guidance.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today β€” we respond within one business day.