[SOLVED] Permission denied (publickey,password)

[akamatch14]

Hello,

When I try to migrate a VM back to my node pve2 from pve3, I get this error message. I’ve tried everything to fix it.

task started by HA resource agent
2025-09-08 13:33:14 # /usr/bin/ssh -e none -o 'BatchMode=yes' -o 'HostKeyAlias=pve2' -o 'UserKnownHostsFile=/etc/pve/nodes/pve2/ssh_known_hosts' -o 'GlobalKnownHostsFile=none' root@192.168.4.231 /bin/true
2025-09-08 13:33:14 root@192.168.4.231: Permission denied (publickey,password).
2025-09-08 13:33:14 ERROR: migration aborted (duration 00:00:04): Can't connect to destination address using public key
TASK ERROR: migration aborted

 

[bbgeek17]

Hi @akamatch14,
Can you clarify what "everything" is? Have you tried :
pvecm updatecert -f

Until you have fixed the authentication, your migration will continue to fail.

Have you done anything recently that changed your configuration? For example, replaced a node? Presumably this has worked before as you need good SSH authentication to create a cluster.

---

Blockbridge : Ultra low latency all-NVME shared storage for Proxmox - https://www.blockbridge.com/proxmox

 

[akamatch14]

Hi @bbgeek17

We have tried pvecm updatecert -f and we have tried ssh-copy-id.
We have not made any configuration changes.

 

[akamatch14]

root@pve3:~# pvecm updatecert -f
(re)generate node files
generate new node certificate
merge authorized SSH keys
root@pve3:~# ssh root@pve2
root@pve2's password:

 

[bbgeek17]

Run that command manually from the shell, does it work?
Examine /etc/pve/nodes/pve2/ssh_known_hosts , is it the same or different from pve1?
Run: ssh -vvv root@pve2
Look for : Offering public key:
Do any of the public keys match what is in authorized_keys on the other side?
Tail journal on target side: journalctl -f|egrep "publickey" - is anything being logged when you ssh with long/short commands? Do fingerprints match?

What has changed since the time it worked? Or has this never worked?

---

Blockbridge : Ultra low latency all-NVME shared storage for Proxmox - https://www.blockbridge.com/proxmox

 

[akamatch14]

debug1: Offering public key: /root/.ssh/id_rsa RSA SHA256:NavfWPxOY5/PvKEGTZaSCf+2gEmEmtKt3N2SWpVBkTo
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /root/.ssh/id_rsa RSA SHA256:NavfWPxOY5/PvKEGTZaSCf+2gEmEmtKt3N2SWpVBkTo
debug3: sign_and_send_pubkey: using publickey with RSA SHA256:NavfWPxOY5/PvKEGTZaSCf+2gEmEmtKt3N2SWpVBkTo
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:NavfWPxOY5/PvKEGTZaSCf+2gEmEmtKt3N2SWpVBkTo
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_ecdsa
debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ecdsa_sk
debug3: no such identity: /root/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /root/.ssh/id_ed25519
debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /root/.ssh/id_ed25519_sk
debug3: no such identity: /root/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /root/.ssh/id_xmss
debug3: no such identity: /root/.ssh/id_xmss: No such file or directory
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
debug2: we did not send a packet, disable method

 

[akamatch14]

Yes, the keys match.

 

[akamatch14]

journalctl -f|egrep "publickey"

there are no logs for this command. I do not think it has ever worked ughh

 

[bbgeek17]

As I mentioned, this:

root@pve3:~# ssh root@pve2
root@pve2's password:

is not the same as:

2025-09-08 13:33:14 # /usr/bin/ssh -e none -o 'BatchMode=yes' -o 'HostKeyAlias=pve2' -o 'UserKnownHostsFile=/etc/pve/nodes/pve2/ssh_known_hosts' -o 'GlobalKnownHostsFile=none' root@192.168.4.231 /bin/true

The commands use different key locations and keys. You should be able to make ssh root@pve2 work by following the standard SSH key exchange steps. Can you figure out why it isn’t working?

I know quite a few people have run into SSH key issues with the your symptoms. However, the root cause can vary widely, even though the error message looks identical. Personally, I’ve never encountered this problem, cluster cross-SSH has always worked for us.

My advice: get basic SSH working for root across all hosts. You may discover something interesting in the process.

---

Blockbridge : Ultra low latency all-NVME shared storage for Proxmox - https://www.blockbridge.com/proxmox

 

[akamatch14]

Thanks for you help

After spending hours troubleshooting, I finally discovered the issue, Bitdefender was the culprit. It was interfering with the SSH connection. I’m honestly kicking myself for not checking that first. I feel like I failed at being an IT tech, it should’ve been the first thing I looked into.

 

[bbgeek17]

Thank you for coming back with a solution! It is extremely valuable for those that come after you.

Cheers!

---

Blockbridge : Ultra low latency all-NVME shared storage for Proxmox - https://www.blockbridge.com/proxmox