Sftp Failed to connect: Permission denied (publickey)

Hello everyone,

I’m facing a perplexing issue while trying to establish an SFTP connection to my backup server and could really use your insights. Every attempt results in a “Failed to connect: Permission denied (publickey)” error. Here’s the detailed console output for reference:

duplicati-duplicati-1  | Renci.SshNet.Common.SshAuthenticationException: Permission denied (publickey).
duplicati-duplicati-1  |   at Renci.SshNet.ClientAuthentication.Authenticate (Renci.SshNet.IConnectionInfoInternal connectionInfo, Renci.SshNet.ISession session) [0x0007e] in <969f1a9d1df4435bb9f5c99415b06766>:0
duplicati-duplicati-1  |   at Renci.SshNet.ConnectionInfo.Authenticate (Renci.SshNet.ISession session, Renci.SshNet.IServiceFactory serviceFactory) [0x0001b] in <969f1a9d1df4435bb9f5c99415b06766>:0
duplicati-duplicati-1  |   at Renci.SshNet.Session.Connect () [0x001e9] in <969f1a9d1df4435bb9f5c99415b06766>:0
duplicati-duplicati-1  |   at Renci.SshNet.BaseClient.CreateAndConnectSession () [0x00053] in <969f1a9d1df4435bb9f5c99415b06766>:0
duplicati-duplicati-1  |   at Renci.SshNet.BaseClient.Connect () [0x0001f] in <969f1a9d1df4435bb9f5c99415b06766>:0
duplicati-duplicati-1  |   at Duplicati.Library.Backend.SSHv2.TryConnect (Renci.SshNet.SftpClient client) [0x0007b] in <b63dbdcd6b674560b8dea334a9cb2e39>:0
duplicati-duplicati-1  |   at Duplicati.Library.Backend.SSHv2.CreateConnection () [0x0010e] in <b63dbdcd6b674560b8dea334a9cb2e39>:0
duplicati-duplicati-1  |   at Duplicati.Library.Backend.SSHv2+<List>d__42.MoveNext () [0x0002c] in <b63dbdcd6b674560b8dea334a9cb2e39>:0
duplicati-duplicati-1  |   at Duplicati.Library.Interface.BackendExtensions.TestList (Duplicati.Library.Interface.IBackend backend) [0x00017] in <9385304baed84a39b0ffc49ae589b75e>:0
duplicati-duplicati-1  |   at Duplicati.Library.Backend.SSHv2.Test () [0x00000] in <b63dbdcd6b674560b8dea334a9cb2e39>:0
duplicati-duplicati-1  |   at Duplicati.Server.WebServer.RESTMethods.RemoteOperation.TestConnection (System.String url, Duplicati.Server.WebServer.RESTMethods.RequestInfo info) [0x000b7] in <30a34d71126b48248d040dda634ddad9>:0
duplicati-duplicati-1  |   at Duplicati.Server.WebServer.RESTMethods.RemoteOperation.POST (System.String key, Duplicati.Server.WebServer.RESTMethods.RequestInfo info) [0x00091] in <30a34d71126b48248d040dda634ddad9>:0
duplicati-duplicati-1  |   at Duplicati.Server.WebServer.RESTHandler.DoProcess (Duplicati.Server.WebServer.RESTMethods.RequestInfo info, System.String method, System.String module, System.String key) [0x00289] in <30a34d71126b48248d040dda634ddad9>:0

I’m currently using the latest Docker image of Duplicati, available at: Docker

To set things up, I’ve mounted my .config directory to /config within the container. Following that, I generated a new RSA key pair (id_rsa and id_rsa.pub) using ssh-keygen -m PEM -t rsa -b 4096, placing the files in ./config/keys/. The public key (id_rsa.pub) has been added to the server.

Connecting directly via SSH using ssh -i <path_to_that_file> user@myip works without any issues. Furthermore, when configuring the SFTP connection in Duplicati’s advanced settings, it prompts correctly for the passphrase when needed, indicating it’s reading the key file correctly. Yet, I still end up facing a “Permission denied” error.

I’m at my wit’s end trying to figure out why this is happening. Has anyone encountered a similar issue or have any suggestions on what might be going wrong?

Appreciate any help you can provide!

Uh ? How can it be possible ? there is no code to prompt for a ssh passphrase in Duplicati. The normal password is used and it disables password authentication (obviously). This is working fine with current Duplicati (without Docker - I don’t use it).

Try to remove the passphrase on the key file to see if it’s linked to this passphrase reading or not.

Support OpenSSH 8.8 #4615 has this stack in Duplicati issues and links to a fixed SSH.NET issue.

Results of relevant openssl version and ssh -V might tell us if this version incompatibility exists.

If that is this problem, a new Duplicati would be needed to pick up the SSH.NET that has their fixes.

So a LinuxServer image, not a Duplicati. Chances are low that you’ll get one from the Duplicati team.
Occasionally the Duplicati developers will do private test builds, but they’re usually not Dockers at all.