The error git@github.com: Permission denied (publickey). fatal: Could not read from remote repository means GitHub rejected your SSH authentication. It’s a common blocker when setting up Git. Here’s how to fix it completely.
📋 Table of Contents
- What This Error Means
- Step 1: Check for Existing SSH Keys
- Step 2: Generate a New SSH Key
- Step 3: Add the Key to the SSH Agent
- Step 4: Add the Public Key to GitHub
- Step 5: Test the Connection
- Common Cause 1: Using HTTPS Remote Instead of SSH
- Common Cause 2: Key Not Loaded in Agent
- Common Cause 3: Wrong Key Permissions
- Debugging with Verbose Output
- Frequently Asked Questions
- Conclusion
What This Error Means
GitHub uses SSH keys to authenticate you for push/pull over SSH. “Permission denied (publickey)” means GitHub couldn’t verify your identity — usually because you have no SSH key, the key isn’t added to your GitHub account, or the SSH agent isn’t using it.
Step 1: Check for Existing SSH Keys
ls -la ~/.ssh
# Look for: id_ed25519.pub or id_rsa.pub
# If you see .pub files, you may already have a key — skip to Step 3
Step 2: Generate a New SSH Key
# Ed25519 is the modern recommended algorithm
ssh-keygen -t ed25519 -C "your_email@example.com"
# Press Enter to accept default location (~/.ssh/id_ed25519)
# Optionally set a passphrase for extra security
# For older systems without Ed25519 support:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
Step 3: Add the Key to the SSH Agent
# Start the ssh-agent
eval "$(ssh-agent -s)"
# Agent pid 12345
# Add your key
ssh-add ~/.ssh/id_ed25519
# On macOS, store passphrase in keychain
ssh-add --apple-use-keychain ~/.ssh/id_ed25519
Step 4: Add the Public Key to GitHub
# Copy your PUBLIC key (.pub — never share the private key!)
cat ~/.ssh/id_ed25519.pub
# macOS: copy directly to clipboard
pbcopy < ~/.ssh/id_ed25519.pub
# Linux:
xclip -sel clip < ~/.ssh/id_ed25519.pub
Then in GitHub: Settings, then SSH and GPG keys, then New SSH key. Paste the public key and save.
Step 5: Test the Connection
ssh -T git@github.com
# Success looks like:
# Hi username! You've successfully authenticated,
# but GitHub does not provide shell access.
# The "does not provide shell access" message is NORMAL and means it worked!
Common Cause 1: Using HTTPS Remote Instead of SSH
# Check your remote URL
git remote -v
# origin https://github.com/user/repo.git ← HTTPS, not SSH!
# Switch to SSH
git remote set-url origin git@github.com:user/repo.git
# Verify
git remote -v
# origin git@github.com:user/repo.git (fetch)
Common Cause 2: Key Not Loaded in Agent
# List keys currently in the agent
ssh-add -l
# "The agent has no identities" means no key is loaded
# Add your key
ssh-add ~/.ssh/id_ed25519
# Make it persistent — add to ~/.ssh/config:
Host github.com
HostName github.com
User git
IdentityFile ~/.ssh/id_ed25519
AddKeysToAgent yes
UseKeychain yes # macOS only
Common Cause 3: Wrong Key Permissions
# SSH refuses keys with loose permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519 # private key
chmod 644 ~/.ssh/id_ed25519.pub # public key
chmod 600 ~/.ssh/config
Debugging with Verbose Output
# See exactly what SSH is doing
ssh -vT git@github.com
# Look for lines like:
# "Offering public key: ~/.ssh/id_ed25519" ← key is being tried
# "Authentications that can continue: publickey" ← GitHub wants a key
# If your key isn't offered, it's not in the agent or config
Frequently Asked Questions
Q: Should I use Ed25519 or RSA?
A: Ed25519 — it's more secure and faster than RSA. Use RSA (4096-bit) only for older systems that don't support Ed25519.
Q: What's the difference between the .pub file and the other one?
A: id_ed25519.pub is your PUBLIC key — safe to share, add it to GitHub. id_ed25519 (no extension) is your PRIVATE key — never share it, never commit it.
Q: It worked before but suddenly fails. Why?
A: The ssh-agent often loses keys after a reboot. Add AddKeysToAgent yes to ~/.ssh/config, or re-run ssh-add. On macOS, UseKeychain yes makes it persistent.
Q: Can I use the same key on multiple machines?
A: You can, but best practice is a separate key per device. That way, if one machine is compromised, you revoke only that key from GitHub without affecting others.
Q: HTTPS or SSH for GitHub?
A: SSH avoids entering credentials repeatedly and is convenient once set up. HTTPS with a personal access token is simpler for one-off use or restricted networks that block SSH.
Conclusion
"Permission denied (publickey)" means GitHub couldn't authenticate your SSH key. The fix sequence: generate a key with ssh-keygen -t ed25519, add it to the agent with ssh-add, add the .pub key to GitHub, and test with ssh -T git@github.com. If it still fails, check that your remote uses SSH (not HTTPS) and that key permissions are correct. The verbose flag ssh -vT reveals exactly where authentication breaks down.
📚 You might also like
🔗 Share this article




✍️ Leave a Comment