When you attempt to connect to an SSH server, you might encounter an error message, especially if the configuration of your SSH server differs from the default. In this guide, we discuss the most common error messages and explain how to resolve them.
Permission denied (pubkey, password)
This error message comes in two variants: Permission denied (pubkey) and Permission denied (password). In both cases, authentication with a password is usually possible, but in the pubkey variant, the server actually expects an SSH key to be used.
Although this error message is relatively harmless, it can still be quite challenging to troubleshoot. This error message can have the following possible causes:
An incorrect username or password
The simplest way to check the username and password is to connect to your server via the console in the VPS control panel or the console in Horizon for OpenStack instances. You can then directly test the username and password you are trying to connect with via SSH, or, for example, log in with the root user and then switch to the user with the command:
su <username>Replace <username> with the name of the user. Do you get a message that the password is incorrect? Then log in with the root user or another user with sudo rights and reset the password with the command:
passwd <username>
An incorrect SSH key
Are you using SSH keys and receiving the ‘Permission denied (pubkey)’ error message? Then check if you have generated your SSH key correctly and if the public key has been correctly added to your VPS. You can use our guide 'Generating and using SSH keys’ for this.
However, if you want to log in with a password via SSH and you get this error message, go through the steps in the paragraphs ‘An incorrect username or password’ and ‘An incorrect configuration of the SSH server’.
An incorrect configuration of the SSH server
Are you using the correct username and password but still getting the Permission denied error message? Then this is probably caused by the configuration of your SSH server. The easiest way to rule out configuration issues is to restore the configuration to the default values.
Step 1
Connect to your server via the console in the VPS control panel or the console in Horizon for OpenStack instances.
Step 2
Open the SSH configuration as root user or with sudo:
sudo nano /etc/ssh/sshd_config
Step 3
Most lines are commented out by default. Are you getting a 'Permission Denied' error message, and does your configuration differ from the one below? Then place a # before all lines that are not listed below for the operating system you are using. Save your changes and close the configuration (ctrl + x > y > enter).
AlmaLinux/Rocky Linux/CentOS Stream:
Include /etc/ssh/sshd_config.d/*.conf
AuthorizedKeysFile .ssh/authorized_keys
Subsystem sftp /usr/libexec/openssh/sftp-serverUbuntu:
Include /etc/ssh/sshd_config.d/*.conf
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding yes
PrimtMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-serverDebian:
Include /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrimtMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-serverNote: For security reasons, some important options in your configuration may not be commented out, such as the options:
- Port <nr>: This adjusts which port is used by your VPS. For security reasons, we recommend changing the SSH port.
- PermitRootLogin: Adjusts whether/how the root user can connect via SSH (e.g., not allowed on Plesk, cPanel, and DirectAdmin installations on our VPS platforms).
- PasswordAuthentication: Whether the user can log in with a password via SSH or, for example, only via SSH keys.
- KbdInteractiveAuthentication: Determines whether s/keys (a type of one-time password) can be used.
If you are unsure whether these options affect your ability to connect to your SSH server, place a # before the lines (except for the Port option).
Step 4
Finally, reload the SSH configuration:
sudo systemctl reload sshdNow try to connect to your SSH server again.
Host Key Verification Failed Error Message: WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
This error message indicates that the host key of the server you are trying to connect to has changed. Typically, you will see this error message after reinstalling your server: your computer still has the old host key stored while it has changed after the reinstallation. It is rare and relatively unlikely that you will receive this message due to something more serious (e.g., if the server has been compromised).
Windows
If you are using Windows with Putty to establish the SSH connection, you can simply accept that a different host key is being offered: your computer will then save it, and you will not see the message again.
Linux
Are you connecting from a Linux distro? Then you can remove the old host key. These are stored in the ~/.ssh/known_hosts directory, and you can remove a specific host key, for example, with the command:
ssh-keygen -R <hostname>Replace <hostname> with the hostname you are trying to connect to via SSH.
SSH: Connect to host <hostname> port 22: Network is unreachable
Your computer/laptop fails to connect to the SSH server. This error message can be caused by:
- The SSH server is offline/There is no active SSH server
- The SSH server is using a different port
- A firewall is blocking the connection
- Selinux is blocking the connection
- You are using a VPN connection
The SSH server is offline/There is no active SSH server
It may seem obvious, but it is possible that your SSH server is not active because it has not started or has crashed. You can rule this out by connecting to your server via the console in the VPS control panel or the console in Horizon for OpenStack instances. Use the root user or a user with sudo rights. Then execute the following command:
sudo systemctl status sshd | grep Active:Do you see "Active: active (running)" in the output? Then your SSH server is active, and another issue might be the cause.
If you see a different status, you can first try restarting the SSH server with the command:
sudo systemctl restart sshdDo you get an error message now? Then check your log files and investigate the specific error message:
journalctl -xe -u sshd
The SSH server is using a different port
We encourage you to change the SSH port of your server. It is important that, when you do so, you keep this in mind when connecting to your server.
You can check if this is the case by connecting to your server via the console in the VPS control panel or the console in Horizon for OpenStack instances as a root user or a user with sudo rights. Then execute the following command:
sudo cat /etc/ssh/sshd_config | grep PortThe output will show you the port number on which SSH is active. Are you already connecting to your SSH server on this port number? Then there might be another reason why you cannot connect to your VPS.
Note that it is important to open this port in your firewall if you are using a different port for SSH. See the next paragraph.
A firewall is blocking the connection
If you are sure that your SSH server is online and know which port it uses, it is possible that the port is being blocked by a firewall or by SeLinux.
The VPS firewall in the TransIP control panel
Check if the VPS firewall in the TransIP control panel is enabled and, if so, whether it allows the correct SSH port (see the previous paragraph).
The firewall on your VPS
Step 1
Before checking whether the firewall on your VPS is blocking the SSH port, it is useful to check which port is used for SSH. Connect to your server via the console in the VPS control panel or the console in Horizon for OpenStack instances as a root user or a user with sudo rights. Then execute the following command:
sudo cat /etc/ssh/sshd_config | grep PortNote/remember the port number you see here.
Step 2
Open the port in your firewall (replace 22 with the actual port number). Is the port already open? Then you will receive a notification, and this is probably not the cause of your connection problems.
AlmaLinux/Rocky Linux/CentOS Stream:
sudo firewall-cmd --permanent --zone=public --remove-port=22/tcp
sudo firewall-cmd --reloadUbuntu/Debian:
ufw allow 22
Selinux is blocking the connection
Security-Enhanced Linux, or SELinux, is a kernel security module typically used in Red Hat systems such as AlmaLinux, Rocky Linux, and CentOS Stream. Selinux controls port access, somewhat similar to a firewall in that respect. To rule out whether Selinux is blocking your SSH connection, follow the steps below.
Step 1
Connect to your server via the console in the VPS control panel or the console in Horizon for OpenStack instances as a root user or a user with sudo rights.
Step 2
Execute the following command:
sestatusThe output will look like this:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31Is the status set to 'enabled' and the mode to ‘enforcing’ (and not, for example, permissive)? Then Selinux is enabled and active. If not, then Selinux is not blocking your SSH port, and you can try another solution.
Step 3
Check if the SSH port is open with the command:
semanage port -l | grep portnumberReplace 'portnumber' with the number of the port you want to check.
Alternatively, you can also check directly by port type (i.e., a specific program/service) with the command:
semanage port -l | grep -w ssh_port_tIs the SSH port closed? You can open it in Selinux with the command:
semanage port --add -t ssh_port_t -p tcp 22Optionally, replace 22 with the number of your SSH port if you have changed it.
You are using a VPN connection
If you are using a VPN connection, you may receive the ‘Network is unreachable’ or ‘Connection timed out’ error message. This usually happens because your firewall only allows the IP address of your VPN connection or perhaps it is not whitelisted in your firewall.
In this case, check whether your VPN connection is on or off and whether a possible firewall is blocking the connection. See the previous paragraph on firewalls in SSH connection issues.
ssh: connect to host [hostname] port 22: Connection timed out
This error message usually indicates that the SSH server cannot be reached. In this case, it is likely that the issue lies with the computer you are trying to connect with to the SSH server. The most common causes of this error message are:
- A DNS issue
- A network issue
- A firewall blocking the connection (possibly in combination with a VPN)
- The SSH server is not active
A DNS issue
When there is a DNS issue, and you are trying to connect with the hostname of your SSH server (e.g., server.example.com), your computer cannot find that hostname. In that case, it is a good idea to try to connect using the IP address of the SSH server, for example, for Linux distros with the command:
ssh <username>@123.123.123.123 Replace <username> with the name of the SSH user and 123.123.123.123 with the IP address of the SSH server.
Can you now establish a connection to your SSH server? Then there is a DNS issue. First, perform a traceroute/MTR to rule out any connection problems, then check the hostname of your SSH server, and finally verify whether the DNS settings of the domain correctly point to your SSH server.
A network issue
It is possible that the problem lies between your computer and the SSH server, for example, with a router between your computer and the SSH server: besides your home router and the one in the data center where your SSH server is located, additional connections are usually made through other networks. To see if there is a network issue somewhere along this route, we recommend running a traceroute/MTR to determine if this is the case.
If your home router is experiencing an issue, usually a restart or reset (these are two different actions) is enough to fix the problem.
ssh: connect to host [hostname] port 22: No route to host
A fairly common error message where the cause often needs to be investigated on the SSH server. The most common causes are:
- The SSH server is down/has no internet connection
- A network issue between your computer and the SSH server
- A firewall blocking the connection (although this often gives the Network is unreachable error message)
The SSH server is down/has no internet connection
To rule out this cause, connect to your server via the console in the VPS control panel or the console in Horizon for OpenStack instances as a root user or a user with sudo rights. Can you log in to your SSH server? Then execute a ping command to the IP address 8.8.8.8:
ping 8.8.8.8Does the ping command succeed? Then your network connection is fine. Also check the status of your SSH server.
ssh: connect to host [hostname] port 22: Connection refused
With this error message, your computer does reach the SSH server, but the server sends back a TCP 'reset' packet because the SSH service is not active or is using a different port. In the following sections, we explain how to investigate this:
Permissions 0644 for 'id_rsa' are too open
This error message indicates that the private key file has permissions that are too broad. You can fix this error message by adjusting the permissions for id_rsa as the root user or a user with sudo rights with the command:
chmod 600 ~/.ssh/id_rsa
This concludes our guide on troubleshooting SSH connection issues. Do you encounter another error message that you would like an explanation for, or have you found a solution that is not mentioned in this article? Then we would love to hear from you via the 'Contact Us' button at the bottom of this article.