Ubuntu SSH Connection Troubleshooting Checklist
What You'll Learn
- How to systematically troubleshoot SSH connection issues
- How to fix
Permission denied (publickey)andHost key verification failed - Avoid common pitfalls with key files, permissions, known_hosts, and sshd configuration
💡 Quick Summary
Check in this order to avoid getting lost:
- Correct host and port? (DNS/IP, non-standard ports)
- Key authentication failing? (
Permission denied (publickey)) - known_hosts issue? (
Host key verification failed) - Server-side sshd running? (
systemctl status ssh/ logs)
Table of Contents
⚠️ Prerequisites
- Client: Ubuntu (concepts apply to macOS etc.)
- Server: Ubuntu (OpenSSH server)
- Permissions:
sudowhen needed (server-side checks)
1. Basic Connection Commands
$ ssh user@server.example.com
Specifying a port (e.g., 2222):
$ ssh -p 2222 user@server.example.com
Specifying a key file:
$ ssh -i ~/.ssh/id_ed25519 user@server.example.com
2. Debug with -v Flag (Start Here)
Verbose output is the fastest way to identify the issue.
$ ssh -v user@server.example.com
Even more detail (when needed):
$ ssh -vv user@server.example.com
Case A: Permission denied (publickey)
Meaning: Server is reachable but key authentication was rejected
Check 1: Key file exists?
$ ls -la ~/.ssh
Check 2: Key file permissions (wrong permissions = key won't work)
Recommended permissions:
- Private key:
600 .sshdirectory:700
$ chmod 700 ~/.ssh $ chmod 600 ~/.ssh/id_ed25519
Check 3: Explicitly specify which key
$ ssh -i ~/.ssh/id_ed25519 user@server.example.com
Check 4: Public key registered on server?
On the server (via console or alternative access):
$ ls -la /home/user/.ssh $ ls -la /home/user/.ssh/authorized_keys
Fix permissions:
$ chmod 700 /home/user/.ssh $ chmod 600 /home/user/.ssh/authorized_keys $ chown -R user:user /home/user/.ssh
💡 If the public key isn't in authorized_keys, authentication will fail even with the correct key.
Case B: Host key verification failed
Meaning: SSH is verifying "Is this really the same server I connected to before?" Common after server rebuilds or IP reuse.
Fix (remove the host entry from known_hosts):
$ ssh-keygen -R server.example.com
If connecting by IP:
$ ssh-keygen -R 203.0.113.10
Then reconnect and verify the fingerprint before accepting.
Case C: Connection timed out
Meaning: Network unreachable (firewall/security group/routing/wrong port)
Check 1: DNS resolving?
$ dig server.example.com +short
Check 2: Port open?
Using nc:
$ nc -vz server.example.com 22
Different port:
$ nc -vz server.example.com 2222
timed out means "can't reach at all" - this is a network problem, not a key problem.
Case D: Connection refused
Meaning: Server is reachable but SSH isn't listening on that port
Check 1: sshd service running?
On Ubuntu, the service is usually named ssh:
$ sudo systemctl status ssh
Start it:
$ sudo systemctl start ssh
Enable auto-start:
$ sudo systemctl enable ssh
Check 2: Verify listening port
$ sudo ss -lntp | grep ssh
4. Server-Side Log Investigation (journalctl)
Server logs can definitively identify the issue:
$ sudo journalctl -u ssh -n 200
Follow logs in real-time:
$ sudo journalctl -u ssh -f
The reason for Permission denied (wrong key/wrong user) often appears in logs.
⚠️ Safety Notes
- Don't blindly accept unknown Host Keys (risk of man-in-the-middle attacks)
- Key permissions should be strict (private key must be
600or it may be rejected) - Server rebuilds often cause known_hosts mismatches
📋 Test Environment
Commands tested on Ubuntu 24.04 LTS / bash 5.2.