SSH troubleshooting is an essential skill for system administrators and developers. When SSH connection issues arise, systematic diagnosis and resolution of various connection, authentication, and configuration problems are required.
Common Connection Issues
1. Connection Timeout
Symptoms:
ssh: connect to host hostname port 22: Connection timed out
Troubleshooting Steps:
# Check network connectivity ping hostname # Check if port is open telnet hostname 22 nc -zv hostname 22 # Check firewall sudo iptables -L -n | grep 22 sudo ufw status # Check SSH service status sudo systemctl status sshd sudo netstat -tlnp | grep :22
Solutions:
- Check server firewall rules
- Confirm SSH service is running
- Check network routing and connectivity
- Verify port is being listened on correctly
2. Connection Refused
Symptoms:
ssh: connect to host hostname port 22: Connection refused
Troubleshooting Steps:
# Check SSH service status sudo systemctl status sshd # Check SSH configuration sudo sshd -t # Check listening port sudo netstat -tlnp | grep sshd # View error logs sudo tail -f /var/log/auth.log
Solutions:
- Start SSH service:
sudo systemctl start sshd - Fix configuration errors:
sudo sshd -t - Check if port configuration is correct
- View system logs for detailed error information
Authentication Issues
1. Password Authentication Failure
Symptoms:
user@hostname's password: Permission denied, please try again.
Troubleshooting Steps:
# Check user account id username grep username /etc/passwd # Check if password authentication is enabled sudo grep "PasswordAuthentication" /etc/ssh/sshd_config # Check account status sudo passwd -S username # View authentication logs sudo tail -f /var/log/auth.log | grep "Failed password"
Solutions:
- Confirm password is correct
- Check if account is locked
- Verify password authentication is enabled
- Reset user password
2. Public Key Authentication Failure
Symptoms:
Permission denied (publickey).
Troubleshooting Steps:
# Client side check ls -la ~/.ssh/ ssh-add -l # Server side check ls -la ~/.ssh/authorized_keys cat ~/.ssh/authorized_keys # Check permissions stat ~/.ssh stat ~/.ssh/authorized_keys # Verbose debugging ssh -vvv user@hostname
Solutions:
# Fix file permissions chmod 700 ~/.ssh chmod 600 ~/.ssh/authorized_keys chmod 600 ~/.ssh/id_rsa chmod 644 ~/.ssh/id_rsa.pub # Check SELinux getenforce restorecon -R -v ~/.ssh # Add key to server ssh-copy-id user@hostname
Configuration Issues
1. Host Key Verification Failure
Symptoms:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Solutions:
# Remove old host key ssh-keygen -R hostname # Or manually remove sed -i '/hostname/d' ~/.ssh/known_hosts # Reconnect ssh user@hostname
2. Configuration File Errors
Symptoms:
Bad configuration option
Troubleshooting Steps:
# Test configuration file ssh -F ~/.ssh/config user@hostname # Test server configuration sudo sshd -t # View detailed errors sudo sshd -T
Solutions:
- Fix configuration file syntax errors
- Check if configuration options are correct
- Reference official documentation to verify configuration
Performance Issues
1. Slow Connection Establishment
Troubleshooting Steps:
# Verbose debugging ssh -vvv user@hostname # Check DNS resolution time nslookup hostname dig hostname # Check GSSAPI authentication ssh -o GSSAPIAuthentication=no user@hostname
Solutions:
# ~/.ssh/config Host * GSSAPIAuthentication no UseDNS no AddressFamily inet
2. Slow Data Transfer
Troubleshooting Steps:
# Test network speed iperf3 -c hostname # Check encryption algorithms ssh -Q cipher # Test different algorithms ssh -c aes256-ctr user@hostname
Solutions:
# Enable compression ssh -C user@hostname # Use faster encryption algorithms ssh -c chacha20-poly1305@openssh.com user@hostname # Adjust MTU ssh -o IPQoS=lowdelay user@hostname
Log Analysis
Key Log Locations
# System authentication logs /var/log/auth.log # Debian/Ubuntu /var/log/secure # CentOS/RHEL # SSH daemon logs journalctl -u sshd # Verbose connection logs sudo tail -f /var/log/auth.log | grep sshd
Common Log Patterns
# Successful logins grep "Accepted" /var/log/auth.log # Failed logins grep "Failed" /var/log/auth.log # Invalid users grep "Invalid user" /var/log/auth.log # Disconnections grep "Disconnected" /var/log/auth.log
Advanced Debugging Techniques
1. Using strace
# Trace SSH client strace -e trace=network ssh user@hostname # Trace SSH daemon sudo strace -p $(pidof sshd)
2. Using tcpdump
# Capture SSH traffic sudo tcpdump -i eth0 -w ssh.pcap port 22 # Analyze traffic sudo tcpdump -r ssh.pcap -A | grep "SSH"
3. Using wireshark
# Capture and analyze sudo tshark -i eth0 -f "port 22" -Y "ssh"
Preventive Measures
1. Regular Testing
# Test configuration sudo sshd -t # Test connection ssh -o ConnectTimeout=5 user@hostname "echo OK"
2. Monitoring Scripts
#!/bin/bash # SSH health check script HOST="hostname" USER="username" if ssh -o ConnectTimeout=10 -o BatchMode=yes $USER@$HOST "echo OK" > /dev/null 2>&1; then echo "SSH connection OK" else echo "SSH connection FAILED" # Send alert fi
3. Configuration Backup
# Regularly backup configuration sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup.$(date +%Y%m%d) # Backup keys tar -czf ssh_backup_$(date +%Y%m%d).tar.gz ~/.ssh/
SSH troubleshooting requires a systematic approach and patience. By systematically eliminating the root cause of problems, most SSH connection issues can be effectively resolved.