Ubuntu - SSH - Troubleshooting SSH

First, check that the SSH daemon is running:

sudo ps -A | grep sshd

This command should produce a line(s) like this:

<some number> ?   00:00:00   sshd

If there is no line, your SSH daemon is not running. If it is, you should next check that it's listening for incoming connections:

sudo netstat --inet -lpn | grep sshd

This command should produce a line that looks like this:

tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN <same number>/sshd

If there is more than one line, then your SSH daemon is listening on more than one port - you might want to go back and delete some Port lines in your sshd_config file.

If there are no lines, your SSH daemon isn't listening on any ports, so you need to add at least one Port line. If the line specifies something other than “0.0.0.0:22”, then your SSH daemon is listening on a non-standard port or address, which you might want to fix.

Next, try logging in from your own computer:

sudo ssh -v localhost

…which should show something like:

OpenSSH_6.2p2 Ubuntu-6ubuntu0.1, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: connect to address 127.0.0.1 port 22: Connection refused
ssh: connect to host localhost port 22: Connection refused

Notice that the connection was refused. This is due to the earlier config that limited access only from 192.168.0.11. In this case, that allowed IP address was not used, and an attempt was made to login using localhost instead.

Lets retry logging in using an allowed IP address:

sudo ssh -v 192.168.0.11

…which should show something like:

OpenSSH_6.2p2 Ubuntu-6ubuntu0.1, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.0.11 [192.168.0.11] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: SELinux support disabled
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2p2 Ubuntu-6ubuntu0.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2p2 Ubuntu-6ubuntu0.1
debug1: match: OpenSSH_6.2p2 Ubuntu-6ubuntu0.1 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA b7:60:9d:55:7e:43:6a:33:f8:b1:57:54:93:4a:b7:b3
The authenticity of host '192.168.0.11 (192.168.0.11)' can't be established.
ECDSA key fingerprint is b7:60:9d:55:7e:43:6a:33:f8:b1:57:54:93:4a:b7:b3.
Are you sure you want to continue connecting (yes/no)?

This will print a lot of debugging information, and will then prompt whether you want to connect.

Enter yes.

…which should show some additional lines:

Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.11' (ECDSA) to the list of known hosts.
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
Write failed: Broken pipe

The Write failed: Broken pipe message is caused by a timeout issue. You may recall that the login time was limited in the earlier config.

NOTE: This has however added our WAN IP address into the list of known hosts.

Simply rerun by issuing the following command again.

sudo ssh -v 192.168.0.11

…which should show something like:

debug1: Server host key: ECDSA b7:60:9d:55:7e:43:6a:33:f8:b1:57:54:93:4a:b7:b3
debug1: Host '192.168.1.11' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Next authentication method: password
root@192.168.1.11's password:

Remember that the password will only be accepted if the corresponding user is allowed access in by SSH.

In this case this would not work, as root was not an allowed user.

Try logging in from a valid user's account. For instance to login using john as the username use:

sudo ssh -v 192.168.0.11 -l john

…which should show something like:

...
john@192.168.1.11's password:
debug1: Authentication succeeded (password).
Authenticated to 192.168.1.11 ([192.168.1.11]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LC_PAPER = en_GB.UTF-8
debug1: Sending env LC_ADDRESS = en_GB.UTF-8
debug1: Sending env LC_MONETARY = en_GB.UTF-8
debug1: Sending env LC_NUMERIC = en_GB.UTF-8
debug1: Sending env LC_TELEPHONE = en_GB.UTF-8
debug1: Sending env LC_IDENTIFICATION = en_GB.UTF-8
debug1: Sending env LANG = en_GB.UTF-8
debug1: Sending env LC_MEASUREMENT = en_GB.UTF-8
debug1: Sending env LC_TIME = en_GB.UTF-8
debug1: Sending env LC_NAME = en_GB.UTF-8
Welcome to Ubuntu 13.10 (GNU/Linux 3.11.0-18-generic x86_64)
 
 * Documentation:  https://help.ubuntu.com/
 
  System information as of Mon Mar 24 21:38:35 GMT 2014
 
  System load:    0.08            Processes:           117
  Usage of /home: 0.4% of 452MB   Users logged in:     0
  Memory usage:   3%              IP address for eth0: 192.168.1.11
  Swap usage:     0%              IP address for eth1: 192.168.2.1
 
  Graph this data and manage this system at:
    https://landscape.canonical.com/
 
Last login: Mon Mar 24 21:38:41 2014 from 192.168.1.184

If nothing happens, you might need to tell your computer's firewall to allow connections on port 22 (See the FireWall Security section). Once logged in, to leave the SSH command-line, type:

exit