Troubleshoot SSH connections to an Azure Linux VM that fails, errors out, or is refused
Applies to: ✔️ Linux VMs
This article helps you find and correct the problems that occur due to Secure Shell (SSH) errors, SSH connection failures, or SSH is refused when you try to connect to a Linux virtual machine (VM). You can use the Azure portal, Azure CLI, or VM Access Extension for Linux to troubleshoot and resolve connection problems.
Note
Was this article helpful? Your input is important to us. Please use the Feedback button on this page to let us know how well this article worked for you or how we can improve it.
Quick troubleshooting steps
After each troubleshooting step, try reconnecting to the VM.
- Reset the SSH configuration.
- Reset the credentials for the user.
- Verify the network security group rules permit SSH traffic and role assignment.
- Ensure that a Network Security Group rule exists to permit SSH traffic (by default, TCP port 22).
- You cannot use port redirection / mapping without using an Azure load balancer.
- If you are using Microsoft Entra ID to manage SSH logins, the user must be assigned the Virtual Machine Administrator Login or Virtual Machine User Login role on the resource group that contains the VM and its associated resources. Otherwise, the "Permission denied (publickey)" error will be received. For more information, see Configure role assignments for the VM that uses Microsoft Entra login.
- Check the VM resource health.
- Ensure that the VM reports as being healthy.
- If you have boot diagnostics enabled, verify the VM is not reporting boot errors in the logs.
- Restart the VM.
- Redeploy the VM.
Continue reading for more detailed troubleshooting steps and explanations.
Available methods to troubleshoot SSH connection issues
You can reset credentials, SSH configuration, or troubleshoot the status of the SSH service by using one of the following methods:
- Azure portal - great if you need to quickly reset the SSH configuration or SSH key and you don't have the Azure tools installed.
- Azure VM Serial Console - the VM serial console will work regardless of the SSH configuration, and will provide you with an interactive console to your VM. In fact, "can't SSH" situations are specifically what the serial console was designed to help solve. More details below.
- Use Run Command through Azure portal - You can run basic commands by using the Run Command functionality through the Azure portal. The output will be returned to the portal.
- Azure CLI - if you are already on the command line, quickly reset the SSH configuration or credentials.
- Azure VMAccessForLinux extension - create and reuse json definition files to reset the SSH configuration or user credentials.
After each troubleshooting step, try connecting to your VM again. If you still cannot connect, try the next step.
Use the Azure portal
The Azure portal provides a quick way to reset the SSH configuration or user credentials without installing any tools on your local computer.
To begin, select your VM in the Azure portal. Scroll down to the Help section and select Reset password as in the following example:
Reset the SSH configuration
To reset the SSH configuration, select Reset configuration only
in the Mode section as in the preceding screenshot, then select Update. Once this action has completed, try to access your VM again.
Reset SSH credentials for a user
To reset the credentials of an existing user, select either Reset SSH public key
or Reset password
in the Mode section as in the preceding screenshot. Specify the username and an SSH key or new password, then select Update.
You can also create a user with sudo privileges on the VM from this menu. Enter a new username and associated password or SSH key, and then select Update.
Check security rules
Use IP flow verify to confirm if a rule in a network security group is blocking traffic to or from a virtual machine. You can also review effective security group rules to ensure inbound "Allow" NSG rule exists and is prioritized for SSH port (default 22). For more information, see Using effective security rules to troubleshoot VM traffic flow.
Check routing
Use Network Watcher's Next hop capability to confirm that a route isn't preventing traffic from being routed to or from a virtual machine. You can also review effective routes to see all effective routes for a network interface. For more information, see Using effective routes to troubleshoot VM traffic flow.
Use the Azure VM Serial Console
The Azure VM Serial Console provides access to a text-based console for Linux virtual machines. You can use the console to troubleshoot your SSH connection in an interactive shell. Ensure you have met the prerequisites for using Serial Console and try the commands below to further troubleshoot your SSH connectivity.
Check that SSH service is running
To check the service status, use the following command, which is available in most current Linux distributions:
sudo systemctl status sshd.service
See the following output example. Check the service status from the Active
line in the output. The output also shows the port and IP addresses being listened to.
user@hostname:~$ sudo systemctl status sshd.service
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2022-06-23 17:44:36 UTC; 1 day 3h ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 829 (sshd)
Tasks: 1 (limit: 9535)
Memory: 5.1M
CGroup: /system.slice/ssh.service
└─829 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
Jun 23 17:44:35 ubu2004 systemd[1]: Starting OpenBSD Secure Shell server...
Jun 23 17:44:36 ubu2004 sshd[829]: Server listening on 0.0.0.0 port 22.
Jun 23 17:44:36 ubu2004 sshd[829]: Server listening on :: port 22.
Jun 23 17:44:36 ubu2004 systemd[1]: Started OpenBSD Secure Shell server.
If this command isn't available or returns unexpected results, use other available commands. You can use the ss
command either as root or via the sudo
command to verify whether the SSH service is running on your VM.
The following example shows how to run the ss
command through sudo
:
sudo ss --listen --tcp --process --numeric | grep sshd
Note
We recommend the ss
command because the netstat
command is deprecated and not always available in modern distributions.
If there is any output, SSH is up and running. See the following output example:
$ sudo ss -ltpn | grep sshd
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=829,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=829,fd=4))
-ltpn
is the shortened form of the --listen --tcp --process –numeric
arguments. The output shows that the SSHD process 829 is listening on both IPv4 and IPv6 addresses.
Check which port SSH is running on
The command output above shows that the SSHD process is listening on port 22. When the SSHD process is configured to run on another port, the port will be displayed in the output. To check if the change was made in the standard configuration file, examine the default configuration file, /etc/ssh/sshd_config by using one of the following commands:
grep -i port /etc/ssh/sshd_config
or
grep -i listen /etc/ssh/sshd_config
The output will look like the following:
Port 22
Any line that begins with #
in the output is a comment and can be safely ignored. If nothing is returned, or the lines are comments, the default configuration is used. The default configuration is to listen to all IP addresses on the system, on port 22.
Use Run Command through Azure portal
If you are not able to run commands through the Serial Console, for example when only SSH keys are used for authentication, the Run Command feature can be used to issue commands and view the output. All commands that were previously run from the Serial Console can be run non-interactively in the Run Command section in the Azure portal. The output will be returned to the Azure portal. There is no need to use sudo
to run commands in the Run Command context.
Use the Azure CLI
If you haven't already, install the latest Azure CLI and sign in to an Azure account using az login.
If you created and uploaded a custom Linux disk image, make sure the Microsoft Azure Linux Agent version 2.0.5 or later is installed. For VMs created using Gallery images, this access extension is already installed and configured for you.
Reset SSH configuration
You can initially try resetting the SSH configuration to default values and rebooting the SSH server on the VM. This does not change the user account name, password, or SSH keys.
The following example uses az vm user reset-ssh to reset the SSH configuration on the VM named myVM
in myResourceGroup
. Use your own values as follows:
az vm user reset-ssh --resource-group myResourceGroup --name myVM
Reset SSH credentials for a user
The following example uses az vm user update to reset the credentials for myUsername
to the value specified in myPassword
, on the VM named myVM
in myResourceGroup
. Use your own values as follows:
az vm user update --resource-group myResourceGroup --name myVM \
--username myUsername --password myPassword
If using SSH key authentication, you can reset the SSH key for a given user. The following example uses az vm access set-linux-user to update the SSH key stored in ~/.ssh/id_rsa.pub
for the user named myUsername
, on the VM named myVM
in myResourceGroup
. Use your own values as follows:
az vm user update --resource-group myResourceGroup --name myVM \
--username myUsername --ssh-key-value ~/.ssh/id_rsa.pub
Use the VMAccess extension
The VM Access Extension for Linux reads in a json file that defines actions to carry out. These actions include resetting SSHD, resetting an SSH key, or adding a user. You still use the Azure CLI to call the VMAccess extension, but you can reuse the json files across multiple VMs if desired. This approach allows you to create a repository of json files that can then be called for given scenarios.
Reset SSHD
Create a file named settings.json
with the following content:
{
"reset_ssh":True
}
Using the Azure CLI, you then call the VMAccessForLinux
extension to reset your SSHD connection by specifying your json file. The following example uses az vm extension set to reset SSHD on the VM named myVM
in myResourceGroup
. Use your own values as follows:
az vm extension set --resource-group philmea --vm-name Ubuntu \
--name VMAccessForLinux --publisher Microsoft.OSTCExtensions --version 1.2 --settings settings.json
Reset SSH credentials for a user
If SSHD appears to function correctly, you can reset the credentials for a giver user. To reset the password for a user, create a file named settings.json
. The following example resets the credentials for myUsername
to the value specified in myPassword
. Enter the following lines into your settings.json
file, using your own values:
{
"username":"myUsername", "password":"myPassword"
}
Or to reset the SSH key for a user, first create a file named settings.json
. The following example resets the credentials for myUsername
to the value specified in myPassword
, on the VM named myVM
in myResourceGroup
. Enter the following lines into your settings.json
file, using your own values:
{
"username":"myUsername", "ssh_key":"mySSHKey"
}
After creating your json file, use the Azure CLI to call the VMAccessForLinux
extension to reset your SSH user credentials by specifying your json file. The following example resets credentials on the VM named myVM
in myResourceGroup
. Use your own values as follows:
az vm extension set --resource-group philmea --vm-name Ubuntu \
--name VMAccessForLinux --publisher Microsoft.OSTCExtensions --version 1.2 --settings settings.json
Reset SSH configuration
The SSHD configuration itself may be misconfigured or the service encountered an error. You can reset SSHD to make sure the SSH configuration itself is valid. Resetting SSHD should be the first troubleshooting step you take.
The following example resets SSHD on a VM named myVM
in the resource group named myResourceGroup
. Use your own VM and resource group names as follows:
azure vm reset-access --resource-group myResourceGroup --name myVM \
--reset-ssh
Reset SSH credentials for a user
If SSHD appears to function correctly, you can reset the password for a giver user. The following example resets the credentials for myUsername
to the value specified in myPassword
, on the VM named myVM
in myResourceGroup
. Use your own values as follows:
azure vm reset-access --resource-group myResourceGroup --name myVM \
--user-name myUsername --password myPassword
If using SSH key authentication, you can reset the SSH key for a given user. The following example updates the SSH key stored in ~/.ssh/id_rsa.pub
for the user named myUsername
, on the VM named myVM
in myResourceGroup
. Use your own values as follows:
azure vm reset-access --resource-group myResourceGroup --name myVM \
--user-name myUsername --ssh-key-file ~/.ssh/id_rsa.pub
Restart a VM
If you have reset the SSH configuration and user credentials, or encountered an error in doing so, you can try restarting the VM to address underlying compute issues.
Azure portal
To restart a VM using the Azure portal, select your VM and then select Restart as in the following example:
Azure CLI
The following example uses az vm restart to restart the VM named myVM
in the resource group named myResourceGroup
. Use your own values as follows:
az vm restart --resource-group myResourceGroup --name myVM
Redeploy a VM
You can redeploy a VM to another node within Azure, which may correct any underlying networking issues. For information about redeploying a VM, see Redeploy virtual machine to new Azure node.
Note
After this operation finishes, ephemeral disk data is lost and dynamic IP addresses that are associated with the virtual machine are updated.
Azure portal
To redeploy a VM using the Azure portal, select your VM and scroll down to the Help section. Select Redeploy as in the following example:
Azure CLI
The following example use az vm redeploy to redeploy the VM named myVM
in the resource group named myResourceGroup
. Use your own values as follows:
az vm redeploy --resource-group myResourceGroup --name myVM
Additional resources
- If you are still unable to SSH to your VM after following the after steps, see more detailed troubleshooting steps to review additional steps to resolve your issue.
- For more information about troubleshooting application access, see Troubleshoot access to an application running on an Azure virtual machine
- For more information about troubleshooting virtual machines that were created by using the classic deployment model, see How to reset a password or SSH for Linux-based virtual machines.
Contact us for help
If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to Azure feedback community.