Computer Laboratory

Troubleshooting SSH connections

This page gives some advice about troubleshooting SSH connections. But first,

Do you understand enough about how SSH works?

First, make sure you understand everything explained in Overview of SSH. If you don't then you are going to find it very difficult to fix problems.

SSH connections to the Lab machines are failing from machines outside the Lab

Whatever operating system you are using on the machine you are connecting from you must check the following on your Lab unix account (i.e. the machine you are connecting to.)

Is your home directory or your .ssh/ directory group or world-writable?

It shouldn't be. Type

$ ls -ld ~ ~/.ssh
drwx------ 218 ig206 ig206 77824 2006-10-06 13:17 /home/ig206
drwx------   2 ig206 ig206  4096 2006-09-29 13:34 /home/ig206/.ssh

You should see something like the above output. Note the absence of w in the 6th and 9th columns of the mode string at the start of each line. This indicates that 'group' and 'others' do not have write access the directories.

If you have the group or other write bits set then clear them with the command

$ chmod go-w ~ ~/.ssh

Are you connecting using IPv6?

You can test this on the machine you are connecting from by connecting with the option 4

$ ssh -4 [Javascript required]

If that works but the connection fails without the -4 option then you need to modify your authorized_keys file to permit access from the appropriate IPv6 subnet. Suitable examples are

from="*:*"Maches any IPv6 address
from="2001:0630:0210::/44"Matches any IPv6 within the Computer Laboratory
from="2001:0630:0212:0200::/56"Matches any IPv6 within the Computer Laboratory
from="2001:0630:0212:02ab::/64"Matches any IPv6 from the Internal-CL wireless network

The IPv6 pattern can be combined with IPv4 patterns and name patterns in a single from clause such as


Have you set up the ~/.ssh/authorized_keys file correctly?

Note that the spelling is the American form authorized_keys with a z.

Make sure the file is not group or world writable:

$ ls -l ~/.ssh/authorized_keys
-rw------- 1 ig206 ig206 6924 2006-08-11 15:33 /home/ig206/.ssh/authorized_keys

If you have the group or other write bits set then clear them with the command

$ chmod go-w ~ ~/.ssh/authorized_keys

Have you set up the public key line(s) in the ~/.ssh/authorized_keys file correctly?

The from option on each line should be a comma-separated list of fully qualified domain names in double quotes. The names are the names of hosts which can log in using that key. The names can include the * character as a wildcard.

The OpenSSH public key is a single string of ASCII letters and numbers (with no linefeeds or carriage-returns) followed by a key identifier, perhaps of the form login@host but it is not important exactly what this is.)

To check, type this

grep '^from' ~/.ssh/authorized_keys

This should produce one or more lines, each looking something like this:

from="*" ssh-rsa KKKKKKKK XXXXX

Here KKKKKKKK is the public key string and XXXXX is the key identifier.

Is the public key in the ~/.ssh/authorized_keys file in the correct format?

The public key listed in ~/.ssh/authorized_keys must be in the OpenSSH format. If the key is an SSH2 key then it will look like this

Comment: "test key [2048-bit dsa]"

This is wrong. You need convert such a key using the command

ssh-keygen -i -f public-key-file

Where public-key-file is the name of the file containing the SSH2 format public key. This will output the OpenSSH format key on stdout. You can pipe the key directly into your authorized_keys file using some commands like this

echo -n 'from="*"' >> ~/.ssh/authorized_keys
echo $(ssh-keygen -i -f public-key-file) >> ~/.ssh/authorized_keys

Where * and public-key-file are your host address(es) and public key file-name.