Why do I get 'Permission denied (publickey)' even though I copied my key with ssh-copy-id?

The most common cause after a successful ssh-copy-id is incorrect file permissions introduced by a subsequent chmod or chown on the home directory. Run 'chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys' on the server and verify ownership with 'ls -la ~/.ssh'. On SELinux systems, also run 'restorecon -Rv ~/.ssh'. Finally, check that sshd_config has 'PubkeyAuthentication yes' and that your user is not excluded by AllowUsers or DenyUsers directives.

SSH connection refused but the port appears open in nmap — what is happening?

This usually means sshd crashed or was killed between your nmap scan and your ssh attempt, or a load balancer or port-forwarding rule is forwarding port 22 to a host where sshd is not running. On the target host, run 'ss -tlnp | grep :22' to confirm the process holding the port, and 'systemctl status sshd' to check for a crash loop. Also check /var/log/auth.log for 'fatal' messages that caused sshd to exit.

My SSH connection hangs after authentication and never gives me a shell prompt — how do I fix this?

A hang after authentication usually means the remote shell initialization is blocking: a slow NFS mount in /etc/fstab, a .bashrc/.profile with a blocking command, or a broken X11 forwarding attempt. Connect with 'ssh -T user@host' to skip pseudo-terminal allocation, or 'ssh user@host /bin/bash --noprofile --norc' to bypass profile scripts. Check /var/log/auth.log for 'pam_unix' or 'pam_systemd' errors that indicate PAM is blocking session setup.

Why does SSH login take 20–30 seconds but eventually succeed?

A consistent delay before the password/key prompt almost always means sshd is doing a DNS reverse lookup on your client IP (UseDNS yes, the default on many distributions) or GSSAPI Kerberos negotiation is timing out. Fix the first by adding 'UseDNS no' to /etc/ssh/sshd_config and reloading sshd. Fix the second client-side with 'ssh -o GSSAPIAuthentication=no user@host' or permanently in ~/.ssh/config. Confirm by timing 'ssh -o GSSAPIAuthentication=no -o UseDNS=no -v user@host' and watching the debug timestamps.

How do I fix 'WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED' without compromising security?

Do not remove the old key until you verify the new fingerprint out-of-band. For cloud VMs, retrieve the current fingerprint from the cloud console or provider metadata API (e.g., 'aws ec2 get-console-output'). For bare metal, connect via IPMI/iLO console and run 'ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub'. Only after confirming the fingerprint matches should you run 'ssh-keygen -R hostname' to remove the stale entry from ~/.ssh/known_hosts. Blindly removing the entry exposes you to MITM attacks on hostile networks.

SSH Connection Refused: How to Diagnose and Fix Every Variant

Fix SSH connection refused, permission denied, segfault, and slow connections with step-by-step commands. Covers sshd, firewall, keys, and PAM issues.

Last updated: February 23, 2026

Last verified: February 23, 2026

2,054 words

Key Takeaways

'Connection refused' means the TCP handshake never completed — sshd is not listening, a firewall is dropping packets, or you are hitting the wrong host/port
'Permission denied (publickey)' means sshd is reachable but authentication failed — wrong key, wrong user, or bad file permissions on ~/.ssh/authorized_keys
'Connection timed out' usually points to a firewall silently dropping packets rather than an RST, use nc or nmap to confirm the port state
SSH slowness on connect is almost always DNS reverse-lookup (UseDNS yes) or GSSAPI negotiation — both are one-line sshd_config fixes
A segfault in ssh or sshd is nearly always a version/algorithm mismatch or a corrupted host key — check OpenSSH version and regenerate keys if needed

Fix Approaches Compared
Symptom	Root Cause	Fix Command	Time	Risk
Connection refused	sshd not running	systemctl start sshd	<1 min	Low
Connection refused	Wrong port	ssh -p 2222 user@host	<1 min	None
Connection refused	Firewall blocking 22	ufw allow 22/tcp or iptables -I INPUT -p tcp --dport 22 -j ACCEPT	2 min	Medium
Permission denied (publickey)	authorized_keys permissions	chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys	<1 min	Low
Permission denied (publickey)	Wrong key loaded	ssh -i ~/.ssh/id_ed25519 user@host	<1 min	None
Permission denied (publickey)	SELinux/AppArmor label	restorecon -Rv ~/.ssh	2 min	Low
Slow SSH login	UseDNS reverse lookup	Set UseDNS no in sshd_config	1 min	Low
Slow SSH login	GSSAPI negotiation	ssh -o GSSAPIAuthentication=no	<1 min	None
SSH segfault	Algorithm mismatch/old key	Remove stale host key, reconnect	2 min	Low
Host key changed warning	MITM or rebuilt host	ssh-keygen -R hostname	<1 min	Low

Understanding SSH Connection Errors

SSH errors fall into four distinct failure layers: network/transport (TCP never connects), authentication (sshd rejects your credentials), session (shell or subsystem fails post-auth), and performance (connects but slowly). Misdiagnosing the layer wastes hours. This guide works top-down.

Layer 1 — Transport: "Connection refused" and "Connection timed out"

Step 1: Confirm the exact error message

Run ssh with maximum verbosity to see exactly where the handshake fails:

ssh -vvv user@192.0.2.10

Key lines to look for:

connect to host 192.0.2.10 port 22: Connection refused — TCP RST received; sshd is not listening on this address/port.
connect to host 192.0.2.10 port 22: Connection timed out — Firewall is silently dropping packets; no RST arrived.
ssh: connect to host 192.0.2.10 port 22: No route to host — Routing or network-layer problem.

Step 2: Verify sshd is running

# On the remote host:
systemctl status sshd          # systemd systems (RHEL, Ubuntu 16+, Debian 8+)
service ssh status              # SysV / older Ubuntu naming
ps aux | grep sshd

If sshd is stopped, start it and check for config errors:

sshd -t                        # Test config without starting
systemctl start sshd
journalctl -u sshd -n 50       # Recent sshd log entries

Common startup failures:

Port already in use: sshd: Address already in use — Another process holds port 22. Find it: ss -tlnp | grep :22
Bad config syntax: sshd -t will report the offending line.
Missing host key: sshd: no hostkeys available — regenerate: ssh-keygen -A

Step 3: Check which address and port sshd is bound to

ss -tlnp | grep sshd
# Expected: LISTEN 0 128 0.0.0.0:22 ...

If sshd listens on a non-standard port (e.g., 2222), connect with ssh -p 2222. The port is set in /etc/ssh/sshd_config via the Port directive.

Step 4: Rule out firewall

# Test reachability without ssh from a third host or using nc:
nc -zv 192.0.2.10 22
# Open:    succeeded! -> sshd is up, problem is elsewhere
# refused: -> sshd not listening
# timeout: -> firewall dropping

# On the remote host — inspect active firewall rules:
iptables -L INPUT -n -v | grep 22
nft list ruleset | grep 22
ufw status verbose
firewall-cmd --list-all        # firewalld (RHEL/CentOS 7+)

To open port 22 immediately:

# UFW:
ufw allow ssh

# iptables (does not persist across reboots without iptables-persistent):
iptables -I INPUT -p tcp --dport 22 -j ACCEPT

# firewalld:
firewall-cmd --permanent --add-service=ssh
firewall-cmd --reload

Layer 2 — Authentication: "Permission denied (publickey)"

Once the TCP connection is established, sshd authenticates you. The most common error is:

debug1: Offering public key: /home/user/.ssh/id_ed25519
debug1: Authentications that can continue: publickey
permission denied (publickey).

Step 1: Check the correct key is being offered

ssh -vvv user@host 2>&1 | grep 'Offering\|Trying\|identity'

If your key is not listed, the ssh-agent may not have it loaded:

ssh-add -l                     # List loaded keys
ssh-add ~/.ssh/id_ed25519      # Add your key

Force a specific key:

ssh -i ~/.ssh/id_ed25519 user@host

Step 2: Verify authorized_keys on the server

cat ~/.ssh/authorized_keys     # Should contain your public key

Permission requirements — any deviation causes silent rejection:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
ls -la ~/.ssh/                 # owner must be the login user, not root

On SELinux-enforcing systems (RHEL, CentOS, Fedora), wrong file context causes the same symptom even with correct permissions:

ls -Z ~/.ssh/authorized_keys   # Check context
restorecon -Rv ~/.ssh          # Restore correct context

Step 3: Check sshd_config on the server

grep -E 'PubkeyAuthentication|AuthorizedKeysFile|PasswordAuthentication|PermitRootLogin|AllowUsers|DenyUsers' /etc/ssh/sshd_config

Key settings that block login:

PubkeyAuthentication no — must be yes
AuthorizedKeysFile pointing to a non-default path
AllowUsers or AllowGroups that excludes your user
PermitRootLogin no when logging in as root

After editing sshd_config, always reload safely (do not restart with an active session):

sshd -t && systemctl reload sshd

Step 4: Inspect /var/log/auth.log or journald

tail -f /var/log/auth.log                   # Debian/Ubuntu
journalctl -fu sshd                         # systemd
grep sshd /var/log/secure | tail -30        # RHEL/CentOS

Telltale log messages:

Authentication refused: bad ownership or modes for directory /home/user/.ssh — fix with chmod 700 ~/.ssh
User user from 1.2.3.4 not allowed because not listed in AllowUsers — update AllowUsers
fatal: Access denied for user root by PAM — PAM policy blocking login (check /etc/pam.d/sshd)

Layer 3 — Performance: Slow SSH Login

A 5–30 second pause before the password/key prompt is almost always one of two things:

DNS reverse lookup: sshd tries to resolve the client IP. Fix in /etc/ssh/sshd_config:

UseDNS no

GSSAPI negotiation: Kerberos probes time out on non-domain machines. Fix client-side (no server change needed):

ssh -o GSSAPIAuthentication=no user@host
# Make permanent in ~/.ssh/config:
Host *
    GSSAPIAuthentication no

Layer 4 — Crashes: "ssh segfault" / Process Aborted

A segfault in the ssh client or sshd daemon is uncommon but happens in three scenarios:

Algorithm incompatibility between old server and new client. OpenSSH 8.8+ disabled RSA/SHA-1. If the server only supports ssh-rsa, the handshake aborts:

# Temporary workaround (client side):
ssh -o PubkeyAcceptedAlgorithms=+ssh-rsa -o HostKeyAlgorithms=+ssh-rsa user@host

# Permanent fix: update openssh-server on the remote host to 8.x+

Corrupted server host key. Regenerate all host keys:

rm /etc/ssh/ssh_host_*
ssh-keygen -A
systemctl restart sshd

Stale known_hosts entry after server rebuild:

# Client side:
ssh-keygen -R hostname
ssh-keygen -R 192.0.2.10

Host Key Changed Warning

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Do not blindly remove the key if you are on a production host — this warning can indicate a man-in-the-middle attack. Verify the new fingerprint out-of-band (console, cloud dashboard, vendor key fingerprint API) before removing:

# Only after verifying legitimacy:
ssh-keygen -R hostname

Quick Reference Checklist

ssh -vvv — identify failure layer
systemctl status sshd — is sshd running?
ss -tlnp | grep sshd — what address/port?
nc -zv host 22 — firewall or sshd?
chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
grep -E 'AllowUsers|PubkeyAuth' /etc/ssh/sshd_config
journalctl -u sshd -n 50 — auth log for server-side denial
UseDNS no in sshd_config — fix slow login
ssh-keygen -A — regenerate missing/corrupt host keys
sshd -t && systemctl reload sshd — safe config reload

Frequently Asked Questions

bash

#!/usr/bin/env bash
# ssh-diagnose.sh — Run on the CLIENT to diagnose SSH connection issues
# Usage: bash ssh-diagnose.sh user@host [port]

TARGET="${1:-}"
PORT="${2:-22}"

if [[ -z "$TARGET" ]]; then
  echo "Usage: $0 user@host [port]"
  exit 1
fi

HOST="${TARGET##*@}"

echo "=== 1. TCP reachability (nc) ==="
nc -zv -w 5 "$HOST" "$PORT" 2>&1 && echo "[OK] Port $PORT open" || echo "[FAIL] Port $PORT closed or filtered"

echo ""
echo "=== 2. SSH verbose connect (first 40 lines) ==="
ssh -vvv -p "$PORT" -o ConnectTimeout=10 -o BatchMode=yes "$TARGET" exit 2>&1 | head -40

echo ""
echo "=== 3. Loaded SSH keys ==="
ssh-add -l 2>/dev/null || echo "[WARN] ssh-agent not running or no keys loaded"

echo ""
echo "=== 4. Known hosts entry for $HOST ==="
ssh-keygen -F "$HOST" 2>/dev/null || echo "[INFO] No known_hosts entry for $HOST"

echo ""
echo "=== 5. Client SSH config for $HOST ==="
ssh -G -p "$PORT" "$TARGET" 2>/dev/null | grep -E 'hostname|port|user|identityfile|gssapi|pubkeyauthentication'

echo ""
echo "=== REMOTE: Run these on the server ==="
cat <<'REMOTE'
# Check sshd status:
systemctl status sshd

# Check listening address and port:
ss -tlnp | grep sshd

# Check firewall:
ufw status verbose || firewall-cmd --list-all || iptables -L INPUT -n -v | grep 22

# Check authorized_keys permissions:
ls -la ~/.ssh/authorized_keys

# Check sshd_config for auth restrictions:
grep -E 'PubkeyAuth|PasswordAuth|AllowUsers|DenyUsers|PermitRoot|AuthorizedKeysFile' /etc/ssh/sshd_config

# Tail the auth log:
journalctl -u sshd -n 30 --no-pager
# or: tail -30 /var/log/auth.log

# Test sshd config syntax:
sshd -t && echo "Config OK"
REMOTE

Error Medic Editorial

Error Medic Editorial is a team of senior DevOps and SRE engineers with combined experience across Linux, cloud infrastructure, and distributed systems. Articles are peer-reviewed against current documentation and tested on live systems before publication.

Sources

Explore More Linux Sysadmin Guides

Apache Crash & Not Working: Complete Troubleshooting Guide (Connection Refused, OOM, Core Dump)

Fix Apache crashes, connection refused errors, and OOM kills in minutes. Step-by-step diagnostic commands, MPM tuning, and core dump analysis included.

AWS Redis Connection Refused: Troubleshooting ECONNREFUSED and tcp 127.0.0.1:6379

Fix 'Redis connection refused' errors in AWS, Kubernetes, Laravel, and WSL. Learn how to diagnose binding issues, security groups, and network configurations.

Comprehensive Guide to Fixing Nginx 502 Bad Gateway, 504 Timeouts, and Core Crashes

Diagnose and resolve Nginx 502 Bad Gateway, 504 Timeouts, connection refused errors, out-of-memory crashes, and permission denied issues with this SRE guide.