[SOLVED] Can't SSH into and ssh-copy to the proxmox server from Ubuntu 20.04

Jul 22, 2021
I am not able to ssh into the proxmox server
I have tried copying the RSA pub_key to the remote server using this command.
Code:
ssh-copy-id -i ~/.ssh/id_ed25519.pub root@192.xxx.xx.2

It says timed out.

The UFW is disabled on the destination proxmox server.
The firewalls are empty in the Proxmox Web Console (attached a pic).

Thank you.

Screenshot from 2021-08-04 17-54-08.png
 

oguz

Proxmox Staff Member
Nov 19, 2018
hi,

the UFW is disabled on the destination proxmox server.
why is there ufw installed? it's not needed, you can configure PVE firewall -- ufw will add another layer of confusion unless you know what you're doing

I am not able to ssh into the proxmox server
I have tried copying the RSA pub_key to the remote server using this command.
is ssh service running? and port 22 is open?

on the GUI go to the node shell and check if it's listening:

Code:
ss -antlp | grep ssh
you should see something like
Code:
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=949,fd=3))
LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=949,fd=4))

check if port 22 is accessible from your other machine:
Code:
nc your.proxmox.ip.here 22 -vn
should return open.

and what do you get if you run ssh from another machine:
Code:
ssh -vv root@your.proxmox.ip.here

please post the output here.
 
Jul 22, 2021
Code:
ss -antlp | grep ssh
LISTEN    0         128                0.0.0.0:22               0.0.0.0:*        users:(("sshd",pid=1478,fd=3))                                                 
LISTEN    0         128                   [::]:22                  [::]:*        users:(("sshd",pid=1478,fd=4))

Code:
nc 192.xxx.xx.2 -vn
Output: Got nothing(It keeps on listening)

Code:
ssh -vv root@192.xxx.xx.2
OpenSSH_8.2p1 Ubuntu-4ubuntu0.2, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname 192.xxx.xx.2 is address
debug2: ssh_connect_direct
debug1: Connecting to 192.168.10.2 [192.xxx.xx.2] port 22.
(After this it is not printing anything keeps on listening)
 

Dunuin

Famous Member
Jun 30, 2020
Germany
Is root allowed to login? Per default root shouldn't be allowed to login using SSH (at least not without an RSA key). Look at the /etc/ssh/sshd_config and search for Rootloginallowed.
 
Jul 22, 2021
Yeah, I think the root is allowed to log in.
Code:
cat /etc/ssh/sshd_config
PermitRootLogin yes
 

oguz

Proxmox Staff Member
Nov 19, 2018
Output: Got nothing(It keeps on listening)
interesting, it seems the port isn't reachable at all but the service is running. that could probably be a firewall problem -- please check pve-firewall status

The firewalls are empty in the Proxmox Web Console(attached a pic)
can you check both the "Node" firewall and the "Datacenter" firewall levels?

also make sure "ufw" isn't running or enabled since that will create issues, ufw status should show you inactive, run ufw disable to make sure
 
Jul 22, 2021
  1. pve-firewall status gives
    Code:
    Status: disabled/running
  2. ufw status :
    Code:
    Status: inactive
  3. I have checked with both Datacenter and Node level firewalls. No security Group is added.
 

oguz

Proxmox Staff Member
Nov 19, 2018
can you ssh on localhost? if you're on your PVE machine and run ssh root@localhost does it log you in?

if not, then we have bigger issues
 

oguz

Proxmox Staff Member
Nov 19, 2018
just to be clear, are you connecting from a VM? or is this a regular machine running ubuntu, in the same network?

* can you ping the server IP from another machine?

* traceroute your.pve.ip.here

* iptables-save

please post the outputs
 
Jul 22, 2021
I am trying to SSH from Ubuntu 20.04(laptop) to Proxmox PVE Node shell(Not a VM).

Here are the Outputs(all three commands ran on regular ubuntu 20.04 machine) :
Code:
$ ping 202.xx.xxx.0
PING 202.xx.xxx.0 (202.xx.xxx.0) 56(84) bytes of data.
64 bytes from 202.xx.xxx.0: icmp_seq=1 ttl=238 time=32.5 ms
64 bytes from 202.xx.xxx.0: icmp_seq=2 ttl=238 time=31.6 ms
64 bytes from 202.xx.xxx.0: icmp_seq=3 ttl=238 time=33.2 ms
--- 202.xx.xxx.0 ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 7012ms
rtt min/avg/max/mdev = 30.727/31.939/33.212/0.761 ms

---------------------------------------------------------------------------------------------------------------------------

$ traceroute 202.xx.xxx.0
 1  reliance.reliance (192.xxx.xx.1)  1.225 ms  1.116 ms  1.478 ms
 2  10.1.112.1 (10.1.112.1)  3.533 ms  3.494 ms  3.863 ms
:
:
:
:
29  * * *
30  * * *

------------------------------------------------------------------------------------------------------------------------------

$ iptables-save
# Generated by iptables-save v1.8.4 on Thu Aug 12 18:16:26 2021
*filter
:INPUT ACCEPT [273125:94671855]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [305380:52800752]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Thu Aug 12 18:16:26 2021
# Generated by iptables-save v1.8.4 on Thu Aug 12 18:16:26 2021
*nat
:PREROUTING ACCEPT [1298:157707]
:INPUT ACCEPT [534:32268]
:OUTPUT ACCEPT [34946:2677776]
:POSTROUTING ACCEPT [34946:2677776]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Thu Aug 12 18:16:26 2021
 
Hang on a minute here. Am I daft or does it appear that your PVE node is over a WAN connection?

Earlier your posts indicate that it is a LAN (192.168.10.2) host but later in your last post, it appears that you are tracerouting and pinging 202.x.x.x which is a public IP. So which is it? If it's a public IP behind a NAT, ensure that it is being forwarded a port to SSH from, or if it's a dedicated public IP, ensure that there are no router ACLs in front of it. But, if your node is local, then can you redo those last two commands locally please? Gets confusing when your output is not consistent.

Thanks,

Tmanok
 
Jul 22, 2021
192.168.10.2 -> Internal IP
202.x.x.x -> External IP (public)
I have tried SSHing using both IPs. Nothing worked. I have also tried all the above-mentioned commands with both commands. Neither of them worked.
 
Ok thank you for clarifying, but for the sake of consistency, it's best to try these commands on the same network.

  • On your client, are you able to SSH to other LAN hosts? (say a VM or another laptop for example).
  • If you are unable to SSH into other machines or VMs, consider using a different client.
  • If you are able to SSH into other hosts on the network but cannot SSH into your PVE node, consider disconnecting the network to your node and patching a cable directly into your laptop. If anything (including the switch) is between you and your server, there is a chance that it may be interfering with the connection.
  • If after patching directly into the server, there is no connection to SSH, reinstall PVE. Honestly at that point something has been done to the software, there has never been a stable release of Proxmox or Debian that I've ever seen that did not accept SSH connections properly without a network issue being the cause.
Standard tests that I would perform:
  • Ping the device
  • Verify client and server firewalls or temporarily disable them
  • Verify that the network configuration on both devices is correct and the same (same gateway, same DNS, same subnet mask)
  • Restarting the SSHD service
    Code:
    systemctl restart sshd
  • Making sure that the ssh service is not reporting errors in its status log
    Code:
    systemctl status sshd
  • Making sure that /etc/ssh/sshd_config is set to allow root login if you're trying to ssh with root
    Code:
    PermitRootLogin yes
    Code:
    PermitRootLogin prohibit-password
  • Verifying that you can reach the port, perhaps this time trying another software:
    Code:
    nmap -Pn 192.168.10.2 -p 22
    from your laptop.
  • Removing all network devices between the client and the server
  • Rebooting the server
There's nothing else off the top of my head that I can think to check Venkat, best of luck :)
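
The port checks used throughout this thread (nc, nmap -Pn, ssh -vv stopping at "Connecting to") turn on whether the connection is refused or silently times out, since each outcome points at a different layer. The following is an added example, not part of the original thread: it assumes bash and coreutils timeout on the client, and the function names probe_tcp, classify_rc and next_step are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: classify a TCP probe of the SSH port as open / refused / timeout
# and name the next check from the thread for each outcome.
# Assumptions: bash (for /dev/tcp) and coreutils `timeout` exist on the client.

# Map the probe's exit status to a verdict.
classify_rc() {
  case "$1" in
    0)   echo open ;;     # handshake completed: something is listening
    124) echo timeout ;;  # `timeout` killed the probe: packets silently dropped
    1)   echo refused ;;  # connect failed at once: closed port, REJECT rule or no route
    *)   echo error ;;    # probe could not run (missing tool, bad arguments)
  esac
}

# probe_tcp HOST [PORT] [SECONDS] -> prints the verdict
probe_tcp() (
  host=$1; port=${2:-22}; wait=${3:-5}; rc=0
  # Host and port are passed as arguments, never spliced into the command string.
  timeout "$wait" bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$host" "$port" 2>/dev/null || rc=$?
  classify_rc "$rc"
)

# Next check for each verdict, using the commands from the thread.
next_step() {
  case "$1" in
    open)    echo "port reachable: debug authentication (ssh -vv, PermitRootLogin, keys)" ;;
    refused) echo "host answers, nothing accepts: on the node run 'ss -antlp | grep ssh' and 'systemctl status sshd'" ;;
    timeout) echo "packets dropped: check 'pve-firewall status', 'ufw status', router ACLs or port forwarding, and that the IP is the node's" ;;
    *)       echo "probe failed to run: check that bash and timeout are installed" ;;
  esac
}

# Run directly: ./probe.sh 192.0.2.10 22   (constructed documentation address)
if [ "$#" -ge 1 ]; then
  verdict=$(probe_tcp "$@")
  echo "$1:${2:-22} -> $verdict"
  next_step "$verdict"
fi
```

A timeout verdict while `ss` on the node shows sshd listening matches the symptom reported above: the service is up, but something between client and node drops the packets or the address is not the node's.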
 