ssh problems

[Thomas W Cotter]

I am trying to install Adguard home on a Rasperry pi 4. No problems with installing the operating system on to a micro sd card. Changed some of the settings from the default. Set a username and password enabled ssh with password authentication.Also set a static ip address for the raspberry pi
When I connect the raspberry pi using the hostname and the static ip address I am getting the port 22 connection refused.
Now I have tried everything that is in my capabilities (not a whole lot) and nothing has worked.
Here is a list:
Opened up firewall for short time
Flushed and changed ssh keys
Reflashed micro card numerous times
Set router to factory settings
Checked ssh was active and enabled, it was
Pinged the ip address and that was working fine
Changed ssh settings on Pi imager to allow public key authentication and pasted in my public key in
Checked that port 22 was open using terminal and it said it was listening.
Switched ethernet cables
Rebooted computer and Pi many times
Updated and upgraded my linux machine (Zorin)

Did other things but I thought I was pretty complete but obviously not.

Frustrated and looking for answers. Any other info you need please ask.

cotts135

 

[dos2unix]

is sshd service running?
are you ssh'ing as root? or another user?
is root login enabled in sshd_config?
is ssh enabled in firewall?
can you ping the remote system?

what is output of ssh [email protected] -v

 

[Thomas W Cotter]

Well thxs for you reply.
ssh is running. command: (service --status-all) not seeing sshd
Not using root to gain access. Using the user that I designated in the Pi imager [email protected]
Gained root access, then still got the Port 22 access denied

Pinging the remote system is fine, No blockage there
oot@tom-B650M-Pro-RS:~# ping xxx.xxx.xxx.xxx.
PING 192.168.0.106 (192.168.0.106) 56(84) bytes of data.
64 bytes from xxx.xxx.xxx.xxxx_seq=1 ttl=64 time=0.219 ms
64 bytes from xxx.xxx.xxx..xx: icmp_seq=2 ttl=64 time=0.205 ms
64 bytes from xxx.xxx.xxx.xxx.: icmp_seq=3 ttl=64 time=0.178 ms
64 bytes from xxx.xxx.xxx.xxx.: icmp_seq=4 ttl=64 time=0.161 ms
^C
--- xxx.xxx.xxx.xxx.ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3067ms
rtt min/avg/max/mdev = 0.161/0.190/0.219/0.022

Is ssh enabled in firewall:
root@tom-B650M-Pro-RS:~# ufw app list
Available applications:
Bind9
CUPS
OpenSSH
syncthing
syncthing-gui
zorin-connect

Again not the best with linux, kinda just starting, but I certainly appreciate the help

 

[dos2unix]

output of

systemctl status -l sshd

 

[Thomas W Cotter]

Ooh sorry
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/usr/lib/systemd/system/ssh.service; enabled; preset: enab>
Active: active (running) since Tue 2025-11-25 15:07:44 EST; 1h 47min ago
TriggeredBy: ● ssh.socket
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 1379 (sshd)
Tasks: 1 (limit: 37141)
Memory: 2.2M (peak: 2.5M)
CPU: 14ms
CGroup: /system.slice/ssh.service
└─1379 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

Nov 25 15:07:44 tom-B650M-Pro-RS systemd[1]: Starting ssh.service - OpenBSD Sec>
Nov 25 15:07:44 tom-B650M-Pro-RS sshd[1379]: Server listening on 0.0.0.0 port 2>
Nov 25 15:07:44 tom-B650M-Pro-RS sshd[1379]: Server listening on :: port 22.
Nov 25 15:07:44 tom-B650M-Pro-RS systemd[1]: Started ssh.service - OpenBSD Secu>
lines 1-17/17 (END)

 

[Trml]

The service output looks normal. Try to ssh login and check the service output again, it should show the login attempt and probably won't.

Please check the output of sudo ufw status verbose whether incoming ssh is allowed.

How did you configure the image to flash? Did you use the RaspPI imager to customise settings like the static IP and to enable ssh, or flash an image and configure it manually?

 

[CaffeineAddict]

When I connect the raspberry pi using the hostname and the static ip address I am getting the port 22 connection refused.

Server listening on 0.0.0.0 port 2

The server is listening on wrong port.
It should listen on port 22 not 2

 

[Thomas W Cotter]

ERROR: Invalid syntax

Usage: ufw COMMAND

Commands:
enable enables the firewall
disable disables the firewall
default ARG set default policy
logging LEVEL set logging to LEVEL
allow ARGS add allow rule
deny ARGS add deny rule
reject ARGS add reject rule
limit ARGS add limit rule
delete RULE|NUM delete RULE
insert NUM RULE insert RULE at NUM
prepend RULE prepend RULE
route RULE add route RULE
route delete RULE|NUM delete route RULE
route insert NUM RULE insert route RULE at NUM
reload reload firewall
reset reset firewall
status show firewall status
status numbered show firewall status as numbered list of RULES
status verbose show verbose firewall status
show ARG show firewall report
version display version information

Application profile commands:
app list list application profiles
app info PROFILE show information on PROFILE
app update PROFILE update PROFILE
app default ARG set default application policy

root@tom-B650M-Pro-RS:~#

Ran the command that's what you see above.

Did you use the RaspPI imager to customise settings like the static IP and to enable ssh, or flash an image and configure it manually?

ran the imager to customize the settings such as : Choosing device: (Rasperrypi4)
operating system: (Rasperry pi Os lite 32 bit)

Never was asked about a static Ip
and there was nothing about flashing to configure manually.


There was nothing about the imager that wanted anything you just asked

 

[f33dm3bits]

The server is listening on wrong port.
It should listen on port 22 not 2

Because of this it would be useful to see the sshd config as @dos2unix mentioned earlier, the configured ssh port should be listed there too.

is root login enabled in sshd_config?

grep -i port /etc/ssh/sshd_config

 

[CaffeineAddict]

as @dos2unix mentioned earlier

This is so common phenomenon on forums, when you ask multiple questions or outputs you get only a portion of them in response in like 99% of cases.

 

[Trml]

ran the imager to customize the settings such as : Choosing device: (Rasperrypi4)
operating system: (Rasperry pi Os lite 32 bit)

A PI4 can use 64bit. The "advanced" settings tab contain the IP and ssh settings, https://www.raspberrypi.com/documentation/computers/getting-started.html#raspberry-pi-imager

You did not run this:

Please check the output of sudo ufw status verbose whether incoming ssh is allowed.

 

[Thomas W Cotter]

root@tom-B650M-Pro-RS:~# grep -i port /etc/ssh/sshd_config
# configuration must be re-generated after changing Port, AddressFamily, or
# Port 22
#GatewayPorts no

root@tom-B650M-Pro-RS:~# sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
22/tcp (OpenSSH) ALLOW IN Anywhere
22/tcp (OpenSSH (v6)) ALLOW IN Anywhere (v6)

root@tom-B650M-Pro-RS:~# ssh [email protected] -v
OpenSSH_9.6p1 Ubuntu-3ubuntu13.14, OpenSSL 3.0.13 30 Jan 2024
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to 192.168.0.106 [192.168.0.106] port 22.
debug1: connect to address 192.168.0.106 port 22: Connection refused
ssh: connect to host 192.168.0.106 port 22: Connection refused

Here are some more outputs of the commands that you have requested. Hope it helps. Thxs for all your time

 

[Gerb]

The server is listening on wrong port.
It should listen on port 22 not 2

Obviously the line in his output in #5 is shortened, next line mentioned port # 22.
@Thomas: all the output you showed is from pi? Especially the message about the running sshd? You are trying to connect from a Windows or Linux PC? Plese like asked in #2 give the output from:
ssh [email protected] -v

 

[Trml]

@Gerb Yes, port 2> is truncated, next line shows it is set to 22. The user pi is the default sudo user on raspberry Pi OS, which has root disabled per default. That output is ok.

@Thomas W Cotter The ufw output is normal too. Unless you have changed something essential in the raspberry /etc/ssh/sshd_config I am at a loss why it does not work.

Best you post log output from the PI after you did a connection attempt. To do that, execute sudo journalctl -f on the Pi and then proceed to try to ssh connect. You should see the incoming connection. Let's see what it says.

 

[Thomas W Cotter]

Gerb I am using linux zorin and using a headless installation into the pi after flashing the drive with the Raspberry pi imager.Here is the output when I try to access The pi.
root@tom-B650M-Pro-RS:~# ssh [email protected] -v
OpenSSH_9.6p1 Ubuntu-3ubuntu13.14, OpenSSL 3.0.13 30 Jan 2024
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to 192.168.0.106 [192.168.0.106] port 22.
debug1: connect to address 192.168.0.106 port 22: Connection refused
ssh: connect to host 192.168.0.106 port 22: Connection refused


Trml
root@tom-B650M-Pro-RS:~# ssh [email protected]
ssh: connect to host 192.168.0.106 port 22: Connection refused.
The output of the sudo journalctl -f is in the attachment. I am not sure that's exactly what you wanted since I can't get into the pi.
Here is the sshd_config file

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

Include /etc/ssh/sshd_config.d/*.conf

# When systemd socket activation is used (the default), the socket
# configuration must be re-generated after changing Port, AddressFamily, or
# ListenAddress.
#
# For changes to take effect, run:
#
# systemctl daemon-reload
# systemctl restart ssh.socket
#
# Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

Hope it helps

 

[Trml]

I don't see anything wrong with the config at first sight.

The output of the sudo journalctl -f is in the attachment. I am not sure that's exactly what you wanted since I can't get into the pi.

The one you attached is from your desktop. I was asking for the same output on the PI. We need to see if the connection attempt arrives and what refuses it. I understand the PI is headless, but the desktop journal does not help for that.

if you only have one monitor, it is feasible to look and save the log after you connect it. You can filter the journal for ssh, e.g. sudo journalctl -b -u ssh , to look for the connection attempts.

 

[CaffeineAddict]

I can't get into the pi.
Here is the sshd_config file

sshd_config from pi is what needs to be configured if pi is server, not the same file on your computer from which you establish connection to pi.

Connection refused

Means authentication issue. the server is not listening or port is closed.

The center of attention, including journal and firewall should be pi, not your computer.
configuration needs to be done there within sshd_config, and then service restarted to apply changes.

 

[Thomas W Cotter]

Trml, and CaffeineAddict thanks for the help. I do have only one monitor and I am confused on exactly how to do what you asked. I do have access to all the files on the pi I will attach a copy of the sshd_config file from the pi. If there are any other files you need from the pi will post them.

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

Include /etc/ssh/sshd_config.d/*.conf

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to "no" here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to "yes" to enable keyboard-interactive authentication. Depending on
# the system's configuration, this may involve passwords, challenge-response,
# one-time passwords or some combination of these and other methods.
# Beware issues with some PAM modules and threads.
KbdInteractiveAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale and color environment variables
AcceptEnv LANG LC_* COLORTERM NO_COLOR

# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

 

[CaffeineAddict]

When I connect the raspberry pi using the hostname and the static ip

You connect to pi with username not with NETBIOS name, username that exists on pi and is either root or in sudo group.
Therefore if user account name on pi is "user" then you ssh to it with:

ssh [email protected]

Replace "user" with user account name from pi.

---

When you're done with ssh connect attempt above...

on pi (not on your computer run):

sudo systemctl status sshd

What's the output?

 

[deb_user]

With only one user you don't need user@ipaddress, you can use just the hostname. For instance, just "ssh pi", assuming that's the hostname. That's how I do it daily. Or you can use just the ip address, no need or user@. If there are more users on the system, then you may need to specify the user you want to be.