Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
Is it possible to configure an sftp user for uploading and editing but NOT downloading files? Question Question
Set umask for another user Question Question

Question

cannot log into Ubuntu 16.04 server with ssh keys

Posted April 3, 2017 7.3k views
SecurityUbuntu 16.04

I have completed the tutorials for initial setup of the Ubuntu 16.04 server, LAMP, and Secure Apache with Let’s Encrypt. I was able to log in one time. After I lost my connection through bad wifi my terminal froze. I closed the terminal and could not log back in. 

ssh: connect to host hostname.org -p port: Connection timed out

I enabled a pass phrase, but it doesn’t ask it. What could be wrong?

Add a comment
technicallyblue
By:
technicallyblue

Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
Is it possible to configure an sftp user for uploading and editing but NOT downloading files? Question Question
Set umask for another user Question Question
Add a comment
1 comment
  • technicallyblue April 3, 2017
    Reply Report

    I haved logged into the server with the panel and reviewed the changes I made, but don’t know which setting could be causing the issue. The host name is givechildrenbooks.org, port is 5069.

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
5 answers
Woet April 3, 2017

What is the hostname and port?

Reply Report
hansen April 3, 2017

You can access the server if you log into the control panel in DigitalOcean and use the Console.

It’s hard to say what went wrong, but my first guess would be either firewall or you changed the default port 22 of SSH.
Which tutorial did you use specifically? And did you do anything outside the scope of the tutorial?

Have you already changed your DNS to point to your server - otherwise continue to use the IP address.

Reply Report
  • technicallyblue April 3, 2017

    I’ve already changed the DNS. You can see the site, givechildrenbooks.org

    I followed everything save one option. When running ssh-keygen it asks:

    Enter file in which to save the key (/Users/localuser/.ssh/id_rsa):

    Instead of going with the default I typed “books”. I didn’t see any indication that it saved that file name. The contents of the .ssh folder is idrsa, idrsa.pub, and known_hosts.

    Reply Report
    • hansen April 3, 2017

      This path /Users/localuser/.ssh/id_rsa looks like MacOS paths.
      But it shouldn’t have anything to do with SSH stops working.

      Can you insert the link to the tutorial you followed?

      Reply Report
hansen April 3, 2017

@technicallyblue
Make sure the file /etc/ssh/sshd_config has the line Port 5069 and reboot the server after the change.
It seems like you’ve added a firewall rule to block port 22 - at least that’s what I’m seeing when scanning your server:

22/tcp  closed ssh

Remember to click “Reply” under the post or use the @ sign to notify people - otherwise we might miss a message from you.

Reply Report
hansen April 3, 2017

@technicallyblue We’ve maxed out the other thread, so starting a new.
Sorry, run this again, because I specifically used to “numbered” to avoid getting the canonical names:

sudo ufw status numbered

And then run this:

sudo lsof -iTCP -sTCP:LISTEN -P
Reply Report
jtittle1 April 3, 2017

@technicallyblue

I would recommend simply shutting down the firewall service using Console and see if that allows you to log back in via SSH. You can do that by running:

ufw disable

If you’re able to login with ufw disabled, then your IP was most likely blocked. Normally, I recommend using actual ports over defined services when setting up ufw. Using actual ports seems to be far less problematic.

So if you’re able to login with ufw disabled, I’d now run a reset to wipe all existing rules.

ufw reset

You now have a clean slate from which to work from. So let’s rebuild.

We’ll start with default rules. We’ll deny all incoming and allow outgoing. These rules won’t matter as right now, ufw is disabled, so you shouldn’t get locked out when running them if you ran both of the commands above.

ufw default deny incoming

ufw default allow outgoing

Now we need to specify which ports to allow in. I always start with SSH since that’s the first thing I’ll be using and it’s the most important to start with.

Now, from the looks of it, you’re using another port – from what I’ve read, that’s 5069, though let’s confirm that to make sure so that you don’t end up getting locked out again.

Please run:

grep "Port" /etc/ssh/sshd_config

You’ll see a port echo'ed out to the screen that looks like Port ... where ... is the port. If that says 22, then we’ll use 22. If it says 5069, then use that.

So let’s allow SSH. As above, change 22 to the other port if that’s what’s showing in your SSH config.

ufw allow 22/tcp

Now since you’re using Apache and LetsEncrypt, we need to allow HTTP and HTTPS connections, and we can do that by allowing ports 80 and 443 through.

ufw allow 80/tcp

ufw allow 443/tcp

At this point, unless you need to allow additional ports through, we can go ahead and start ufw back up and let it resume.

ufw enable

You’ll get a warning that you may be kicked, but as long as you used the correct SSH port in the above command, you’ll be fine.

Hopefully that helps to get you back in :).

Reply Report
  • technicallyblue April 3, 2017

    This helped me narrow it down perfectly. Even though ssh was listening on 5069, I didn’t allow that port through the firewall. Would have been nice to get “denied” instead of “timed out”

    ufw allow 5069/tcp and ufw enable did the trick!

    Thanks for the help!

    Reply Report
    • jtittle1 April 3, 2017

      @technicallyblue

      No problem at all, happy to help :-).

      The reason you’re seeing a timeout is most likely due to not having default policies in place (as I noted at the top of my previous reply). If you do the reset and then follow the above, it should begin denying instead of just allowing a connection to sit idle and then timeout.

      That’s why I always recommend a reset first, then setting up the deny/allow first.

      Reply Report

Related

Looking for something else?

Ask a new question Search for more help