(Solved) Unable to ssh after the yuno update


After the yuno update I can not ssh on the internet but it work on the local network .

ssh -vv  root@datamol.in
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to datamol.in [] port 22.
debug1: connect to address port 22: Connection timed out
ssh: connect to host datamol.in port 22: Connection timed out

anybody with the solution?

I have asked the ISP for the and they say port 22 is not blocked . I have replaced the modem and checked the the port ,still its blocked on Internet.

So there is definitely a problem in the server.
All other port are working fine.

somebody have any idea why there is sudden packets drop on port 22 after the update?

Did you upgraded to Jessie ?
Check SSH config file (/etc/ssh/sshd_config) and verify that root is allowed to connect (PermitRootLogin without-password or PermitRootLogin yes).
You can test if the port 22 is blocked by trying to access your SSH server using telnet :

$ telnet datamol.in 22

If you got a response

$ telnet matlink.fr 22
Connected to matlink.fr.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.7p1 Debian-5

then your SSH server is accessible.

#Package generated configuration file                                                                                                
# See the sshd_config(5) manpage for details                                                                                          
# What ports, IPs and protocols we listen for                                                                                         
Port 22                                                                                                                               
# Use these options to restrict which interfaces/protocols sshd will bind to                                                          
ListenAddress ::                                                                                                                      
Protocol 2                                                                                                                            
# HostKeys for protocol version 2                                                                                                     
HostKey /etc/ssh/ssh_host_rsa_key                                                                                                     
HostKey /etc/ssh/ssh_host_dsa_key                                                                                                     
HostKey /etc/ssh/ssh_host_ecdsa_key                                                                                                   
#Privilege Separation is turned on for security                                                                                       
UsePrivilegeSeparation yes                                                                                                            
# Lifetime and size of ephemeral version 1 server key                                                                                 
KeyRegenerationInterval 3600                                                                                                          
ServerKeyBits 768                                                                                                                     
# Logging                                                                                                                             
SyslogFacility AUTH                                                                                                                   
LogLevel INFO                                                                                                                         
# Authentication:                                                                                                                     
LoginGraceTime 120                                                                                                                    
PermitRootLogin yes                                                                                                                   
StrictModes yes  

RSAAuthentication yes
PubkeyAuthentication yes                                                                                                              
#AuthorizedKeysFile     %h/.ssh/authorized_keys                                                                                       
# Don't read the user's ~/.rhosts and ~/.shosts files                                                                                 
IgnoreRhosts yes                                                                                                                      
# For this to work you will also need host keys in /etc/ssh_known_hosts                                                               
RhostsRSAAuthentication no                                                                                                            
# similar for protocol version 2                                                                                                      
HostbasedAuthentication no                                                                                                            
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication                                                         
#IgnoreUserKnownHosts yes                                                                                                             
# To enable empty passwords, change to yes (NOT RECOMMENDED)                                                                          
PermitEmptyPasswords no 

# Change to yes to enable challenge-response passwords (beware issues with                                                            
# some PAM modules and threads)                                                                                                       
ChallengeResponseAuthentication no                                                                                                    
# Change to no to disable tunnelled clear text passwords                                                                              
#PasswordAuthentication yes                                                                                                           
# Kerberos options                                                                                                                    
#KerberosAuthentication no                                                                                                            
#KerberosGetAFSToken no                                                                                                               
#KerberosOrLocalPasswd yes                                                                                                            
#KerberosTicketCleanup yes                                                                                                            
# GSSAPI options
#GSSAPIAuthentication no                                                                                                              
#GSSAPICleanupCredentials yes                                                                                                         
X11Forwarding yes                                                                                                                     
X11DisplayOffset 10                                                                                                                   
PrintMotd no                                                                                                                          
PrintLastLog yes                                                                                                                      
TCPKeepAlive yes                                                                                                                      
#UseLogin no                                                                                                                          
#MaxStartups 10:30:60                                                                                                                 
Banner /etc/issue.net                                                                                                                 
# Allow client to pass locale environment variables                                                                                   
AcceptEnv LANG LC_* 

Subsystem sftp /usr/lib/openssh/sftp-server                                                                                           
# Subsystem sftp internal-sftp                                                                                                        
# Set this to 'yes' to enable PAM authentication, account processing,                                                                 
# and session processing. If this is enabled, PAM authentication will                                                                 
# be allowed through the ChallengeResponseAuthentication and                                                                          
# PasswordAuthentication.  Depending on your PAM configuration,                                                                       
# PAM authentication via ChallengeResponseAuthentication may bypass                                                                   
# the setting of "PermitRootLogin without-password".                                                                                  
# If you just want the PAM account and session checks to run without                                                                  
# PAM authentication, then enable this but set PasswordAuthentication                                                                 
# and ChallengeResponseAuthentication to 'no'.                                                                                        
UsePAM yes

Is your ssh-server listening ? What are the response for :

service ssh status 


netstat -plnt | grep 22
service ssh status
[ ok ] sshd is running.

netstat -plnt | grep 22
tcp        0      0    *               LISTEN      3453/sshd                                             tcp        0      0  *               LISTEN      2487/lua5.1                                           tcp6       0      0 :::22                   :::*                    LISTEN      3453/sshd                                             tcp6       0      0 :::5222                 :::*                    LISTEN      2487/lua5.1


During the nginx’s upgrade, it disable ssh and root login for security reasons.

You have to connect to your server https://your.server.tld/yunohost/admin/#/login and check in Services if ssh is still enable.

For me, i had to shutdown my server, plug screen and keyboard and reboot for log me in.
Then i’ve edited /etc/ssh/sshd_config in order to put root login at yes and verify the listening port because i’ve changed the default port 22.

Otherwise, you can shutdown your server, boot with a live-cd to edit /etc/ssh/sshd_config

nano /etc/ssh/sshd_config

and do Ctrl+o to save change then Ctrl+x to quit

service ssh restart

Hope it could help


Durant la mise à jour de nginx, par sécurité, la connexion ssh et root login sont désactivées.

Il faut se connecter au serveur https://votre.serveur.ndd/yunohost/admin/#/login et vérifier que le service ssh tourne bien.

J’ai du arrêter mon serveur, brancher un écran et un clavier et redémarrer pour me logger.
Ensuite, il faut éditer le fichier /etc/ssh/sshd_config afin de mettre root login à yes et vérifier le port d’écoute (j’ai changé le port 22 par un autre lors suite à l’installation).

Sinon, il y a aussi la solution d’arrêter le serveur et de démarrer sur un live-cd pour éditer le fichier /etc/ssh/sshd_config

nano /etc/ssh/sshd_config

et faire Ctrl+o pour enregistrer les changements puis Ctrl+x pour quitter et redémarrer le service ssh

service ssh restart

J’espère que ça peut aider.

I have solved the problem by changing

Subsystem sftp /usr/lib/openssh/sftp-server


Subsystem sftp internal-sftp 

in nano /etc/ssh/sshd_config

As advised by @kload on the chat room, I checked /etc/ssh/sshd_config against https://github.com/YunoHost/packages/blob/master/yunohost-config-others/config/others/sshd_config3

Now I can ssh from remote location

@ppr @kload @matlink