To enable SSH on Ubuntu Linux, confirm the OpenSSH server package is present, start the packaged SSH listener, allow the port through any active firewall, and test a real login before depending on remote access. Ubuntu 26.04 and 24.04 use ssh.socket as the listener path, while Ubuntu 22.04 uses the persistent ssh.service daemon path.
Use this workflow when Ubuntu already has OpenSSH available, or when you only need a quick package check before enabling inbound access. For the full package installation, removal, host-key cleanup, and hardening workflow, use the separate guide to install SSH on Ubuntu.
Enable SSH on Ubuntu
The safest enablement path is to check whether openssh-server is installed, then enable the unit that owns SSH startup on your Ubuntu release.
| Ubuntu release | Primary listener unit | What to enable | Primary check |
|---|---|---|---|
| Ubuntu 26.04 and 24.04 | ssh.socket | The socket listener | Socket active and enabled |
| Ubuntu 22.04 | ssh.service | The SSH service | Service active and enabled |
Check Whether OpenSSH Server Is Installed
Check the server package first. The install ok installed status means the package is installed and configured:
dpkg-query -W -f='${Status} ${Package}\n' openssh-serverA configured install prints:
install ok installed openssh-server
If dpkg-query reports that no package is found, install the server package from Ubuntu’s default repositories before enabling SSH:
sudo apt update
sudo apt install -y openssh-serverIf your account cannot run
sudo, add a sudo-capable administrator first or use a local root session. The Ubuntu sudoers guide covers that setup.
Enable SSH on Ubuntu 26.04 and 24.04
Enable and start the SSH socket on Ubuntu 26.04 and 24.04. The socket listens on port 22 and starts ssh.service when a connection arrives or when active SSH sessions exist:
sudo systemctl enable --now ssh.socketConfirm both the runtime state and boot setting:
systemctl is-active ssh.socket
systemctl is-enabled ssh.socketactive enabled
On Ubuntu 24.04, ssh.service may also show as enabled on some systems. Use ssh.socket for the listener check because it shows whether new inbound SSH connections can reach the system.
Enable SSH on Ubuntu 22.04
Ubuntu 22.04 uses the traditional service path, so enable and start ssh.service directly:
sudo systemctl enable --now sshCheck that the service is running now and enabled for the next boot:
systemctl is-active ssh
systemctl is-enabled sshactive enabled
Verify SSH Is Listening on Ubuntu
After enabling SSH, verify the systemd unit and the network listener. This catches the common case where a package exists but no process or socket is accepting inbound connections.
Check SSH Status on Ubuntu 26.04 and 24.04
Check the socket status on Ubuntu 26.04 and 24.04:
sudo systemctl status ssh.socket --no-pagerRelevant output includes:
ssh.socket - OpenBSD Secure Shell server socket
Loaded: loaded (/usr/lib/systemd/system/ssh.socket; enabled; preset: enabled)
Active: active (running)
Triggers: ssh.service
Listen: 0.0.0.0:22 (Stream)
[::]:22 (Stream)
The status line can render as active (running) or active (listening) depending on the systemd view. Treat the active socket plus the Listen lines as the proof.
Check SSH Status on Ubuntu 22.04
Check the service status on Ubuntu 22.04:
sudo systemctl status ssh --no-pagerRelevant output includes:
ssh.service - OpenBSD Secure Shell server Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled) Active: active (running)
Confirm SSH Port 22 Is Listening
Confirm the listener from the networking side:
ss -H -ltn 'sport = :22' | awk '{print $1, $4}'Relevant output shows listener rows for IPv4 and IPv6. The queue sizes, process names, and PIDs can vary, so the useful parts are the LISTEN state and local address:
LISTEN 0.0.0.0:22 LISTEN [::]:22
If you changed the SSH port, replace :22 with your configured port before checking the listener.
Find the Ubuntu System IP Address
Find the IPv4 address other machines on the same network should use:
ip -4 -brief address show scope globalA typical private-network address looks like this:
enp0s3 UP 192.168.1.50/24
Use the address without the CIDR suffix when connecting, for example 192.168.1.50. If the address changes often on a home or lab network, consider assigning a router reservation or following the Ubuntu static IP address guide.
Allow SSH Through UFW on Ubuntu
UFW is often installed but inactive on Ubuntu. If UFW is active, or if you plan to enable it, allow SSH before turning on a default deny incoming policy.
Inspect the packaged OpenSSH application profile:
sudo ufw app info OpenSSHProfile: OpenSSH Title: Secure shell server, an rshd replacement Description: OpenSSH is a free implementation of the Secure Shell protocol. Port: 22/tcp
If this machine only needs normal LAN or admin access, allow the default SSH profile:
sudo ufw allow OpenSSHFor a public server, skip the broad profile rule and use a source-limited rule instead. Replace 203.0.113.10 with the trusted client IP that should be allowed to connect:
sudo ufw allow from 203.0.113.10 to any port 22 proto tcpCheck the firewall state after adding the rule:
sudo ufw status numberedIf UFW is inactive, the rule is stored but not enforced until UFW is enabled. If ufw is missing or you need default policies, rate limiting, rule deletion, logging, and complex allow or deny rules, use the Ubuntu UFW firewall guide. Public hosts that receive repeated authentication attempts can add Fail2ban on Ubuntu after SSH access is working.
Cloud servers can have a provider firewall, security group, router NAT rule, or hosting panel outside Ubuntu. UFW can allow the port locally while an upstream control plane still blocks the connection.
Connect to Ubuntu Over SSH
Once SSH is active and the firewall path is open, connect from another Linux, macOS, or Windows terminal with the remote username and IP address:
ssh username@192.168.1.50Replace username with an account on the Ubuntu system. On the first connection, verify the host-key fingerprint prompt before accepting it. If you are connecting across the internet, use a DNS name, VPN address, public IP, or port-forwarded address that actually reaches the Ubuntu machine.
Use SSH Keys for Regular Access
Password login can work for initial setup, but regular access should use SSH keys. Generate an Ed25519 key on the client machine if you do not already have one:
ssh-keygen -t ed25519Copy the public key to the Ubuntu account:
ssh-copy-id username@192.168.1.50ssh-copy-id is common on Linux and macOS clients. If your Windows OpenSSH client does not include it, sign in once with a password or console session and append the public key to ~/.ssh/authorized_keys on the Ubuntu account.
Test the key login before changing authentication settings. For broader client options, port forwarding, jump hosts, and file-transfer examples, use the SSH command guide for Linux.
Connect to a Custom SSH Port
If the Ubuntu server listens on a custom SSH port, specify it with lowercase -p in the SSH client:
ssh -p 2222 username@192.168.1.50The server must already have a matching Port directive, a restarted SSH listener, and an allowed firewall rule for that TCP port. Do not close port 22 until the new port works from a second terminal or another trusted machine.
If UFW is active, allow the custom port before removing access to the default SSH port. Replace 203.0.113.10 with the trusted client IP:
sudo ufw allow from 203.0.113.10 to any port 2222 proto tcpManage SSH After It Is Enabled
Service management depends on the Ubuntu release and on whether you are changing listener settings or normal authentication settings.
Restart SSH After Configuration Changes
Test SSH configuration syntax before restarting anything:
sudo sshd -tA valid configuration returns no output. After authentication-only changes, such as PasswordAuthentication, PermitRootLogin, AllowUsers, or MaxAuthTries, restart the service:
sudo systemctl restart sshAfter listener changes, such as Port or ListenAddress, reload systemd and restart the socket on Ubuntu 26.04 and 24.04:
sudo sshd -t
sudo systemctl daemon-reload
sudo systemctl restart ssh.socketOn Ubuntu 22.04, restart the service after the syntax check:
sudo sshd -t
sudo systemctl restart sshUbuntu’s OpenSSH documentation recommends configuration snippets under /etc/ssh/sshd_config.d/ so local changes stay separate from package defaults. The Ubuntu OpenSSH server documentation and OpenSSH sshd_config manual cover the available directives.
Disable SSH on Ubuntu
Disable SSH only from local console access, a provider recovery console, or another confirmed management path. If SSH is your only route into the machine, disabling it can lock you out immediately.
On Ubuntu 26.04 and 24.04, stop and disable the SSH socket:
sudo systemctl disable --now ssh.socketOn Ubuntu 22.04, stop and disable the SSH service:
sudo systemctl disable --now sshIf you only need to turn off firewall access while leaving SSH installed, remove or deny the UFW rule instead of disabling the service. The Ubuntu firewall enable and disable guide covers that workflow.
Troubleshoot SSH on Ubuntu
Troubleshoot SSH in layers: package, systemd unit, local listener, firewall path, network route, then authentication. That order keeps you from changing keys or configuration when the daemon simply is not listening.
ssh.service Looks Inactive on Ubuntu 26.04 or 24.04
If ssh.service appears inactive on Ubuntu 26.04 or 24.04, check the socket before treating SSH as disabled:
systemctl is-active ssh.socket
systemctl is-enabled ssh.socketactive enabled
Socket-activated SSH can leave ssh.service inactive before any connection starts the daemon, or active while current SSH sessions are connected. The listener state comes from ssh.socket.
Fix SSH Connection Refused
A refused connection means the target answered but nothing accepted SSH on that port:
ssh: connect to host 192.168.1.50 port 22: Connection refused
On the Ubuntu server, confirm that SSH is listening on the expected port:
ss -H -ltn 'sport = :22' | awk '{print $1, $4}'If no listener appears, enable the correct unit for your Ubuntu release. If the listener exists, confirm the client is using the right IP address and port.
Fix SSH Connection Timed Out
A timeout usually points to a firewall, router, cloud security group, VPN route, wrong public IP, or missing port-forward rule. Confirm local UFW first:
sudo ufw status numberedIf UFW allows SSH and the local listener is active, inspect the upstream network layer. For home networks, that means router port forwarding and the current public IP. For cloud servers, check the provider firewall or security group before changing Ubuntu configuration.
Fix Permission Denied Publickey
A rejected key login can end with this message:
username@192.168.1.50: Permission denied (publickey).
On the client, confirm the private key is restricted enough for SSH to use it:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519.pubOn the Ubuntu server account, confirm the public key exists in ~/.ssh/authorized_keys and that the file is writable only by that account:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keysThe chmod command guide is useful when you need to decode owner, group, and world bits before changing key permissions.
Fix Bad SSH Configuration Syntax
Run the syntax check after every sshd_config or snippet edit:
sudo sshd -tIf the command names a bad directive or line number, fix that file before restarting SSH. A valid configuration returns no output, which is your cue that restarting the service or socket is safe.
Conclusion
SSH is enabled on Ubuntu once the correct socket or service is active, port 22 is listening, firewall access is allowed where needed, and a real client login succeeds. Keep one tested access path open before changing ports or authentication settings, then move routine access to SSH keys and tighter firewall rules.
Formatting tips for your comment
You can use basic HTML to format your comment. Useful tags currently allowed in published comments:
<code>command</code>command<strong>bold</strong><em>italic</em><blockquote>quote</blockquote>