Atlas Docs

Can't SSH to a VM

Properties1
descriptionSSH times out, refuses, or asks for a password — work through the four common causes.

3 min read

Symptom

You launched a VM and got a public IP, but SSH does not work. Variants:

  • ssh: connect to host <ip> port 22: Operation timed out
  • ssh: connect to host <ip> port 22: Connection refused
  • The connection opens but asks for a password — Permission denied (publickey) or worse, Permission denied (publickey,password).

Investigation

The four common causes, in roughly decreasing frequency.

1. No port-forward rule for SSH

On Atlas, a public IP is not implicitly bound to a VM’s SSH port. You must explicitly forward public:22 → vm:22. Check:

cmk list portforwardingrules ipaddressid=<PUBLIC_IP_ID>

If no rule covers TCP port 22, create one:

cmk create portforwardingrule \
  ipaddressid=<PUBLIC_IP_ID> \
  protocol=tcp publicport=22 privateport=22 \
  virtualmachineid=<VM_ID>

2. No firewall rule allowing TCP 22

Even with a port-forward, the Public IP’s firewall has to allow inbound traffic on TCP 22:

cmk list firewallrules ipaddressid=<PUBLIC_IP_ID>

If no rule covers TCP 22 from 0.0.0.0/0 (or your CIDR), add one:

cmk create firewallrule \
  ipaddressid=<PUBLIC_IP_ID> \
  protocol=tcp startport=22 endport=22 \
  cidrlist=0.0.0.0/0

3. The wrong SSH key was injected at boot

If you launched the VM without a keypair argument, no SSH key was installed. The VM has no way to authenticate you — and Ubuntu/Debian templates disable password SSH by default. Confirm:

cmk list virtualmachines id=<VM_ID> filter=keypair

If keypair is empty, you have two options: destroy the VM and re-launch with keypair=mykey, or attach a user-data script on re-launch that injects your public key via cloud-init.

4. Using the wrong username

Atlas templates use the OS-default cloud-init user, not root:

  • Ubuntu: ubuntu@<public-ip>
  • Debian: debian@<public-ip>
  • AlmaLinux / RHEL: almalinux@<public-ip> or cloud-user@<public-ip>

If you’re using root, switch.

5. (less common) Inside-VPC ACL blocking it

If the VM lives in a VPC tier (not a Guest Network), the tier’s Network ACL applies in addition to the Public IP firewall. Check the ACL:

cmk list networkacls aclid=<TIER_ACL_ID>

Make sure inbound TCP 22 from your CIDR is allowed.

Solution

The fix is almost always one of:

  • Add a port-forwarding rule for TCP 22.
  • Add a firewall rule for TCP 22.
  • Re-launch the VM with the correct keypair.
  • Use the right username for your Template.

If you’ve done all four and SSH still fails, the Public IP may not be routing correctly. Verify the IP is associated to the right network:

cmk list publicipaddresses id=<PUBLIC_IP_ID> filter=state,associatednetworkid

state should be Allocated. If it’s Allocating or Releasing, wait. If it’s Allocated but associatednetworkid is the wrong network, disassociate and re-associate.

If everything checks out and SSH still doesn’t work, email mailto:help@runatlas.is with the instance UUID, the public IP, and the exact ssh -v output.

Backlinks