To connect to a VPS via SSH, you usually need four things:
- The server’s public IP address;
- A username;
- The SSH port;
- A password or private key.
The basic command is as follows: ssh user@SERVER_IP
For example: ssh [email protected]
If SSH is not running on the standard port 22, specify the port using -p: ssh -p 2222 user@SERVER_IP
To connect using a private key, use the -i option: ssh -i ~/.ssh/id_ed25519 user@SERVER_IP
The commands are almost the same in Windows Terminal, PowerShell, macOS Terminal, and Linux Terminal. PuTTY is configured through a graphical interface: the IP address is entered in the Host Name field, the port in the Port field, and the private key is added in the SSH authentication settings.
When you connect for the first time, the client will display the server’s fingerprint. This is the fingerprint of the VPS SSH key. Whenever possible, compare it with the information in the provider’s control panel, and only then confirm the connection.
If an error appears, its message usually indicates what to check:
| Error | What to check |
| Permission denied | The user, password, key, and allowed login method |
| Connection timed out | The IP address, port, firewall, and VPS availability |
| Connection refused | Whether SSH is running and listening on the specified port |
| Bad permissions | Permissions for the private key |
| Host key verification failed | The saved fingerprint and a possible server change |
For the first connection, it is best to use the details from the provider’s control panel without changing them. After logging in, you can create a separate user, add your SSH key, test a new session, and only then disable password-based login or root login.
What you need to connect via SSH

Server IP address
An IP address is the VPS network address that the SSH client uses to locate the server on the internet. Providers usually display it in the control panel immediately after the virtual machine is created.
A public IPv4 or IPv6 address is used for the connection, for example: 203.0.113.10
In the command, it is specified after the username: ssh [email protected]
If the IP address is entered incorrectly, the connection usually fails with a Connection timed out or No route to host error, or the client may try to connect to a different server.
Do not confuse the VPS IP address with the website address. You can point a domain to the VPS later and use it instead of the IP address, but for the initial connection it is more convenient to use the IP address from the provider’s control panel.
Username
The username determines which account is used to log in. It depends on the selected image and the provider’s settings.
The most common options are:
- root;
- ubuntu;
- debian;
- admin;
- a user created manually when ordering the VPS.
The username is specified before the @ symbol: ssh [email protected]
If the wrong user is selected, the server may be reachable, but authentication will fail with Permission denied.
The required username is usually provided in the email from the provider, in the control panel, or in the image documentation. After logging in as root for the first time, it is recommended to create a separate user with sudo privileges.
SSH port
The port specifies which network port the server listens on for SSH connections. The default value is 22.
If the standard port is used, you do not need to specify it separately: ssh [email protected]
For a non-standard port, use the -p option: ssh -p 2222 [email protected]
It is important to use a lowercase p. In some other utilities, the uppercase -P option means something else and is not valid for the regular ssh command.
The port number must match in several places: the SSH server configuration, the firewall rules, and the connection command. If even one of these uses a different value, the connection will not be established.
Password and private key
After the connection is established, the server must verify the user’s identity. This is usually done using a password or an SSH key.
A password is a regular secret combination set for an account. When you enter it in the terminal, the characters are not displayed; this is normal behavior, not a UI error.
A private key is the private part of an SSH key pair. It is stored only on the user’s computer and is used to verify access. You must not share a private key with other people or upload it to a server.
The public part of the key, by contrast, is placed on the VPS in the file: ~/.ssh/authorized_keys
To connect using a specific private key, use the command: ssh -i ~/.ssh/id_ed25519 [email protected]
On Windows, the path may look like this: ssh -i C:\Users\User\.ssh\id_ed25519 [email protected]
To connect to the server automatically without specifying the key in the command, start ssh-agent, if necessary load the key into memory using the ssh-add command, and then connect using the command ssh [email protected]
An SSH key is usually more secure than a password, especially if the private key is protected with an additional passphrase. However, it is important not to lose the key file and to set up a backup access method in advance through the provider’s control panel or console. An SSH key can be compared to a house key.
What Is a Fingerprint?
A fingerprint is a short digital fingerprint of the server’s public SSH key. It helps verify that the client is connecting to the intended VPS rather than an impersonated host.
On the first connection, SSH displays a message similar to the following: The authenticity of host cannot be established.
The fingerprint is displayed below, and you are prompted to confirm the connection. Whenever possible, compare it with the value shown in the provider’s control panel or the server console.
After confirmation, the fingerprint is saved on the computer in the known_hosts file. On subsequent connections, SSH compares the server key with the saved value.
If the fingerprint changes unexpectedly, the client displays a warning. This can happen after reinstalling the VPS, changing the server’s SSH keys, or transferring the IP address. However, the change may also indicate a spoofed connection, so the warning should not be ignored automatically.
Before deleting the old entry, make sure that the server has actually been reinstalled or changed. After that, the outdated fingerprint can be removed using the command: ssh-keygen -R 203.0.113.10
Once the IP address, username, port, and authentication method are known, you can proceed with connecting using Windows Terminal or PowerShell.
Connecting via Windows Terminal and PowerShell

Password login
In recent versions of Windows, the SSH client is already built into Windows Terminal and PowerShell, so a separate program is usually not required.
Open Windows Terminal or PowerShell and run the command: ssh user@SERVER_IP
For example: ssh [email protected]
On the first connection, the server fingerprint will be displayed. After verifying it, confirm it by entering: yes
The system will then prompt you for a password. Characters are not displayed as you type; this is normal terminal behavior.
If the credentials are correct, the remote server’s command prompt will open. The prompt usually shows which user is logged in and which VPS you are connected to.
If the ssh command is not recognized, check whether the OpenSSH Client component is installed in Windows Optional Features.
A password is suitable for temporary first-time access, but regular access is better configured to use an SSH key.
Logging in with an SSH key
If the key pair has not been created yet, you can generate it directly in PowerShell or Windows Terminal: ssh-keygen -t ed25519
By default, the private key is saved in the directory: C:\Users\User\
.ssh\id_ed25519
The public part is in the file: C:\Users\User\.ssh\id_ed25519.pub
The private key remains on your computer. The contents of the .pub file must be added to ~/.ssh/authorized_keys on the server.
After that, the connection is usually established using the standard command: ssh user@SERVER_IP
SSH will automatically check the standard key paths. If you need to specify a specific private key, use the -i option: ssh -i C:\Users\User\.ssh\id_ed25519 user@SERVER_IP
If the path contains spaces, enclose it in quotation marks: ssh -i "C:\Users\User Name\.ssh\server_key" user@SERVER_IP
The private key can be protected with a passphrase. In this case, SSH will prompt you for it when you connect. This is the password for the key file itself, not for the VPS account.
After successfully logging in with the key, you should open a second terminal window and try connecting again. Only after this check should you disable password authentication on the server.
To connect automatically with the key, you also need to start ssh-agent, which is available in Windows as a service.
Connecting through a non-standard port
If the SSH server accepts connections on a non-standard port other than 22, specify it using the -p option: ssh -p 2222 user@SERVER_IP
When using a private key, the parameters can be combined: ssh -p 2222 -i C:\Users\User.ssh\id_ed25519 user@SERVER_IP
The order of the parameters is not critical, but the port number must match the SSH server configuration and the firewall rule.
If the port is specified incorrectly, you will most often see Connection timed out or Connection refused. This does not necessarily mean the password is incorrect: the connection may not have reached the authentication stage at all.
To avoid entering a long command every time, you can save the parameters in the SSH config later. For the first connection, however, it is better to use the full command, because it makes it easier to verify the user, IP address, port, and path to the key separately.
Connecting via PuTTY

Password-based login
PuTTY is a fairly popular program for working with different types of terminal connections, including SSH, Telnet, and console connections. It was indispensable on older versions of Windows, and many people still prefer it to the “built-in” SSH client.
After you start PuTTY, the session configuration window opens. For a standard connection, you only need to fill in two fields:
- Host Name (or IP address) — the VPS IP address;
- Port — the SSH port, usually 22.
In the Connection type section, leave SSH selected, then click Open.
When connecting for the first time, PuTTY displays a warning about an unknown host key. This is the equivalent of fingerprint verification. If possible, compare the fingerprint with the provider’s information, then confirm that the server key should be saved.
Next, the following prompt will appear: login as:
Enter the username there, such as root or ubuntu. PuTTY will then prompt you for the password.
The password is not displayed while you type it. If authentication is successful, the VPS terminal opens.
If Access denied appears, check the username and password, and make sure password-based login is allowed on the server.
For regular use, it is safer to use an SSH key instead of a password.
Connecting using a private key
PuTTY traditionally uses private keys in .ppk format. If the key has already been created in OpenSSH format, you can import it with PuTTYgen and save it as a .ppk file.
To do this:
- Open PuTTYgen.
- Click Load.
- Select the existing private key.
- Enter the passphrase if required.
- Click Save private key.
After that, in PuTTY, go to: Connection → SSH → Auth → Credentials
In the Private key file for authentication field, select the saved .ppk file.
Next, return to the Session section, enter the IP address and port, and then click Open.
As with ssh-agent, you can use pageant, a utility included with PuTTY, to log in without specifying a key: start it and add the key to it. After that, you do not need to specify the key in PuTTY or plink (the included console utility).
If the public part of the key has not yet been added to the server, PuTTY will not be able to log in. It must be located in the file: ~/.ssh/authorized_keys
You must not send the private key to the provider or upload it to the VPS. Only the public key is added to the server.
Newer versions of PuTTY have improved support for OpenSSH formats, but .ppk remains the most predictable option for compatibility.
Configuring the user, port, and saved session
To avoid entering the parameters each time you launch the client, you can save the connection as a separate session.
First, specify the following in the Session section:
- IP address or domain name;
- SSH port;
- SSH connection type.
The username can be saved in: Connection → Data
In the Auto-login username field, specify the required account, for example: ubuntu
The private key is specified in: Connection → SSH → Auth → Credentials
After configuring the settings, return to Session, enter a descriptive name in the Saved Sessions field, and click Save.
For example: production-vps
Later, simply select the saved session and click Load, then Open.
Before saving, check four parameters:
| Parameter | What should be specified |
| Host Name | Public IP address or VPS domain |
| Port | 22 or the configured SSH port |
| Auto-login username | The actual server user |
| Private key | The required .ppk file |
If the session fails to connect, it is better to load it, recheck each parameter, and only then change the firewall or SSH server settings.
After PuTTY, you can move on to connecting from Terminal on macOS, which uses the same ssh command as Linux.
Connecting via Terminal on macOS

Logging in with a password
On macOS, the SSH client is already built into the Terminal application. You can open it via Spotlight or from Applications → Utilities.
The following command is used to connect: ssh user@SERVER_IP
For example: ssh [email protected]
On the first connection, Terminal will display the server fingerprint and ask you to confirm the connection. After verifying it, enter: yes
You will then be prompted for a password. Characters are not displayed as you type; this is normal terminal behavior.
If the credentials are correct, the VPS command prompt will open. A password is acceptable for the first login, but regular access should be switched to an SSH key.
SSH key login
If you do not have a key yet, you can create one directly in Terminal: ssh-keygen -t ed25519
By default, the private key is saved in the file: ~/.ssh/id_ed25519
The public part is in the file: ~/.ssh/id_ed25519.pub
The private key remains on the Mac, and the contents of the .pub file are added to the server at: ~/.ssh/authorized_keys
After that, the connection is usually made using the standard command: ssh user@SERVER_IP
If you need to explicitly specify a particular private key, use the -i option: ssh -i ~/.ssh/id_ed25519 user@SERVER_IP
For a custom file name, the command may look like this: ssh -i ~/.ssh/production_key user@SERVER_IP
If the private key is protected by a passphrase, Terminal will prompt you for it when you connect. This is the passphrase for the key file, not the password for the server account.
After a successful login, it is a good idea to test the connection again in a new Terminal window. Only then should you disable password authentication on the VPS.
Connecting Through a Non-Default Port
If SSH is not running on port 22, the port number is specified with the -p option: ssh -p 2222 user@SERVER_IP
When connecting with a private key, the parameters are combined: ssh -p 2222 -i ~/.ssh/id_ed25519 user@SERVER_IP
If the port is specified incorrectly, the connection usually fails with a Connection timed out or Connection refused error.
The port number must match the SSH server configuration and firewall rules. For the first connection, it is best to use the full command and then save the parameters in ~/.ssh/config so you do not have to enter them manually each time.
Connecting via the terminal in Linux

Logging in with a password
In most Linux distributions, the SSH client is already installed. To connect, open Terminal and run the command: ssh user@SERVER_IP
For example: ssh [email protected]
On the first connection, the server fingerprint will appear. After verifying it, confirm it by entering: yes
The system will then prompt you for the password. Characters are not displayed as you type; this is normal terminal behavior.
If the ssh command is not found, the client can be installed via the package manager. For Ubuntu and Debian: sudo apt install openssh-client
After a successful login, the command prompt of the remote VPS will open.
Logging in with an SSH key
If the SSH key has not been created yet, you can generate it with the command: ssh-keygen -t ed25519
By default, the private key is saved in the file: ~/.ssh/id_ed25519
The public part is in: ~/.ssh/id_ed25519.pub
The easiest way to copy the public key to the server is: ssh-copy-id user@SERVER_IP
After that, the standard command is usually sufficient to connect: ssh user@SERVER_IP
Important note: to connect without specifying the key explicitly, you also need to use ssh-agent. On Linux, it is running by default.
If you need to use a specific private key, specify it with -i: ssh -i ~/.ssh/id_ed25519 user@SERVER_IP
You can protect the private key by setting a passphrase. In this case, when you connect, SSH will prompt for the passphrase rather than the password for the VPS account.
If the client reports overly permissive permissions on the private key, restrict them: chmod 600 ~/.ssh/id_ed25519
For the .ssh directory, the following permissions are typically used: chmod 700 ~/.ssh
After successfully logging in with the key, you should test the connection again in a new Terminal window. Only after that should you disable password authentication on the server.
Checking and Saving Settings in SSH Config
To avoid specifying the IP address, user, port, and path to the key each time you connect, you can save the parameters in the file: ~/.ssh/config
If the file does not exist yet, you can create it with the command: nano ~/.ssh/config
Example configuration:
Host production
HostName 203.0.113.10
User ubuntu
Port 2222
IdentityFile ~/.ssh/id_ed25519
After saving, it is best to restrict the file permissions: chmod 600 ~/.ssh/config
Now you can use the shorter version instead of the full command: ssh production
The following command lets you check which SSH parameters will be applied to a specific host: ssh -G production
If the connection is not working, it is helpful to run the client in verbose mode: ssh -v production
For even more detailed output, use -vv or -vvv. The log will show which user was selected, which key is being used, which IP address and port it connects to, and at which stage the error occurs.
SSH config is especially useful when working with multiple VPS instances. You can assign a short name to each server and store its settings separately, without copying long commands from notes.
Example Connection Commands

Using a password
To connect using a password, use the basic command: ssh user@SERVER_IP
For example: ssh [email protected]
After the connection is established, SSH prompts for the user’s password. Characters are not displayed as you type.
The command itself does not include the password: passing it directly in the connection string is unnecessary and insecure.
Using an SSH key
If the private key is stored in the default path and is associated with the required user, the standard command is sufficient: ssh user@SERVER_IP
To explicitly specify the key file, use the -i option: ssh -i ~/.ssh/id_ed25519 user@SERVER_IP
Example for Windows: ssh -i C:\Users\User\.ssh\id_ed25519 [email protected]
The corresponding public key must be present on the server in the ~/.ssh/authorized_keys file.
Specifying a port
If SSH uses a non-standard port, specify it with lowercase -p: ssh -p 2222 user@SERVER_IP
For example: ssh -p 2222 [email protected]
If no port is specified, the client attempts to connect to the default port, 22.
If the port number is incorrect, the connection usually fails with a Connection timed out or Connection refused message before the password or key is checked.
Specifying a user and private key
The full command can include the user, IP address, port, and path to the key at the same time: ssh -p 2222 -i ~/.ssh/production_key [email protected]
Here:
- ssh — starts the SSH client;
- -p 2222 — specifies the server port;
- -i ~/.ssh/production_key — specifies the private key;
- ubuntu — the username;
- 203.0.113.10 — the public IP address of the VPS.
In Windows, the equivalent command is as follows: ssh -p 2222 -i C:\Users\User\.ssh\production_key [email protected]
If the path contains spaces, it must be enclosed in quotes: ssh -p 2222 -i "C:\Users\User Name.ssh\production key" [email protected]
For regular connections, it is more convenient to save all these parameters in the SSH config. However, when troubleshooting, the full command is more useful: it lets you explicitly verify the user, IP address, port, and specified key.
Next, we will go through common connection errors.
Common SSH Connection Errors

Permission denied
The Permission denied error means that the server is reachable, but it did not accept the selected authentication method.
The cause is most often one of the following:
- An incorrect username was specified;
- An incorrect password was entered;
- The wrong private key was selected;
- The public key has not been added to authorized_keys;
- Password authentication is disabled on the server;
- Root login is prohibited;
- Permissions for the .ssh directory or key files are configured incorrectly.
For diagnostics, it is useful to start the connection in verbose mode: ssh -v user@SERVER_IP
If a specific key is used: ssh -v -i ~/.ssh/id_ed25519 user@SERVER_IP
The output will show which key the client offers and at which stage the server rejects the login attempt.
Connection timed out
The Connection timed out error means that the client did not receive a response from the specified address and port within the allotted time.
Possible causes:
- The VPS is powered off or rebooting;
- The IP address is incorrect;
- The wrong SSH port is specified;
- The port is closed by a firewall;
- Access is blocked by a security group or the provider’s network firewall;
- The server is temporarily unreachable over the network.
First, verify the IP address and port in the provider’s control panel. Then check whether the server responds and whether the required port is accessible from the external network.
If you have access to the VPS web console, check the SSH status and listening ports on the server:
sudo systemctl status ssh
sudo ss -ltnp
If SSH is running but the connection still hangs, the likely cause is a firewall or the provider’s network rules.
Connection refused
The Connection refused error means that the server responded, but no service is accepting SSH connections on the specified port, or the connection is being actively rejected.
This usually happens when:
- the SSH service is stopped;
- the wrong port is selected;
- SSH is listening only on the local interface;
- the OpenSSH configuration contains an error;
- the firewall is configured to actively reject connections.
Check the service via the provider console: sudo systemctl status ssh
If necessary, it can be started: sudo systemctl start ssh
Next, check which port the server is listening on: sudo ss -ltnp | grep ssh
If the service does not start after a configuration change, it is useful to check its syntax: sudo sshd -t
Incorrect port specified
The default SSH port is 22, but the administrator or provider may use a different value.
For a non-standard port, the command is as follows: ssh -p 2222 user@SERVER_IP
A common mistake is connecting without the -p option even though SSH has already been changed to a different port. As a result, the client tries to connect to port 22 and receives Connection timed out or Connection refused.
Check the port in three places:
- In the connection command;
- In the SSH server configuration;
- In the firewall or security group rules.
When changing the port, add the new firewall rule before restarting SSH. Otherwise, the server may become inaccessible externally.
Incorrect username specified
Even if the IP address, port, and key are correct, the server will not allow a user who does not exist or who has not been assigned this key to log in.
Typical usernames depend on the VPS image:
- root;
- ubuntu;
- debian;
- admin;
- the user created when the server was ordered.
For example, the key may be added for ubuntu, while the connection is made as root: ssh root@SERVER_IP
In this case, you need to use the correct user account: ssh ubuntu@SERVER_IP
Check the username in the provider’s control panel, in the email containing the access details, or in the documentation for the selected image.
Incorrect SSH key permissions
OpenSSH will not use a private key if the file is accessible to other users. On Linux and macOS, this produces a warning such as UNPROTECTED PRIVATE KEY FILE or Bad permissions.
Permissions are usually set for the private key: chmod 600 ~/.ssh/id_ed25519
For the .ssh directory: chmod 700 ~/.ssh
On the server, check the permissions for the directory and the file containing the public keys:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
It is also important that the files are owned by the correct user: chown -R user ~/.ssh
On Windows, the issue is usually not related to chmod, but to other user accounts having access to the file. In this case, check the file permissions in its properties or use a key from the user’s default .ssh directory.
A firewall is blocking the connection
SSH may be running and configured correctly, but the firewall is not allowing connections to the required port.
For UFW, the status is checked with the command: sudo ufw status verbose
If SSH is running on the standard port, you can allow it as follows: sudo ufw allow OpenSSH
For a non-standard port: sudo ufw allow 2222/tcp
Do not remove the old allow rule until you have verified the connection through the new port in a separate session.
In addition to UFW, access may be blocked by the provider’s external firewall, a security group, or an ACL. The control panel should have an inbound rule for the SSH TCP port, preferably restricted to a trusted IP address.
If SSH access is already unavailable, you will need to fix the rules through the provider’s web console, VNC, or rescue mode. After restoring the connection, check the IP address, username, port, key, and firewall again one by one instead of changing all parameters at once.
Checklist Before Retrying the Connection

If the SSH connection is not working, check the following in order:
- The VPS is powered on and accessible in the provider’s control panel;
- The correct public IP address is being used;
- The correct username is specified;
- The correct SSH port is selected;
- The SSH service is running on the server;
- The required port is allowed in UFW and in the provider’s firewall;
- The correct private key is selected;
- The public key has been added for the correct user;
- The permissions on .ssh, authorized_keys, and the private key are correct;
- The saved fingerprint matches the current server.
For detailed diagnostics, start the connection with the -v option: ssh -v -p 2222 -i ~/.ssh/id_ed25519 user@SERVER_IP
It is best to check the parameters one at a time. If you change the port, user, key, and firewall settings all at once, it will be harder to identify the actual cause of the error.
Conclusion

To connect to a VPS over SSH, you need the IP address, username, port, and authentication method. Windows Terminal, PowerShell, macOS Terminal, and Linux Terminal use essentially the same ssh command. PuTTY provides the same capabilities through a graphical interface.
A password is suitable for the initial login, but for ongoing administration, using an SSH key is more secure. The private key must remain on the user’s computer, and only its public key is added to the server.
When connecting for the first time, it is important to verify the fingerprint. It confirms that the client is connecting to the correct server. An unexpected change in the fingerprint should not be ignored without checking the cause.
Most issues can also be identified from the error message. Permission denied is usually related to the username, password, or key. Connection timed out indicates that the address or port is unreachable, or that access is being blocked by a firewall. Connection refused usually means that no SSH service is running on the selected port.
If you cannot connect, check the IP address, user, port, key, SSH status, and network rules in sequence. This approach usually helps identify the cause without making random changes to a working server configuration.
FAQ
Can I connect to a VPS without an SSH key?
Yes, if password authentication is enabled on the server. In that case, you only need to specify the user and IP address: ssh user@SERVER_IP
After the connection is established, SSH will prompt for the account password. This option is acceptable for the first login, but for ongoing use it is safer to configure an SSH key and then disable password-based authentication.
Where can I find the username for a VPS?
The username is usually included in the email sent after the VPS is created, in the control panel, or in the documentation for the selected image.
The most common usernames are root, ubuntu, debian, or admin. If you specify a user that does not exist, or an account that does not have the required key assigned to it, the server will return a Permission denied error.
What should you do if the fingerprint has changed?
First, determine the cause. The fingerprint normally changes after reinstalling a VPS, regenerating the server’s SSH keys, or moving the IP address to another virtual machine.
If none of these changes were made, do not ignore the warning: it may indicate that you are connecting to a different server or that the connection has been intercepted.
After verification, the new fingerprint should be checked through the provider’s control panel or console. The old entry for a specific IP can be removed with the command: ssh-keygen -R SERVER_IP
Then, the next time you connect, SSH will prompt you to save the new server key.
How do I check whether the SSH port is open?
You can test the connection from another computer using the command: ssh -v -p 2222 user@SERVER_IP
TCP port checking is also available in Windows PowerShell: Test-NetConnection SERVER_IP -Port 2222
On the VPS itself, the list of listening ports is displayed as follows: sudo ss -ltnp
UFW rules are checked with the command: sudo ufw status verbose
If SSH is listening on the expected port but external connections fail, check the operating system firewall, the security group, and the network rules in the provider’s control panel.
Sources
1. Ubuntu Server Documentation — OpenSSH server
