$ sshd -t
Unable to load host key: /etc/ssh/ssh_host_rsa_key
Unable to load host key: /etc/ssh/ssh_host_ecdsa_key
Unable to load host key: /etc/ssh/ssh_host_ed25519_key
sshd: no hostkeys available -- exiting.
But:
$ ls -la
total 624
drwxr-xr-x 4 root root 4096 Jan 2 13:06 .
drwxr-xr-x 132 root root 12288 Jan 2 12:50 ..
-rw-r--r-- 1 root root 581349 Oct 25 10:36 moduli
-rw-r--r-- 1 root root 1558 Jan 2 12:51 ssh_config
drwxr-xr-x 2 root root 4096 Dec 23 11:17 ssh_config.d
-rw-r--r-- 1 root root 3340 Jan 2 13:06 sshd_config
drwxr-xr-x 2 root root 4096 Jan 2 12:15 sshd_config.d
-rw------- 1 root root 505 Jun 5 2025 ssh_host_ecdsa_key
-rw-r--r-- 1 root root 178 Jun 5 2025 ssh_host_ecdsa_key.pub
-rw------- 1 root root 411 Jun 5 2025 ssh_host_ed25519_key
-rw-r--r-- 1 root root 98 Jun 5 2025 ssh_host_ed25519_key.pub
-rw------- 1 root root 2602 Jun 5 2025 ssh_host_rsa_key
-rw-r--r-- 1 root root 570 Jun 5 2025 ssh_host_rsa_key.pub
It appears the keys are present and have the correct permissions. A systemctl status sshd confirms that the OpenSSH Daemon has started and is listening on the proper port.
The funny thing is I can connect to the server from the Intranet but not WAN.
Things I’ve tried:
configured router to forward all traffic for my ssh port to my server
set up dyndns with dynu
configured router to connect to dynu
adjusted port settings in /etc/ssh/ssh_config and /etc/ssh/sshd_config
opened the port on ufw
ssh-keygen -A
checked that the ssh port on the server is open and listening
Oh, and finally:
$ sudo /usr/sbin/sshd -d
debug1: sshd version OpenSSH_10.2, OpenSSL 3.6.0 1 Oct 2025
debug1: private host key #0: ssh-rsa SHA256:Hgm7ZMNxiMrWL5cU5YKXxo6pSW5yOCKnVoiEX6q5EqQ
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:0VOyCMfZMaWkiZ5IasWYYWV2211YmSSR5mxzMYiSt3w
debug1: private host key #2: ssh-ed25519 SHA256:mb4hsAPvItXRGGUUqf44jPXhlKCNJ3JWqUzVtVndAMg
debug1: rexec_argv[1]='-d'
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 2222 on 0.0.0.0.
Bind to port 2222 on 0.0.0.0 failed: Address already in use.
debug1: Bind to port 2222 on ::.
Bind to port 2222 on :: failed: Address already in use.
Cannot bind any address.
Can’t make heads or tails of it and would be very grateful for any hints.
The $ indicates you are trying to start sshd as your normal user. Your user has no read permission for the private keys as seen in your ls output. Do not change it! And do not run sshd as your normal user!
If you want to start sshd, use the systemd service.
I am not really SSH competent, but on first glance, the question is with what permissions sshd is running. Maybe not as root. You kind of tested this hypothesis yourself: it did not find the keys without sudo, but found them with sudo. So it looks like a permission issue.
For the IP I have no idea, besides running netstat, for example, to see if there is something on that port. Maybe you are already running a daemon instance there (the unprivileged one?).
Could you explain your setup? From what I can tell, you want to expose an SSH server on the internet.
I suppose you followed a guide or some such?
What kind of funny thing do you experience when connecting to the WAN, and from where do you connect? This can matter depending on the type of router, DNS, etc.
Not being able to bind would be the correct response if the service was running while starting it manually again.
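An added example, not code from the thread: a script that runs the checks the three replies above ask for, in order and as root, without changing any permissions. It assumes a systemd unit called sshd, GNU stat and iproute2 ss (as on Manjaro/Arch), port 2222 from the OP's sshd -d output, and private host keys at mode 600 with public keys at 644, which is what the OP's ls shows. The script name sshd-check.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Runs the checks the replies above
# suggest, as root, without touching any permissions.
# Assumptions: systemd unit "sshd", GNU stat (-c), iproute2 ss, private keys
# mode 600 and public keys 644 (as in the OP's ls output), port 2222.

SSH_PORT="${SSH_PORT:-2222}"   # the port shown in the OP's sshd -d output
KEY_DIR="${KEY_DIR:-/etc/ssh}"

# key_mode_ok FILE [MODE]: true if FILE's octal mode equals MODE (default 600).
# A missing or unreadable file counts as a failure, which is what
# "Unable to load host key" would mean if it happened as root.
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "${2:-600}" ]
}

# port_listener PORT: prints the process bound to PORT, if any. A manual
# "sshd -d" failing with "Address already in use" while this prints an sshd
# line is the normal case: the service is already running.
port_listener() {
    ss -H -tlnp "sport = :$1"
}

main() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root: the private host keys are 0600 root-only," \
             "so an unprivileged 'sshd -t' cannot read them" >&2
        return 1
    fi
    for k in rsa ecdsa ed25519; do
        key_mode_ok "$KEY_DIR/ssh_host_${k}_key" \
            || echo "unexpected mode on ssh_host_${k}_key (want 600)"
        key_mode_ok "$KEY_DIR/ssh_host_${k}_key.pub" 644 \
            || echo "unexpected mode on ssh_host_${k}_key.pub (want 644)"
    done
    /usr/sbin/sshd -t && echo "sshd config syntax OK"
    echo "service: $(systemctl is-active sshd)"
    echo "listener on :$SSH_PORT:"
    port_listener "$SSH_PORT"
}

case "${1-}" in
    check) main ;;
    *) echo "usage: $0 check   (run with sudo)" >&2 ;;
esac
```

Run it as sudo ./sshd-check.sh check. If the listener line names sshd with the service active, the "Cannot bind any address" from the manual start is expected and the WAN problem lies outside the daemon (router forward, ufw, or the ISP side).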
As soon as your SSH connection is accessible from the internet, you can expect numerous attempts from all sorts of users to break into your system.
And it doesn’t matter which port you’re using for SSH. They’ll find you. I can say that from personal experience. And it might not even take an hour before the first attacks begin.
So be prepared, and harden your SSH connection properly.
That’s why SSH is meticulous when it comes to file permissions. If they aren’t exactly correct, SSH refuses to work (for good reason).
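An added example, not from the thread or the OpenSSH project, of what "harden your SSH connection properly" looks like in practice: a drop-in for /etc/ssh/sshd_config.d (present in the OP's listing; on Arch the main sshd_config includes that directory before its own settings, and sshd honours the first value it sees for a keyword), plus a small audit that flags the settings a brute-forcer cares about. It assumes OpenSSH 9+ keyword names; the user name alice and the file name harden.sh are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or OpenSSH. Part 1 is a hardening
# drop-in, part 2 audits a config file for the settings that matter once
# the port faces the WAN. Assumptions: OpenSSH 9+ keyword names, a drop-in
# directory that is included before sshd_config's own lines (Arch default),
# and "alice" as a placeholder for the real login user.

# Put a key in ~alice/.ssh/authorized_keys and test it from a second session
# BEFORE installing this: "PasswordAuthentication no" otherwise locks you out.
HARDENED_CONF='# 10-hardening.conf (added example)
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
MaxAuthTries 3
LoginGraceTime 20
AllowUsers alice
X11Forwarding no'

# conf_value FILE KEYWORD DEFAULT: the value sshd would take from FILE.
# Keywords are case-insensitive and the first occurrence wins; comments and
# blank lines are skipped. Assumes the usual "Keyword value" form (not
# "Keyword=value"); Include lines and Match blocks are not interpreted.
conf_value() {
    v=$(awk -v k="$(printf %s "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == k { print tolower($2); exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# audit_sshd_config FILE: prints one WEAK line per risky setting and returns
# 1 if any were found, 0 if the file is clean. Defaults are OpenSSH's own.
audit_sshd_config() {
    f=$1; bad=0
    case $(conf_value "$f" PermitRootLogin prohibit-password) in
        no|prohibit-password) ;;
        *) echo "WEAK: PermitRootLogin permits root password login"; bad=1 ;;
    esac
    [ "$(conf_value "$f" PasswordAuthentication yes)" = no ] \
        || { echo "WEAK: PasswordAuthentication is on (brute-force target)"; bad=1; }
    [ "$(conf_value "$f" KbdInteractiveAuthentication yes)" = no ] \
        || { echo "WEAK: KbdInteractiveAuthentication is on (PAM password prompt)"; bad=1; }
    [ "$(conf_value "$f" PubkeyAuthentication yes)" = yes ] \
        || { echo "WEAK: PubkeyAuthentication is off"; bad=1; }
    [ "$(conf_value "$f" MaxAuthTries 6)" -le 3 ] \
        || { echo "WEAK: MaxAuthTries above 3"; bad=1; }
    return $bad
}

# install_hardening: write the drop-in, syntax-check it, then reload. Root only.
install_hardening() {
    printf '%s\n' "$HARDENED_CONF" > /etc/ssh/sshd_config.d/10-hardening.conf \
        && sshd -t && systemctl reload sshd
}

case "${1-}" in
    audit)   audit_sshd_config "${2:-/etc/ssh/sshd_config}" ;;
    install) install_hardening ;;
    *) echo "usage: $0 audit [FILE] | install" >&2 ;;
esac
```

The audit reads one file, so the useful way to run it on the live host is against the merged, effective configuration: sudo sshd -T > /tmp/effective.conf && ./harden.sh audit /tmp/effective.conf. sshd -T prints lowercase "keyword value" lines with all drop-ins applied, which is exactly the form conf_value parses.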
No, I didn’t follow any instructions, seeing that it is simply a case of getting a dyndns service set up, opening a port on the router and enabling the ssh daemon. How wrong I was.
And @Hanzel, my understanding of keys is virtually non-existent. I don’t understand your query regarding root vs personal keys. Embarrassing but true …
Yes, the SSH server (sshd) is running on port 2222; you have edited the port setting (original post step 4), so that was successful.
When connecting your (Arch) system to the internet, some reading and understanding is probably required to keep control of the system: Security - ArchWiki
I’m not saying that you should not do it, just that there are some risks.
This short video will show the basics on what / how / why, on which you can expand, or come back with further questions. It is specific to your use case and covers key generation and first setup.
It is actually that simple. There is nothing more to do. And since SSH works within your private network, Manjaro is correctly configured.
However, there are some things you can check. First, does your router have a publicly routable IPv4 address? You need to check this in your router; websites like whatismyipaddress.com will not work for this. If not, that’s a real problem. Sometimes you can pay a little (or a lot more) extra to your ISP and you get one. I have also seen a router with a public IPv4 address where the ISP did not allow incoming connections from the public internet.
If your router has a publicly routable IPv4 address, check your DynDNS. Query the DNS server directly. Maybe do it on your smartphone; there are apps for that. Also check whether you set up IPv4 and IPv6. You might want to disable IPv6 if IPv4 works, because by default IPv6 is always picked first.
If you don’t have a publicly routable IPv4 address, you need to use IPv6. Disable IPv4 in your DynDNS. Check the manual for your router on how to open ports for IPv6. It sometimes works differently. For example, after opening a port for IPv6, you need to connect to the IPv6 address of your Manjaro system and not to the IPv6 address of your router. Of course, in this case you need to set up DynDNS differently. But this depends on your router manufacturer, model, firmware and also ISP.
These are just some pointers; depending on your setup there might be more to check or do. But only you know these things.
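An added example, not code from the thread, that turns the checks in the reply above into a script: whether the router's WAN address is actually public (not carrier-grade NAT, which no port forward can get through), whether the DynDNS name resolves to that address when a public resolver is asked directly, and whether the port answers from outside. It assumes dig and an OpenBSD-style nc on the machine you test from, which must be outside your LAN (a phone hotspot); the resolver 9.9.9.9, the default port 2222 from the OP, and the file name wan-check.sh are assumptions. The IPv4 and IPv6 classifiers are general, not tied to the OP's addresses.

```shell
#!/bin/sh
# Added example, not from the thread. Automates the WAN checks from the
# reply above. Assumptions: dig (dnsutils) and OpenBSD-style nc on the
# client, which must sit OUTSIDE the LAN; from inside, the router's NAT
# hairpinning (or lack of it) makes the result meaningless.

# is_public_ipv4 A.B.C.D: true if the address is globally routable, false for
# RFC 1918, CGNAT 100.64.0.0/10 (RFC 6598), loopback, link-local, multicast
# and malformed input. A CGNAT address on the router's WAN side means no
# IPv4 port forward can ever reach you; that is the "ask the ISP" case.
is_public_ipv4() {
    ip=$1
    case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac   # digits and dots only
    case $ip in *.*.*.*.*) return 1 ;; esac                   # more than 4 fields
    case $ip in *.*.*.*) ;; *) return 1 ;; esac              # fewer than 4 fields
    a=${ip%%.*}; rest=${ip#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    for o in "$a" "$b" "$c" "$d"; do [ "$o" -le 255 ] 2>/dev/null || return 1; done
    case $a in
        0|10|127) return 1 ;;                                   # this-net, 10/8, loopback
        100) [ "$b" -ge 64 ] && [ "$b" -le 127 ] && return 1 ;; # CGNAT 100.64/10
        169) [ "$b" -eq 254 ] && return 1 ;;                    # link-local
        172) [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 1 ;;  # 172.16/12
        192) [ "$b" -eq 168 ] && return 1 ;;                    # 192.168/16
    esac
    [ "$a" -lt 224 ]                                            # multicast/reserved above
}

# is_global_ipv6 ADDR: true for 2000::/3 (global unicast), false for loopback,
# link-local fe80::/10, ULA fc00::/7, multicast and IPv4-mapped addresses.
# For IPv6 the target is the Manjaro host's own global address, not the router's.
is_global_ipv6() {
    ip=$(printf %s "$1" | tr 'A-F' 'a-f')
    case $ip in
        ::1|::|fe[89ab]?:*|fc??:*|fd??:*|ff??:*|::ffff:*) return 1 ;;
    esac
    case $ip in 2???:*|3???:*) return 0 ;; esac
    return 1
}

# dyndns_matches NAME WAN_IP [RESOLVER]: query a public resolver directly so
# the router's own DNS cache cannot hide a stale DynDNS record.
dyndns_matches() {
    answer=$(dig +short A "$1" "@${3:-9.9.9.9}" | head -n 1)
    [ -n "$answer" ] && [ "$answer" = "$2" ]
}

# port_reachable HOST PORT: TCP connect test with a 5 s timeout, no data sent.
port_reachable() {
    nc -z -w 5 "$1" "$2"
}

main() {
    name=$1; wan=$2; port=${3:-2222}
    if is_public_ipv4 "$wan"; then echo "WAN $wan: public IPv4"
    else echo "WAN $wan: NOT publicly routable (CGNAT/private): use IPv6 or ask the ISP"; fi
    if dyndns_matches "$name" "$wan"; then echo "DynDNS $name -> $wan: OK"
    else echo "DynDNS $name does not resolve to $wan"; fi
    if port_reachable "$name" "$port"; then echo "port $port open from here"
    else echo "port $port unreachable from here: router forward, ufw or ISP block"; fi
}

case "${1-}" in
    check) main "$2" "$3" "${4:-2222}" ;;
    *) echo "usage: $0 check DYNDNS_NAME ROUTER_WAN_IPV4 [PORT]" >&2 ;;
esac
```

Usage from a phone hotspot: ./wan-check.sh check myhost.dynu.example 203.0.113.5 2222, where the second argument is the WAN address copied from the router's status page, not from a "what is my IP" site. The three results separate the failure modes the reply lists: a non-public WAN address is an ISP problem, a DynDNS mismatch is a dynu/router-client problem, and an unreachable port with the first two fine points at the forward or at ufw on the Manjaro host.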
Please don’t add “solved” to the title. The way to mark a solution in Discourse (the forum software) is to click the button under the first post that provided the solution, or the post that helped you the most.
As there doesn’t seem to be a post that mentioned checking that the firewall on your computer is set up properly, I’ll take the liberty of marking your post as the solution (and removing “solved” from the title).