Symptoms

The SSH service fails to start on a VOS node. The following errors are observed:

  • sudo systemctl start ssh returns: Job for ssh.service failed because the control process exited with error code.
  • systemctl status ssh.service shows Active: failed (Result: exit-code)
  • The ExecStartPre step (/usr/sbin/sshd -t) exits with status=255, meaning sshd failed its pre-flight config check before it could even start.
  • VSH restart and node reboot do not resolve the issue.

Root Cause

The sshd -t pre-flight check (run automatically by systemd before starting sshd) failed with exit code 255. This indicates a problem in the SSH daemon configuration — typically one of:

  • A syntax error or invalid directive in /etc/ssh/sshd_config
  • An accidental character (e.g. a stray #, extra space, or typo) introduced into the config
  • A missing or corrupt host key file
  • A host key file with incorrect permissions

Diagnostic Steps

  1. Run the sshd config test directly to get the exact error:

    sudo sshd -t

    This will print the exact line and reason for the failure. Note it down.

  2. Check the systemd journal for additional context:

    sudo journalctl -xe -u ssh.service | tail -30

  3. Compare /etc/ssh/sshd_config with a known-good node at the same site or a similar healthy site. Look for:

    • Stray or misplaced # characters that comment out required directives
    • Typos in directive names or values
    • Any recently added or modified lines
  4. cat /etc/ssh/sshd_config

  5. Verify host key files exist and have correct permissions (must be 600, owned by root):

    ls -la /etc/ssh/ssh_host_*

    Expected output example:

    -rw------- 1 root root  227 Jan  1 00:00 /etc/ssh/ssh_host_ecdsa_key
-rw-r--r-- 1 root root  162 Jan  1 00:00 /etc/ssh/ssh_host_ecdsa_key.pub
-rw------- 1 root root  399 Jan  1 00:00 /etc/ssh/ssh_host_ed25519_key
-rw-r--r-- 1 root root   82 Jan  1 00:00 /etc/ssh/ssh_host_ed25519_key.pub
-rw------- 1 root root 1675 Jan  1 00:00 /etc/ssh/ssh_host_rsa_key
-rw-r--r-- 1 root root  382 Jan  1 00:00 /etc/ssh/ssh_host_rsa_key.pub

    If any private key has permissions other than 600, fix with:

    sudo chmod 600 /etc/ssh/ssh_host_*_key

  6. Check for drop-in config files that may override or conflict:

    ls /etc/ssh/sshd_config.d/

Resolution

  1. Fix the issue identified in the sudo sshd -t output — most commonly a config syntax error. If a line was accidentally modified, restore it from a known-good node's /etc/ssh/sshd_config.

  2. Re-run the config test to confirm it passes cleanly (no output = success):

    sudo sshd -t

  3. Start the SSH service:

    sudo systemctl start ssh
systemctl status ssh.service

  4. Confirm SSH is listening:

    ss -tlnp | grep sshd

Notes

  • This issue does not affect traffic forwarding or VOS data-plane functions, only SSH management access to the node is impacted.
  • If the config file on the affected node looks identical to a healthy node and sshd -t still fails, collect the full journalctl output and open a case with Versa Support.