How to Enable SSH on a VPS and Connect with PuTTY: Complete Guide for All Linux and BSD Families

When you first receive a VPS, the only access you have is through the NoVNC or Serial console inside the ServerSpan control panel. SSH is not always active out of the box, and on most modern OS images root login with a password is explicitly disabled by default. This guide walks you through every step — from the console to your first working SSH session — for every major Linux and BSD distribution, so you can connect from PuTTY, Windows Terminal, or any other SSH client without opening a support ticket.

What SSH Is and Why You Need It

SSH (Secure Shell) is an encrypted network protocol that lets you control your server remotely from any computer in the world. Instead of using the web-based console in the control panel, you open a terminal on your local machine and get instant access to your VPS as if you were sitting in front of it. The NoVNC and Serial console in your ServerSpan panel is your emergency fallback — SSH is how you actually work day to day.

The component that listens for incoming SSH connections on the server side is called OpenSSH Server (the process is called sshd). Your local machine uses an SSH client — PuTTY on Windows, or the built-in ssh command on Linux and macOS — to connect to it. By default, OpenSSH listens on port 22.

Step 1 — Open Your VPS Console

Log into your ServerSpan control panel, navigate to your VPS, and open the Console tab (NoVNC or Serial). You will see a black terminal screen. If it appears blank, press Enter once to get a login prompt. Type root and press Enter, then type your root password. Nothing appears on screen while you type — this is normal Linux and BSD behavior, not a keyboard problem.

If you never set a root password or forgot it, use the Password Reset function in the control panel before continuing. Once logged in, your prompt looks like this:

root@hostname:~#

Every command in this guide is typed here, in this console window. Do not close it until you confirm SSH is working from your own machine.

Step 2 — Find Your OS Family

The package manager, service manager, and some configuration details differ between distributions. If you are not sure which OS is running on your VPS, run this command:

cat /etc/os-release

The NAME and ID_LIKE fields tell you exactly what you are working with. Use the table below to find your section:

Distribution	Family	Package manager	Service name
Debian, Ubuntu, Linux Mint	Debian/Ubuntu	apt	ssh
Rocky Linux, AlmaLinux, CentOS Stream, RHEL, Fedora	RHEL	dnf	sshd
openSUSE Leap, openSUSE Tumbleweed, SLES	SUSE	zypper	sshd
Arch Linux, Manjaro, EndeavourOS	Arch	pacman	sshd
Alpine Linux	Alpine	apk	sshd
FreeBSD, TrueNAS CORE	BSD	pkg	sshd (rc.d)
OpenBSD	BSD	pkg_add	sshd (rc.d)

Step 3 — Install OpenSSH Server

First check whether the SSH server is already installed and running. Run the check that matches your family:

# Debian / Ubuntu
systemctl status ssh

# RHEL / SUSE / Arch
systemctl status sshd

# Alpine Linux
rc-status | grep sshd

# FreeBSD / OpenBSD
service sshd status

If the output says Active: active (running) (Linux) or sshd is running (BSD), skip directly to Step 4. If the service is not found or not running, install it using the instructions for your family below.

Debian and Ubuntu

apt update
apt install openssh-server -y

On Debian and Ubuntu the service name is ssh, not sshd. The package installation starts and enables the service automatically.

Rocky Linux, AlmaLinux, CentOS Stream, RHEL, Fedora

dnf install openssh-server -y
systemctl enable --now sshd

OpenSSH is often pre-installed on RHEL-family images but not always running. The --now flag starts the service immediately and marks it to start on every reboot.

openSUSE Leap and Tumbleweed / SLES

zypper install openssh-server -y
systemctl enable --now sshd

On openSUSE, the sshd configuration file lives at /etc/ssh/sshd_config as on every other Linux family. However, on Tumbleweed a vendor-supplied default exists at /usr/etc/ssh/sshd_config. If /etc/ssh/sshd_config does not exist after installation, copy the vendor default first:

cp /usr/etc/ssh/sshd_config /etc/ssh/sshd_config

From that point on, edit /etc/ssh/sshd_config as described in Step 5.

Arch Linux, Manjaro, EndeavourOS

pacman -Sy openssh
systemctl enable --now sshd

Arch minimal images often ship without OpenSSH. The package is called openssh and installs both the client and the server in one package.

Alpine Linux

apk update
apk add openssh-server
rc-update add sshd
rc-service sshd start

Alpine uses OpenRC rather than systemd, so systemctl does not exist here. The rc-update add sshd command marks the service to start at boot; rc-service sshd start starts it immediately in the current session.

FreeBSD

OpenSSH comes pre-installed on FreeBSD. You only need to enable the service. The clean way to do it is with sysrc, which writes directly to /etc/rc.conf with correct syntax:

sysrc sshd_enable="YES"
service sshd start

If you prefer to do it manually, open /etc/rc.conf in the ee editor (which is always available on FreeBSD, unlike nano or vim on fresh installs) and add this line:

sshd_enable="YES"

Then start the service:

/etc/rc.d/sshd start

OpenBSD

OpenSSH was created by the OpenBSD project and is built into the base system. No installation is needed. Enable and start it:

rcctl enable sshd
rcctl start sshd

LXC containers without systemd

If you are on an LXC container and systemctl returns "Failed to connect to bus: No such file or directory", the container was initialized without systemd. Use the legacy service command instead:

service ssh start      # Debian / Ubuntu on LXC
service sshd start     # RHEL, SUSE, Arch on LXC

Step 4 — Set a Root Password

On cloud and VPS images the root account often has no password or is locked by default. Run this command to set one:

passwd root

You will be prompted to type a new password twice. Nothing appears on screen as you type. Choose something strong — at least 12 characters with a mix of uppercase, lowercase, numbers, and symbols. A confirmation message reading passwd: password updated successfully (or password changed on BSD) confirms it worked.

Step 5 — Allow Root Login with Password in sshd_config

This is the step most guides handle poorly, and it is the primary reason SSH is installed and running but still refuses your connection. Modern distributions either block root login entirely or allow it only with SSH key pairs, not passwords. You need to change two directives in the SSH daemon configuration file.

On every Linux distribution, the main configuration file is:

/etc/ssh/sshd_config

On FreeBSD and OpenBSD the path is identical: /etc/ssh/sshd_config.

Open the file. Use nano if available, ee on FreeBSD, or vi on Alpine and OpenBSD:

nano /etc/ssh/sshd_config    # Debian, Ubuntu, Rocky, SUSE, Arch
ee /etc/ssh/sshd_config      # FreeBSD (ee is always present)
vi /etc/ssh/sshd_config      # Alpine, OpenBSD, or any system without nano

Search for the line containing PermitRootLogin. On different distributions it looks like one of these:

#PermitRootLogin prohibit-password
PermitRootLogin prohibit-password
PermitRootLogin no
#PermitRootLogin yes

Change it — or add it if it is missing — so it reads exactly:

PermitRootLogin yes

Remove the # at the beginning if there is one. Lines starting with # are comments and have no effect regardless of what they say.

Now find the line containing PasswordAuthentication and make it read:

PasswordAuthentication yes

Save the file. In nano: Ctrl+X, then Y, then Enter. In ee: Esc, then choose a) leave editor, saving changes. In vi: press Esc, type :wq, press Enter.

Ubuntu 22.04 and Ubuntu 24.04 — the override directory

Ubuntu 22.04 and newer ship with a configuration override directory at /etc/ssh/sshd_config.d/. Files in this directory take priority over the main sshd_config, meaning your changes above can be silently ignored if a conflicting setting exists in a drop-in file. Check what is there:

ls /etc/ssh/sshd_config.d/

You will often see 50-cloud-init.conf. Open it:

nano /etc/ssh/sshd_config.d/50-cloud-init.conf

If it contains PasswordAuthentication no, change it to PasswordAuthentication yes and save. This override directory is the single most common reason password authentication appears to do nothing on Ubuntu even after editing the main config file correctly.

openSUSE — the vendor config fallback

On Tumbleweed, if you skipped the copy step in Step 3 and /etc/ssh/sshd_config does not exist, the daemon reads from /usr/etc/ssh/sshd_config. Never edit the file under /usr/etc/ — it gets overwritten by package updates. Copy it first as described in Step 3, then edit the copy under /etc/ssh/.

Step 6 — Restart the SSH Service

Changes to sshd_config take effect only after the daemon is restarted. Use the command that matches your system:

# Debian / Ubuntu
systemctl restart ssh

# Rocky Linux, AlmaLinux, CentOS, RHEL, Fedora, SUSE, Arch
systemctl restart sshd

# Alpine Linux
rc-service sshd restart

# FreeBSD
service sshd restart

# OpenBSD
rcctl restart sshd

# LXC containers without systemd (Debian/Ubuntu)
service ssh restart

# LXC containers without systemd (RHEL/SUSE/Arch)
service sshd restart

After restarting, verify the service came back up cleanly:

# Linux with systemd
systemctl status ssh      # or sshd

# Alpine
rc-service sshd status

# FreeBSD / OpenBSD
service sshd status

The status should show the service as running. If it shows a failure, the most common cause is a syntax error in sshd_config. Test the configuration file before restarting to catch errors:

sshd -t

If this command returns nothing, the syntax is valid. If it prints an error, it will tell you exactly which line in the file is wrong.

Step 7 — Find Your VPS IP Address

Your VPS IP address is shown in the ServerSpan control panel on the VPS overview page. You can also retrieve it directly from the console:

# Linux
ip a

# FreeBSD / OpenBSD
ifconfig

Look for an address that is not 127.0.0.1 (loopback) and not a 10.x.x.x or 172.x.x.x private range address unless your VPS is on a private network with NAT. Your public IPv4 address will typically look like 185.x.x.x or 45.x.x.x depending on the datacenter location.

Step 8 — Connect from Windows Using PuTTY

PuTTY is a free SSH client for Windows. Download it from the official site at putty.org and install it. Open PuTTY and fill in the configuration window:

• In the Host Name (or IP address) field, type your VPS IP address
• Confirm Port is set to 22
• Confirm Connection type is set to SSH
• Click Open

On the first connection to a new server, PuTTY shows a security alert: "The host key is not cached for this server." This is expected and safe on a server you just set up. Click Accept. PuTTY stores the server's fingerprint so it can warn you if it changes in the future.

A terminal window opens with the prompt login as:. Type root and press Enter. Type your root password and press Enter. The password does not appear on screen as you type — this is intentional, not a malfunction. If the credentials are correct, you land at:

root@hostname:~#

You are in. You can now close the NoVNC console and work entirely through PuTTY.

Step 9 — Connect from Linux or macOS

Open a terminal and type:

ssh root@YOUR_VPS_IP

On the first connection you will see a fingerprint warning. Type yes and press Enter to accept it. Enter your root password when prompted. Nothing appears on screen as you type.

Common Problems and How to Fix Them

Connection refused on port 22

The SSH service is not running or a firewall is blocking the port. Return to the NoVNC console and check the service status, then check whether a host firewall is active. On Debian/Ubuntu with UFW:

ufw allow 22/tcp && ufw reload

On Rocky Linux / AlmaLinux / RHEL with firewalld:

firewall-cmd --permanent --add-service=ssh && firewall-cmd --reload

On openSUSE with firewalld:

firewall-cmd --permanent --add-service=ssh && firewall-cmd --reload

On Arch Linux, no firewall is active by default, so a refused connection typically means the service is not running.

On FreeBSD, if pf is enabled, add a pass rule for port 22 to /etc/pf.conf and run pfctl -f /etc/pf.conf. On OpenBSD, pf is active by default — edit /etc/pf.conf and add:

pass in on egress proto tcp from any to any port 22

Then reload: pfctl -f /etc/pf.conf.

Permission denied, please try again

SSH is running but your credentials are rejected. The three most common causes: wrong password, PermitRootLogin is still not set to yes, or PasswordAuthentication is still no in an override file. Go back to Step 5, verify the main config and any drop-in files under /etc/ssh/sshd_config.d/ (on Ubuntu), and restart the service again after any change. Confirm the active configuration without restarting with:

sshd -T | grep -E "permitrootlogin|passwordauthentication"

This prints what the daemon is actually using at runtime. If either line still shows a restrictive value, the override has not been applied yet.

Nothing happens when I type my password

This is normal behavior. Linux and BSD terminals do not echo passwords — no characters, no asterisks, nothing. Type your password and press Enter. If it fails you can try again. After several consecutive failures the server may temporarily block your IP address. Wait two minutes before retrying.

WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED

This appears when you rebuilt or reinstalled the OS on your VPS and try to reconnect from a machine that has the old host key cached. Since you performed the rebuild yourself it is safe to remove the old entry. On Linux and macOS:

ssh-keygen -R YOUR_VPS_IP

In PuTTY on Windows, go to Registry Editor → HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys and delete the entry for your IP address, then reconnect and accept the new fingerprint.

SSH starts but crashes immediately on Alpine or minimal containers

The SSH daemon needs host keys to be generated before it can start. If you installed OpenSSH on a stripped-down container image, generate the host keys manually:

ssh-keygen -A

Then start the service again.

What to Do Next

Root login with a password is the fastest way to get started, but once you are comfortable with the server you should make two improvements: switch to SSH key-based authentication and disable password login entirely, then move SSH off the default port 22. Both steps eliminate the vast majority of automated brute-force attempts that every internet-facing server receives within minutes of being provisioned. Our practical VPS security guide covering 15 essential hardening steps walks through both in detail, along with fail2ban, unattended upgrades, and firewall rules.

If this is your first VPS and you are not yet sure what to do with it beyond getting SSH working, the complete Linux VPS setup guide for beginners covers hostname and timezone configuration, user management, installing a web server, and setting up basic monitoring. For hands-on help with any configuration step, the ServerSpan managed Linux administration service is available for direct technical assistance.

All ServerSpan VPS plans — KVM and LXC — come with full root access and NoVNC/Serial console available from day one. If SSH still does not work after following this guide, open a support ticket and include the exact error message shown in PuTTY or your terminal. "I can't SSH in" takes significantly longer to diagnose than "I see Permission denied (publickey,gssapi-keyex,gssapi-with-mic)" or "Connection refused on port 22." The error message tells us exactly where in the chain the problem is.