Troubleshooting SSH Access Issues on Immich Server Installations

Immich is a happy little home for your photos and videos. It runs great on a home server, a VPS, a mini PC, or a dusty old laptop named Server Bob. But when SSH stops working, the fun can vanish fast. You type a command, press Enter, and the server just stares back like a cat that knocked over your coffee.

TLDR: If you cannot SSH into your Immich server, first check the basics. Make sure the server is on, connected to the network, and using the correct IP address. Then check your username, SSH port, firewall, SSH service, keys, and router settings. Most SSH problems are small mistakes wearing a big scary hat.

Start With the Silly Stuff

Yes, we start here. Always. Many SSH issues are not deep Linux mysteries. They are small things.

  • Is the server powered on?
  • Is the network cable plugged in?
  • Is Wi-Fi connected?
  • Did the server get a new IP address?
  • Are you using the right username?

Do not skip this step. It saves time. It saves snacks. It saves sanity.

If your Immich server is in another room, go look at it. Are the lights blinking? Is the fan spinning? Is it making the usual tiny spaceship sounds? If not, fix that first.

Check the IP Address

SSH needs an address. If the address is wrong, SSH is like a pizza driver sent to the moon.

You may be using something like this:

ssh user@192.168.1.50

But your server may now be at:

192.168.1.73

This happens often. Routers hand out IP addresses with DHCP. Sometimes the address changes after a reboot.

To find the new IP, try these options:

  • Open your router admin page.
  • Look for connected devices.
  • Search for the host name of your Immich server.
  • Use a network scanner app.
  • Run ping immich.local if local names work on your network.

If you can access the server directly, run:

ip addr

Look for an address like 192.168.x.x or 10.0.x.x. That is probably your local IP.

Tip: Give your Immich server a reserved IP in your router. This keeps it from wandering off like a toddler in a toy store.

Make Sure SSH Is Installed

On many Linux systems, the SSH server is not installed by default. The server needs the SSH server package. Your laptop or desktop needs an SSH client.

On Ubuntu or Debian, check the server with:

sudo systemctl status ssh

If it says not found, install OpenSSH server:

sudo apt update
sudo apt install openssh-server

Then start it:

sudo systemctl enable ssh
sudo systemctl start ssh

Now check again:

sudo systemctl status ssh

You want to see active. Active is good. Active is the green light. Active means the SSH goblin is awake.

Use the Correct Username

This one gets everyone. You may know the server IP. You may know the password. But if the username is wrong, SSH says no.

Try:

ssh yourusername@serverip

For example:

ssh alex@192.168.1.50

Do not assume the username is admin. Do not assume it is root. Many systems block root login by default. That is normal. It is a safety thing.

If you installed Immich on Ubuntu, the username is often the account you created during install. If you installed on a Raspberry Pi, it might be your custom user. Older guides used pi, but many new installs do not.

Check the SSH Port

By default, SSH uses port 22. But some people change it. This can reduce random login attempts from internet gremlins.

If SSH is on a custom port, you must specify it:

ssh -p 2222 user@192.168.1.50

To check the SSH port on the server, open:

sudo nano /etc/ssh/sshd_config

Look for:

Port 22

If it says another number, use that number. After changing this file, restart SSH:

sudo systemctl restart ssh

Warning: Do not close your current SSH session after changing the port until you test a new login. Keep one door open while you test the other door. Very wise. Very wizard.

Decode Common Error Messages

SSH errors look dramatic. But they usually tell you what is wrong. They are like fortune cookies with attitude.

  • Connection timed out: The server is not reachable. Check IP, network, firewall, and port.
  • Connection refused: The server is reachable, but SSH is not listening on that port.
  • Permission denied: The username, password, or key is wrong.
  • No route to host: Your device cannot find a path to the server.
  • Host key verification failed: Your computer thinks the server identity changed.

Read the error slowly. Do not panic. The message is a clue, not a monster.

Check the Firewall

Your server may be fine. SSH may be fine. But the firewall may be standing at the door with sunglasses and a clipboard.

If you use UFW on Ubuntu, check it:

sudo ufw status

If SSH is not allowed, run:

sudo ufw allow ssh

If you use a custom SSH port, allow that port:

sudo ufw allow 2222/tcp

Then check again:

sudo ufw status

You should see a rule allowing SSH. If you are using a VPS, also check the cloud firewall. Providers often have firewall rules outside the server. These rules can block SSH before traffic reaches Linux.

Check Docker Without Blaming Docker

Immich usually runs in Docker. That is great. Docker makes Immich easier to run and update. But SSH is usually not inside the Immich containers. SSH belongs to the host server.

So if the Immich web app is broken, that does not always mean SSH is broken. And if SSH is broken, that does not always mean Immich is broken.

Think of it like an apartment building:

  • The host server is the building.
  • Docker is the floor plan.
  • Immich is one apartment.
  • SSH is the front door to the building.

If the front door is locked, the apartment may still be fine. You just cannot get inside to check.

Passwords Versus SSH Keys

SSH can use passwords or keys. Keys are better. They are like secret handshakes for computers.

If you use a password, make sure:

  • The password is correct.
  • Caps Lock is off.
  • The user is allowed to log in.
  • Password login is enabled in SSH settings.

Check this file:

sudo nano /etc/ssh/sshd_config

Look for:

PasswordAuthentication yes

If you use SSH keys, check:

  • Your public key is in ~/.ssh/authorized_keys on the server.
  • Your private key is on your client machine.
  • File permissions are correct.
  • You are using the right key.

Good permissions are important. SSH is picky. Very picky. Like a raccoon choosing snacks.

On the server, run:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

On your client, your private key should usually be readable only by you:

chmod 600 ~/.ssh/id_ed25519

Then try:

ssh -i ~/.ssh/id_ed25519 user@192.168.1.50
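
A way to check those permissions before reaching for chmod, as an added example that is not part of the original article. The helper name check_ssh_perms and the demo directory are made up for illustration, and it assumes GNU stat as found on Linux. It flags anything looser than the modes above, plus a home directory writable by group or others, which sshd also rejects.

```shell
#!/bin/sh
# Added example: audit the modes that the chmod commands above set.
# check_ssh_perms is a hypothetical helper; assumes GNU stat (Linux).

# Usage: check_ssh_perms /home/alex
# Prints one line per problem; returns 1 if any were found.
check_ssh_perms() {
    home_dir=$1
    problems=0
    # path:maximum-mode pairs. The home directory is included because
    # sshd (StrictModes, on by default) refuses keys when the home
    # directory is writable by group or others.
    for entry in "$home_dir:755" "$home_dir/.ssh:700" \
                 "$home_dir/.ssh/authorized_keys:600"; do
        path=${entry%:*}
        max=${entry##*:}
        if [ ! -e "$path" ]; then
            echo "MISSING $path"
            problems=1
            continue
        fi
        mode=$(stat -c '%a' "$path")
        # Acceptable when no permission bit is set outside the maximum.
        if [ $(( 0$mode & ~0$max & 0777 )) -ne 0 ]; then
            echo "TOO-OPEN $path is $mode, expected at most $max"
            problems=1
        fi
    done
    return "$problems"
}

# Constructed demo tree with a group/world-readable authorized_keys.
demo=$(mktemp -d)
mkdir "$demo/.ssh" && : > "$demo/.ssh/authorized_keys"
chmod 755 "$demo"; chmod 700 "$demo/.ssh"; chmod 644 "$demo/.ssh/authorized_keys"
check_ssh_perms "$demo" || echo "fix with the chmod commands above"
rm -rf "$demo"
```

On the real server, run it as the login user with the home directory as the argument, for example check_ssh_perms "$HOME".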

Use Verbose Mode

Verbose mode makes SSH talk more. A lot more. It is like giving SSH a microphone and a juice box.

Run:

ssh -v user@192.168.1.50

For even more detail:

ssh -vvv user@192.168.1.50

Look for lines about authentication, keys, ports, and errors. You do not need to understand every line. Search for words like denied, refused, timeout, or offered key.
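
The keyword search described here, combined with the error list from the section on error messages, as an added example that is not part of the original article. The function name triage_ssh_debug, its verdict labels and the sample session are constructed for illustration. It reads captured ssh -v output and reports the stage where the attempt stopped.

```shell
#!/bin/sh
# Added example: classify where an SSH attempt stopped from `ssh -v` output.
# triage_ssh_debug and its verdict labels are hypothetical names.
# Capture input with:  ssh -v user@192.168.1.50 2> ssh-debug.txt

triage_ssh_debug() {
    awk '
    /Connection timed out|No route to host/ {
        print "UNREACHABLE: check IP address, network and firewall"; hit = 1; exit }
    /Connection refused/ {
        print "REFUSED: host answers but nothing listens on that port"; hit = 1; exit }
    /Host key verification failed|REMOTE HOST IDENTIFICATION HAS CHANGED/ {
        print "HOSTKEY: stored host key does not match the server"; hit = 1; exit }
    /Connection established/             { tcp = 1 }
    /Authentications that can continue:/ { methods = $NF }
    /Offering public key:/               { offered++ }
    /Authentication succeeded/           { ok = 1 }
    END {
        if (hit) exit
        if (ok)
            print "OK: authenticated"
        else if (tcp && methods != "" && offered == 0 && methods !~ /password/)
            print "NOKEY: server only accepts " methods " and no key was offered"
        else if (tcp && methods != "")
            print "DENIED: server allows " methods "; client offered " (offered + 0) " key(s)"
        else
            print "UNKNOWN: no recognised SSH debug lines"
    }'
}

# Constructed sample: a key is offered and the server rejects it.
SAMPLE_DENIED='debug1: Connecting to 192.168.1.50 [192.168.1.50] port 22.
debug1: Connection established.
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/alex/.ssh/id_ed25519 ED25519 SHA256:CONSTRUCTED
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
alex@192.168.1.50: Permission denied (publickey).'

printf '%s\n' "$SAMPLE_DENIED" | triage_ssh_debug
```

A DENIED verdict with a key offered points at authorized_keys or its permissions on the server; NOKEY points at the client not finding or not being told about the right key.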

Fix Host Key Warnings

Sometimes you reinstall the server. Or move the IP to a new machine. Then SSH may shout:

WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!

This can be serious. It may mean something is impersonating your server. But on a home server, it often means the server was rebuilt.

If you are sure the server is yours, remove the old key from your client:

ssh-keygen -R 192.168.1.50

Then connect again:

ssh user@192.168.1.50

You will be asked to trust the new host key. Read it. Confirm only if it makes sense.

Remote Access From Outside Your Home

Trying to SSH into your Immich server from a cafe, office, or moon base? Then local IP addresses will not work. Addresses like 192.168.1.50 only work inside your home network.

For outside access, you need one of these:

  • A VPN like WireGuard or Tailscale.
  • Port forwarding on your router.
  • A reverse tunnel.
  • A cloud server jump host.

Best simple choice: Use a VPN. Tailscale and WireGuard are popular. They avoid exposing SSH to the open internet. That is good. The internet is full of bots that knock on port 22 all day. Tiny rude robots.

If you use port forwarding, forward the correct external port to the correct internal IP and SSH port. Also use SSH keys. Disable root login. Consider disabling password login.
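
Before exposing SSH through a forwarded port, it helps to confirm what the server's configuration really says. The following is an added example, not part of the original article; it also applies to the earlier sections that say to look for Port and PasswordAuthentication in sshd_config. The helper names and the sample file are constructed, and the helpers read a single file without following Include lines.

```shell
#!/bin/sh
# Added example: report the value sshd will actually use for a keyword.
# effective_sshd_option and audit_sshd_exposure are hypothetical helpers.
# They read one file and do not follow Include lines.

# Usage: effective_sshd_option FILE KEYWORD
effective_sshd_option() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    { sub(/#.*/, "") }                  # "#Port 22" is a comment, not a setting
    NF == 0 { next }
    tolower($1) == "match" { exit }     # later lines apply only conditionally
    tolower($1) == want {
        print $2
        if (want != "port") exit        # first value wins; Port may repeat
    }' "$1"
}

# Usage: audit_sshd_exposure FILE  (fallbacks are OpenSSH built-in defaults)
audit_sshd_exposure() {
    ports=$(effective_sshd_option "$1" Port | paste -sd, -)
    root=$(effective_sshd_option "$1" PermitRootLogin)
    pw=$(effective_sshd_option "$1" PasswordAuthentication)
    echo "Port=${ports:-22} PermitRootLogin=${root:-prohibit-password} PasswordAuthentication=${pw:-yes}"
    [ "${root:-prohibit-password}" = "yes" ] && echo "WARN root can log in with a password"
    [ "${pw:-yes}" = "yes" ] && echo "WARN password login is enabled"
    return 0
}

# Constructed sample in the style of a stock sshd_config.
cfg=$(mktemp)
trap 'rm -f "$cfg"' EXIT
cat > "$cfg" <<'EOF'
#Port 22
Port 2222
#PermitRootLogin prohibit-password
PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
audit_sshd_exposure "$cfg"
```

For the merged result across Include files and Match blocks, sudo sshd -T prints every effective setting, and sudo sshd -t checks the file for errors before you restart the service.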

Check Fail2Ban and Lockouts

If you installed Fail2Ban, it may block your IP after too many failed logins. This is useful. It is also annoying when you are the person failing.

Check Fail2Ban status:

sudo fail2ban-client status

Check the SSH jail:

sudo fail2ban-client status sshd

If your IP is banned, unban it:

sudo fail2ban-client set sshd unbanip YOURIP

Replace YOURIP with your actual IP address.

Look at the Logs

Logs are where Linux writes its diary. Sometimes the diary is grumpy. But it is useful.

On Ubuntu or Debian, check SSH logs with:

sudo journalctl -u ssh

You can follow logs live:

sudo journalctl -u ssh -f

Then try to log in from another machine. Watch what appears. You may see bad usernames, rejected keys, or blocked login methods.

Some systems also use:

sudo tail -f /var/log/auth.log

Logs are not glamorous. But they are honest.
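
One way to turn those log lines into a per-address summary, as an added example that is not part of the original article. The function name summarize_sshd_log, the AT-THRESHOLD label and the sample lines are constructed; the threshold argument is an assumption that should be set to the maxretry value of your Fail2Ban sshd jail.

```shell
#!/bin/sh
# Added example: summarise sshd log lines per source address.
# summarize_sshd_log and the AT-THRESHOLD label are hypothetical names.
# The threshold argument is an assumption: set it to the maxretry value
# of your Fail2Ban sshd jail.

summarize_sshd_log() {
    awk -v max="${1:-5}" '
    # The address follows the last "from" on the line.
    function source_ip(   i) {
        for (i = NF - 1; i >= 1; i--)
            if ($i == "from") return $(i + 1)
        return "unknown"
    }
    /Failed password for/               { ip = source_ip(); failed[ip]++;   seen[ip] = 1 }
    /Invalid user /                     { ip = source_ip(); invalid[ip]++;  seen[ip] = 1 }
    /Accepted (password|publickey) for/ { ip = source_ip(); accepted[ip]++; seen[ip] = 1 }
    END {
        for (ip in seen)
            printf "%s failed=%d invalid_user=%d accepted=%d%s\n", ip,
                   failed[ip], invalid[ip], accepted[ip],
                   (failed[ip] >= max ? " AT-THRESHOLD" : "")
    }' | sort
}

# Constructed sample log lines (documentation and private addresses).
SAMPLE_LOG='May 01 10:00:01 serverbob sshd[1201]: Invalid user admin from 203.0.113.7 port 51230
May 01 10:00:03 serverbob sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51230 ssh2
May 01 10:00:09 serverbob sshd[1204]: Failed password for alex from 192.168.1.20 port 50110 ssh2
May 01 10:00:15 serverbob sshd[1204]: Failed password for alex from 192.168.1.20 port 50110 ssh2
May 01 10:00:31 serverbob sshd[1209]: Accepted publickey for alex from 192.168.1.20 port 50114 ssh2: ED25519 SHA256:CONSTRUCTED'

printf '%s\n' "$SAMPLE_LOG" | summarize_sshd_log 2
```

On the server, pipe the real log into it, for example sudo journalctl -u ssh --no-pager | summarize_sshd_log. If your own address shows up at the threshold, the Fail2Ban section above is the next stop.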

When You Have Physical Access

If SSH is fully broken, go to the server. Plug in a keyboard and monitor. This is the old school way. It still works.

Log in locally. Then check:

  • The IP address with ip addr.
  • The SSH service with systemctl status ssh.
  • The firewall with ufw status.
  • The SSH config file.
  • Disk space with df -h.

Yes, disk space matters. If the server disk is full, strange things happen. Immich can fill storage fast because photos and videos are chunky little beasts.

Do Not Break Immich While Fixing SSH

SSH troubleshooting should not require changing Immich containers. Be careful with Docker commands if you are not sure.

Before changing big things, check the Immich folder. It often contains a docker-compose.yml file and a .env file. Do not delete these. They are important.

If you need to restart Immich later, go to that folder and run:

docker compose up -d

But remember, this is for Immich. It is not usually the fix for SSH.

Make Future You Happy

Once SSH works again, make it easier to fix next time. Future You deserves cookies.

  • Reserve the server IP in your router.
  • Save the SSH username and port in a password manager.
  • Set up SSH keys.
  • Keep one backup admin user.
  • Install a VPN for safe remote access.
  • Write down where your Immich files live.
  • Keep backups of your photos and your Immich database.

You can also create an SSH config entry on your client:

Host immich
  HostName 192.168.1.50
  User alex
  Port 22
  IdentityFile ~/.ssh/id_ed25519

Then you can connect with:

ssh immich

That feels fancy. It is also easier to remember.

Final Checklist

When SSH will not connect to your Immich server, walk through this list:

  1. Confirm the server is powered on.
  2. Confirm the network is working.
  3. Find the correct IP address.
  4. Use the correct username.
  5. Check the SSH port.
  6. Make sure the SSH service is running.
  7. Check firewall rules.
  8. Check passwords or SSH keys.
  9. Use verbose mode.
  10. Read the logs.

SSH problems can feel like a locked treasure chest. But most locks are simple once you find the right key. Take one step at a time. Stay calm. Your Immich memories are probably still safe, waiting behind the door with all your vacation photos, pet pictures, food shots, and that one blurry video nobody can explain.