:The system prompts "must be owned by root and not group or word-writable" error when the SSH service starts

Disclaimer: This article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.

Problem description

When the SSH service is started, the system prompts "must be owned by root and not group or word-writable" error.

Cause

For security reasons, the SSH service requires the permission configuration and group of directories or files related to the service. This problem is usually caused by an exception in the related permissions or group settings.

Solution

Alibaba Cloud reminds you that:

• Before you perform operations that may cause risks, such as modifying instance configurations or data, we recommend that you check the disaster recovery and fault tolerance capabilities of the instances to ensure data security.
• If you modify the configurations and data of instances including but not limited to ECS and RDS instances, we recommend that you create snapshots or enable RDS log backup.
• If you have authorized or submitted security information such as the logon account and password in the Alibaba Cloud Management console, we recommend that you modify such information in a timely manner.

The troubleshooting methods are as follows for different reasons: In this document, as well as the system configuration and its description in CentOS 7.6 64 bit operating system test. The operating system configurations of other types and versions may be different. For more information, see the official documentation of the operating system.

Method 1: configure the /var/empty/sshd directory.

1. Log on to the abnormal instance through the management terminal and run the following command to view the permission configuration for the /var/empty/sshd directory.

   ll -d /var/empty/sshd/

   A similar output is displayed, indicating the default permissions.

   drwx--x--x. 2 root root 4096 Apr 11 2018 /var/empty/sshd/

2. If different from the default permission configuration, run the following commands in sequence to restore the default configuration.
   

   Note: the permission of the /var/empty/sshd directory is 711 by default. This permission defaults to the root user of the root group.

   chown -R root:root /var/empty/sshd
   chmod -R 711 /var/empty/sshd

3. Run the following command to restart the SSH service:
   

   Note: run the service sshd restart command to restart the SSH service before CentOS 7.

   systemctl restart sshd.service

Method 2: configure the /etc/securetty file

1. Log on to the abnormal instance through the management terminal and run the following command to view the /etc/securetty file permission configuration.

   ll /etc/securetty

   A similar output is displayed, indicating the default permissions.

   -rw-------. 1 root root 221 Oct 31  2018 /etc/securetty

2. If different from the default permission configuration, run the following commands in sequence to restore the default configuration.
   

   Note: the /etc/securetty file permission is 600 by default, which is the root user of the root group.

   chown root:root /etc/securetty
   chmod 600 /etc/securetty

3. Run the following command to restart the SSH service:
   

   Note: run the service sshd restart command to restart the SSH service before CentOS 7.

   systemctl restart sshd.service

Documentation

For more exception SSH services, see the following documents.

• Guidelines for troubleshooting failed remote logon to Linux instances and overview of SSH principles

Application scope

• ECS