All Products
Search
Document Center

The error "Permission denied, please try again" is returned when the root user logs on to a Linux instance through SSH.

Last Updated: Sep 21, 2020

Disclaimer: This article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.

 

Overview

When a root user logs on to a Linux instance over SSH, the error "Permission denied, please try again" is returned. This topic describes how to resolve this issue.

 

Description

When you log on to an ECS instance using SSH, an error message similar to the following is returned even if you have entered the correct password as the root user.

Note: non-root users can log on normally, and the root user passesManagement terminalYou can log on normally.

  • Permission denied, please try again.

  • The SSH server rejects the password. Please try again.

Check the secure log. If the following error information is contained, the problem is usually caused by the SELinux service enabled. SeeSolution to SELinux problems. For other cases, seeSolution to problems caused by disabling root user logon.

error: Could not get shadow infromation for root.

 

Solution to problems caused by disabling root user logon

Note:

  • The Linux configurations and descriptions in this article have been tested in the CentOS 6.5 64-bit operating system. The operating system configurations of other types and versions may be different. For details, see the official documentation of the corresponding release.
  • These policies can improve server security. Before you modify the configuration, make sure that you have a balance between security and ease of use.

Follow these steps to check and modify the configuration.

  1. PassManagement terminalLog on to the ECS instance of the Linux system.

  1. Run cat or other commands to view/Etc/ssh/sshd_configWhether the configuration file contains configurations similar to the following.

    PermitRootLogin no

    Note: The following table describes this parameter.

    • Root users are allowed to log on if this parameter is not set (default) or set to yes. Root user logon is disabled only when this parameter is set to "no.

    • This parameter only affects the SSH logon of the root user.Management terminalOr other methods such as logging on to the system.

  1. Use an editor such as vi to set the parameter value to yes, delete the parameter, or add a number sign (#) at the beginning of the parameter. For example:# PermitRootLogin yes.
    Note: We recommend that you back up the configuration file before you modify it.
  2. Run the following command to restart NTP:

    service sshd restart
  3. Try to log on to the server as the root user again.
  4. If the problem persists, seeGuidelines for troubleshooting failed remote logon through SSH in Elastic Compute Service LinuxFurther troubleshooting and analysis.

 

Solution to SELinux problems

You can choose to temporarily or permanently disable SELinux to solve SSH connection exceptions based on the on-site environment requirements.

 

Check the SELinux service status

  1. PassManagement terminalLog on to the Linux instance and run the following command to check the current SELinux Service Status.
    /usr/sbin/sestatus -v 
    A similar output is displayed.
    SELinux status:       enabled
    Note:IfSELinux statusThe parameter isEnabledIs enabledDisabledIs disabled.

 

Temporarily disable SELinux

Log on to the Linux instance and run the following command to temporarily disable SELinux.

Note:You can modify the SELinux service status in real time without restarting the system or instance.

setenforce 0

 

Disable SELinux permanently

Log on to the Linux instance and run the following command to disable SELinux permanently.

Note:The SELinux service status can only be changed permanently after the system or instance is restarted.

sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

Note:This command is only applicable to the current SELinux serviceEnforcingStatus.

 

Application scope

  • ECS