Disclaimer: This article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.
Problem description
When you use SSH to connect to an ECS instance of a Linux, the secure log files of the client or server may display information similar to the following, causing a failure to log on.
- Permission denied, please try again.
- User test from 192.X.X.1 not allowed because not listed in AllowUsers.
- User test from 192.X.X.1 not allowed because listed in DenyUsers.
- User root from 192.X.X.1 not allowed because a group is listed in DenyGroups.
- User test from 192.X.X.1 not allowed because none of user's groups are listed in AllowGroups.
Cause
This problem is usually caused by the user logon control parameter enabled in the SSH service, which restricts the users who can log on. The parameters are described as follows.
- AllowUsers: the whitelist of users allowed to log on. Only the users marked with this parameter can log on.
- DenyUsers: the blacklist of rejected users.
- AllowGroups: the whitelist of user groups that are allowed to log on to the console. Only the user groups marked with this parameter are allowed to log on to the console.
- DenyGroups: the blacklist of user groups that are used to deny access to the website.
A deny policy has a higher priority than an allow policy as follows:
- If the AllowUsers and DenyUsers parameters contain the same user, the denial policy takes precedence. Therefore, the user cannot log on.
- If the user in "AllowUsers" is in the "DenyGroups" user group, the denial policy takes precedence, so the user still cannot log on.
Solution
Alibaba Cloud reminds you that:
- Before you perform operations that may cause risks, such as modifying instance configurations or data, we recommend that you check the disaster recovery and fault tolerance capabilities of the instances to ensure data security.
- If you modify the configurations and data of instances including but not limited to ECS and RDS instances, we recommend that you create snapshots or enable RDS log backup.
- If you have authorized or submitted security information such as the logon account and password in the Alibaba Cloud Management console, we recommend that you modify such information in a timely manner.
The Linux configurations and descriptions in this article have been tested in CentOS 6.5 64-bit operating systems. The configurations of other operating systems may be different. For more information, see the official documentation of the operating system.
- Log on to a Linux instance. For more information about how to log on to a Linux instance, seeconnect to a Linux instance by using a management terminal.
- Run the following command to view the sshd_config file:
cat /etc/ssh/sshd_config
The system displays the type, including the following configuration:AllowUsers root test
DenyUsers test
DenyGroups test
AllowGroups root - We recommend that you perform file backup before you modify the policy configuration.
- Use an editor such as vi to delete the policy configuration, and you can also comment on the policy configuration, as shown below, add #. User access control is completely removed to ensure that relevant users can log in normally.
#AllowUsers root test
#DenyUsers test
#DenyGroups test
#AllowGroups root - Run the following command to restart SSH so that the configuration takes effect.
service sshd restart
References
If the problem persists, seeguidelines for troubleshooting failure to remotely log on to a Linux instance through SSH for further troubleshooting and analysis.
Application scope
- ECS