The SSH service fails to start when its configuration file (/etc/ssh/sshd_config) contains errors. This guide helps you identify the specific error, fix it, and restart the service.
Causes
Errors in /etc/ssh/sshd_config fall into two categories:
Syntax error: A configuration option is misspelled, or its value is outside the allowed range or a predefined list (for example, on/off, true/false, or a specific numeric range).
File encoding error: The file contains a Byte Order Mark (BOM) or uses CRLF line endings. This typically happens when the file has been edited or transferred from a Windows system.
Solution 1: Fix errors in the SSH configuration file
Step 1: Connect to the instance through VNC
Because SSH is unavailable, use a VNC connection to access the instance.
Go to ECS console - Instance. In the top navigation bar, select the target region and resource group.
On the instance details page, click Connect. In the remote connection dialog, click Show Other Logon Methods to reveal the VNC option, then click Sign in now next to VNC. Enter the username and password to log on to the instance.
Step 2: Diagnose the configuration
Run the SSH configuration test command:
sudo /usr/sbin/sshd -t
The output identifies the file, line number, and error type. For example:
Deprecated configuration option
/etc/ssh/sshd_config: line 82: Bad configuration option: RSAAuthentication
Invalid value for a configuration option
/etc/ssh/sshd_config: line 23: bad value for Port "222222"
The exact error message format varies by OpenSSH version. For example, OpenSSH 8.0p1 outputs "Deprecated option RSAAuthentication" instead of "Bad configuration option: RSAAuthentication".
If the command returns no output, the configuration is correct. Skip to Step 5.
Step 3: Fix the configuration file
Open the configuration file:
sudo vim /etc/ssh/sshd_config
Go to the line number reported in the error message and apply the appropriate fix:
Deprecated configuration options
OpenSSH removes support for older options in newer versions. Comment out or delete the line that contains the deprecated option.
| Deprecated option | Deprecated since |
|---|---|
| RSAAuthentication | OpenSSH 7.0 and later |
| UsePrivilegeSeparation | OpenSSH 7.5 and later (now default behavior) |
Invalid option values
Correct the value on the reported line. Run man sshd_config for valid values.
File encoding errors
A configuration file edited or copied from a Windows system may contain a BOM or use CRLF line endings. Check and fix these in Vim:
Check line endings:
:set fileformat?
If the output is fileformat=dos, the file uses CRLF line endings. Fix it:
:set fileformat=unix
Check for a BOM:
:set bomb?
If the output is bomb, the file contains a BOM. Fix it:
:set nobomb
Save the file after making changes (:wq).
Newer versions of OpenSSH (such as 8.0p1) may tolerate CRLF line endings without failing to start. However, converting to Unix format is still recommended to avoid issues with other tools and older OpenSSH versions.
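The same BOM and CRLF checks can be scripted outside Vim. The following is an added example, not part of the original guide: the function names and the script name are hypothetical, and the cleaned copy replaces the original only after it passes sshd -t, with a timestamped backup kept.

```shell
#!/bin/sh
# Added example: detect and strip a UTF-8 BOM and CRLF line endings from an
# sshd_config-style file. Function names are hypothetical, not OpenSSH tooling.

CR=$(printf '\r')              # carriage return byte
BOM=$(printf '\357\273\277')   # UTF-8 byte order mark (EF BB BF)

# Succeeds if the file starts with the three BOM bytes.
has_bom() {
    [ "$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]
}

# Succeeds if any line ends in CR (that is, CRLF line endings).
has_crlf() {
    LC_ALL=C grep -q "${CR}\$" "$1"
}

# Write a cleaned copy of $1 to $2; the source file is left untouched.
normalize_config() {
    LC_ALL=C sed -e "1s/^${BOM}//" -e "s/${CR}\$//" "$1" > "$2"
}

# Clean $1 in place, but only after sshd accepts the cleaned copy.
# A timestamped backup is kept first, so the original stays recoverable.
fix_config() {
    conf=$1
    tmp=$(mktemp) || return 1
    normalize_config "$conf" "$tmp" || { rm -f "$tmp"; return 1; }
    if ! /usr/sbin/sshd -t -f "$tmp"; then
        echo "cleaned copy still fails sshd -t; $conf left unchanged" >&2
        rm -f "$tmp"
        return 1
    fi
    cp -p "$conf" "$conf.backup-$(date +%Y%m%d-%H%M%S)" &&
        cat "$tmp" > "$conf"      # overwrite contents, keep owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage as root (script name is an example):
#   sh fix-sshd-config.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then
    has_bom "$1" && echo "$1: BOM found"
    has_crlf "$1" && echo "$1: CRLF line endings found"
    fix_config "$1"
fi
```

If the cleaned copy still fails validation, the remaining problem is a syntax error rather than an encoding error, and the sshd -t output names the line to fix.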
If the configuration file is severely corrupted and you cannot identify individual errors, proceed to Solution 2: Reinstall the SSH service.
Step 4: Validate the fix
Run the configuration test again:
sudo /usr/sbin/sshd -t
No output means the configuration is correct.
Step 5: Restart and verify the SSH service
Restart the service:
sudo systemctl restart sshd
Verify the service status:
sudo systemctl status sshd
If the output includes active (running), the SSH service started successfully.
Solution 2: Reinstall the SSH service
If the configuration file is too corrupted to repair, reinstall the SSH service. This replaces the configuration file with a clean default.
Reinstalling removes all custom configurations, such as modified ports and key-based authentication settings. Back up the file before proceeding.
Step 1: Connect to the instance through VNC
Go to ECS console - Instance. In the top navigation bar, select the target region and resource group.
On the instance details page, click Connect. In the remote connection dialog, click Show Other Logon Methods to reveal the VNC option, then click Sign in now next to VNC. Enter the username and password to log on to the instance.
Step 2: Back up the configuration file
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup-$(date +%Y%m%d-%H%M%S)
Step 3: Uninstall and reinstall the SSH service
Uninstall:
sudo rpm -e openssh-server
Reinstall:
sudo yum install openssh-server
After installation, migrate your custom configurations from the backup file to the new /etc/ssh/sshd_config.
Step 4: Start and verify the SSH service
Start the service:
sudo systemctl start sshd
Verify the service status:
sudo systemctl status sshd
If the output includes active (running), the SSH service started successfully.