Disclaimer: This article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.
Problem description
When the SSH service is started, the system reports a "must be owned by root and not group or world-writable" error.
Cause
For security reasons, the SSH service enforces specific permission and ownership (user and group) settings on the directories and files it depends on. This problem is usually caused by incorrect permission or group settings on those directories or files.
Solution
Alibaba Cloud reminds you that:
- Before you perform operations that may cause risks, such as modifying instance configurations or data, we recommend that you check the disaster recovery and fault tolerance capabilities of the instances to ensure data security.
- If you modify the configurations and data of instances including but not limited to ECS and RDS instances, we recommend that you create snapshots or enable RDS log backup.
- If you have authorized or submitted security information such as the logon account and password in the Alibaba Cloud Management console, we recommend that you modify such information in a timely manner.
Use one of the following troubleshooting methods, depending on the cause. The system configurations and descriptions in this document were tested on a 64-bit CentOS 7.6 operating system. The configurations of other operating system types and versions may be different. For more information, see the official documentation of the operating system.
Method 1: configure the /var/empty/sshd directory
- Log on to the abnormal instance through the management terminal and run the following command to view the permission configuration of the /var/empty/sshd directory.
  ll -d /var/empty/sshd/
  Output similar to the following is displayed, showing the default permissions.
  drwx--x--x. 2 root root 4096 Apr 11 2018 /var/empty/sshd/
- If the output differs from the default permission configuration, run the following commands in sequence to restore the default configuration.
  Note: the permission of the /var/empty/sshd directory is 711 by default, and the directory is owned by the root user of the root group.
  chown -R root:root /var/empty/sshd
  chmod -R 711 /var/empty/sshd
- Run the following command to restart the SSH service:
  Note: on versions earlier than CentOS 7, run the service sshd restart command to restart the SSH service.
  systemctl restart sshd.service
Method 2: configure the /etc/securetty file
- Log on to the abnormal instance through the management terminal and run the following command to view the permission configuration of the /etc/securetty file.
  ll /etc/securetty
  Output similar to the following is displayed, showing the default permissions.
  -rw-------. 1 root root 221 Oct 31 2018 /etc/securetty
- If the output differs from the default permission configuration, run the following commands in sequence to restore the default configuration.
  Note: the permission of the /etc/securetty file is 600 by default, and the file is owned by the root user of the root group.
  chown root:root /etc/securetty
  chmod 600 /etc/securetty
- Run the following command to restart the SSH service:
  Note: on versions earlier than CentOS 7, run the service sshd restart command to restart the SSH service.
  systemctl restart sshd.service
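The following read-only check is an added example, not part of the original article: it inspects the two paths from Method 1 and Method 2 and reports which property deviates (owner, group- or world-write bit, or exact mode) before any chown or chmod is run. The function names and the --run argument are assumptions of this example, and it relies on GNU stat as shipped with CentOS.

```bash
#!/bin/bash
# Added example (not from the original article): read-only audit of the
# paths covered by Method 1 and Method 2. Requires GNU stat (stat -c).

# audit_path PATH OWNER GROUP MODE
# Prints one finding per deviation; returns 0 if the path matches, 1 if not.
audit_path() {
    local path=$1 want_owner=$2 want_group=$3 want_mode=$4
    local owner group mode rc=0
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    # %U = owner name, %G = group name, %a = octal permission bits
    read -r owner group mode <<EOF
$(stat -c '%U %G %a' "$path")
EOF
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "OWNER    $path is $owner:$group, expected $want_owner:$want_group"
        rc=1
    fi
    # Octal 022 masks the group-write and other-write bits, the condition
    # named in the "not group or world-writable" error.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "WRITABLE $path mode $mode is group- or world-writable"
        rc=1
    fi
    if [ "$mode" != "$want_mode" ]; then
        echo "MODE     $path is $mode, expected $want_mode"
        rc=1
    fi
    return $rc
}

# Expected values are the defaults stated in this article (CentOS 7.6).
audit_sshd_paths() {
    local rc=0
    audit_path /var/empty/sshd root root 711 || rc=1
    audit_path /etc/securetty  root root 600 || rc=1
    return $rc
}

# Audit only when invoked as: bash <script> --run
if [ "${1:-}" = "--run" ]; then
    audit_sshd_paths
fi
```

No output and exit status 0 mean both paths match the defaults; any printed line names the path and the setting to restore with the commands above.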
Documentation
For more information about SSH service exceptions, see the following documents.
- Guidelines for troubleshooting failed remote logon to Linux instances and overview of SSH principles
Application scope
- ECS