Disclaimer: This topic may contain information about third-party products. The information is for reference only. Alibaba Cloud does not make a guarantee in any form of the performance and reliability of the third-party products, and potential impacts of operations on these products.
When you use the root user to log on to a Linux instance through SSH, the "Permission denied, please try again" error is reported. This topic describes how to solve this problem.
Take note of the following items:
- Before you perform high-risk operations such as modifying the specifications or data of an Alibaba Cloud instance, we recommend that you check the disaster recovery and fault tolerance capabilities of the instance to ensure data security.
- Before you modify the specifications or data of an Alibaba Cloud instance, such as an Elastic Compute Service (ECS) instance or an ApsaraDB RDS instance, we recommend that you create snapshots or enable backups for the instance. For example, you can enable log backups for an ApsaraDB RDS instance.
- If you have granted specific users the permissions on sensitive information, such as usernames and passwords, or submitted sensitive information in the Alibaba Cloud Management Console, we recommend that you modify the sensitive information at the earliest opportunity.
When you log on to a Linux ECS instance over SSH as the root user, an error message similar to the following appears even if you enter the correct password.
Note: Non-root users can log on normally, and root users can log on normally through the management terminal.
- Permission denied, please try again.
- The SSH server rejected the password. Please try again.
Check the secure log. If it contains the following error message, the problem is usually caused by the SELinux service being enabled on the system; see "The solution to the problem caused by the SELinux service". For the case in which root user logon is disabled, see "Solution to the problem caused by prohibiting root user login".
error: Could not get shadow information for root.
Solution to the problem caused by prohibiting root user login
- The Linux configurations and descriptions in this topic have been tested in CentOS 6.5 64-bit operating systems. The operating system configurations of other types and versions may vary. For more information, see the official documentation of the corresponding release.
- The relevant policies can improve the security of the server. Weigh security against ease of use before you decide whether to modify the relevant configurations.
Perform the following steps to check and modify the configurations:
Log on to the Linux ECS instance through the management terminal.
Run a command such as cat to check whether the /etc/ssh/sshd_config configuration file contains a configuration similar to the following.
Note: This parameter works as follows:
- If this parameter is not configured (the default) or its value is "yes", the root user is allowed to log on. Root user logon is prohibited only when the value is set to "no".
- This parameter only affects SSH logon of the root user. It does not affect other logon methods for the root user, such as the management terminal.
- Use an editor such as vi to set the parameter value to "yes", delete the parameter, or comment out the entire line by adding a "#" at the beginning. For example:
# PermitRootLogin yes
Note: We recommend that you back up the configuration file before you modify it.
Run the following command to restart the SSH service:
service sshd restart
- Try logging in to the server again with the root user.
- If the problem persists, you can see Elastic Compute Service Linux SSH failure for further troubleshooting.
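The two checks described in this topic (the secure log signature and the PermitRootLogin setting) combined into one triage script. This is an added example, not part of the original article; the function names, the sample files, and the handling of values other than "yes" and "no" are assumptions that go beyond the case the article covers.

```shell
#!/bin/sh
# Added example, not from the original article. Paths are arguments so the
# check can be run on copies; the sample files in demo() are constructed.

# Print the effective global PermitRootLogin value, or "unset".
# sshd keeps the first value it reads for a keyword and compares keywords
# case-insensitively; global settings end at the first Match block.
effective_permit_root_login() {
    awk '
        { sub(/^[ \t]+/, ""); n = split($0, f, /[ \t=]+/); key = tolower(f[1]) }
        n == 0 || key ~ /^#/ { next }
        key == "match" { exit }
        key == "permitrootlogin" { print tolower(f[2]); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Classify a refused root password logon.
# $1 = secure log (for example /var/log/secure), $2 = sshd_config
triage_root_denied() {
    # Log signature that the article attributes to SELinux.
    if grep -q 'Could not get shadow information for root' "$1"; then
        echo selinux
        return 0
    fi
    case "$(effective_permit_root_login "$2")" in
        # "unset" permits root on the article's CentOS 6.5; newer OpenSSH
        # releases default to prohibit-password instead.
        yes|unset) echo other ;;
        # no, without-password, prohibit-password, forced-commands-only:
        # each of these refuses a root password.
        *) echo permitrootlogin ;;
    esac
}

demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#PermitRootLogin yes' 'Port 22' \
        'permitrootlogin no' 'PermitRootLogin yes' > "$d/sshd_config"
    printf '%s\n' \
        'Jan  1 00:00:00 host sshd[1234]: Failed password for root from 192.0.2.10 port 50000 ssh2' \
        > "$d/secure"
    triage_root_denied "$d/secure" "$d/sshd_config"   # prints: permitrootlogin
    rm -rf "$d"
}
demo
```

A result of `other` means that neither cause described in this topic applies.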
The solution to the problem caused by the SELinux service.
You can temporarily or permanently disable the SELinux service to resolve the SSH connection exception, based on the requirements of the on-site environment.
Check the SELinux service status
- Log on to the Linux instance through the management terminal, and run the following command to view the current SELinux service status:
/usr/sbin/sestatus -v
If output similar to the following is returned, one of the solutions is applicable to your system kernel version:
SELinux status: enabled
Tip: If the SELinux status parameter is enabled, SELinux is on; if it is disabled, SELinux is off.
Temporarily disable the SELinux service
Log on to the Linux instance and run the following command to temporarily disable SELinux:
Note: This modifies the SELinux service status temporarily. The change takes effect in real time, so you do not need to restart the system or instance.
Disable SELinux services permanently
Log on to the Linux instance and run the following command to permanently disable the SELinux service:
Note: After you permanently modify the SELinux service status, you must restart the system or instance for the change to take effect.
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
Tip: This command is only applicable when the current SELinux service is in the
- Elastic Compute Service (ECS)