
"Permission denied, please try again" error occurs when you log on to a Linux instance through SSH as the root user

Last Updated: Apr 27, 2022

Disclaimer: This topic may contain information about third-party products. The information is for reference only. Alibaba Cloud does not make a guarantee in any form of the performance and reliability of the third-party products, and potential impacts of operations on these products.

Overview

When you use the root user to log on to a Linux instance through SSH, the "Permission denied, please try again" error is reported. This topic describes how to solve this problem.

Description

Take note of the following items:

  • Before you perform high-risk operations such as modifying the specifications or data of an Alibaba Cloud instance, we recommend that you check the disaster recovery and fault tolerance capabilities of the instance to ensure data security.
  • Before you modify the specifications or data of an Alibaba Cloud instance, such as an Elastic Compute Service (ECS) instance or an ApsaraDB RDS instance, we recommend that you create snapshots or enable backups for the instance. For example, you can enable log backups for an ApsaraDB RDS instance.
  • If you have granted specific users the permissions on sensitive information, such as usernames and passwords, or submitted sensitive information in the Alibaba Cloud Management Console, we recommend that you modify the sensitive information at the earliest opportunity.

When you use SSH to log on to a Linux ECS instance as the root user, an error message similar to one of the following appears even if you enter the correct password.

Note: Non-root users can log on normally, and root users can log on normally through the management terminal.

  • Permission denied, please try again.

  • The SSH server rejected the password. Please try again.

Check the secure log. If it contains the following error message, the problem is usually caused by the SELinux service being enabled on the system. For more information, see the solution to the problem caused by the SELinux service. For the case where root logon is prohibited, see the solution to the problem caused by prohibiting root user login.

error: Could not get shadow information for root.

Solution to the problem caused by prohibiting root user login

Tip:

  • The Linux configurations and descriptions in this topic have been tested in CentOS 6.5 64-bit operating systems. The operating system configurations of other types and versions may vary. For more information, see the official documentation of the corresponding release.
  • Relevant policies can improve the security of the server. Weigh security against ease of use before you decide whether the relevant configurations need to be modified.

Perform the following steps to check and modify the configurations:

  1. Log on to the Linux ECS instance through the management terminal.

  2. Run a command such as cat to check whether the /etc/ssh/sshd_config configuration file contains a setting similar to the following:

    PermitRootLogin no

    Note: This parameter works as follows:

    • If this parameter is not configured (the default), or its value is "yes", the root user is allowed to log in. Root login is prohibited only when the value is set to "no".

    • This parameter affects only SSH logon of the root user. It does not affect other ways for the root user to log on to the system, such as the management terminal.

  3. Use an editor such as vi to set the parameter value to "yes", delete the parameter, or comment out the entire line by adding a "#" at the beginning. For example: # PermitRootLogin yes
    Note: We recommend that you back up the configuration file before you modify it.
  4. Run the following command to restart the SSH service:

    service sshd restart
  5. Try logging in to the server again as the root user.
  6. If the problem persists, see Elastic Compute Service Linux SSH failure for further troubleshooting.
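The check in step 2 can be misleading when the file holds several PermitRootLogin lines, so the following added example (not Alibaba Cloud code) reports the value sshd applies globally. The function names and the sample file are constructed for illustration, and the handling of values other than "yes" and "no" goes beyond what this topic covers.

```shell
#!/bin/sh
# Added example, not Alibaba Cloud code. Function names are hypothetical.

effective_permit_root_login() {
    # $1: sshd_config path. Prints the global value in lower case, or "unset".
    # sshd keeps the first value it reads for a keyword, keywords are
    # case-insensitive, and "Keyword=value" is accepted as well as a space.
    awk '
        { sub(/=/, " ") }                  # normalise Keyword=value
        /^[ \t]*#/ { next }                # commented-out line
        tolower($1) == "match" { exit }    # global section ends here
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

root_password_logon() {
    # yes -> allowed. no, and the key-only values prohibit-password,
    # without-password and forced-commands-only -> password logon denied.
    # unset -> default, which this topic states allows root on CentOS 6.5.
    case "$(effective_permit_root_login "$1")" in
        yes)   echo allowed ;;
        unset) echo default ;;
        *)     echo denied ;;
    esac
}

# Constructed sample: the commented line and the later "yes" do not count,
# and the line inside the Match block is not a global setting.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
#PermitRootLogin yes
permitrootlogin no
PermitRootLogin yes
Match User deploy
    PermitRootLogin yes
EOF

echo "PermitRootLogin in effect: $(effective_permit_root_login "$sample")"
echo "root password logon: $(root_password_logon "$sample")"
rm -f "$sample"

# On a real host, copy the file before editing it, then run "sshd -t" to
# check the syntax before "service sshd restart".
```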

The solution to the problem caused by the SELinux service.

You can temporarily or permanently disable the SELinux service to resolve the SSH connection error, depending on the requirements of your environment.

Check the SELinux service status

  1. Log on to the Linux instance through the management terminal, and run the following command to view the current SELinux service status:
    /usr/sbin/sestatus -v
    If output similar to the following is returned, one of the solutions below applies to your system:
    SELinux status:       enabled
    Tip: If the value of SELinux status is enabled, SELinux is on. If the value is disabled, SELinux is off.

Temporarily disable the SELinux service

Log on to the Linux instance and run the following command to temporarily disable SELinux:

Note: This command temporarily modifies the SELinux service status. The change takes effect in real time, so you do not need to restart the system or instance.

setenforce 0

Disable SELinux services permanently

Log on to the Linux instance and run the following command to permanently disable the SELinux service:

Note: A permanent change to the SELinux service status takes effect only after you restart the system or instance.

sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

Tip: This command is only applicable when the current SELinux service is in the enforcing state.
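The following added example (not Alibaba Cloud code) first confirms that the secure log contains the error described above, then handles the case the tip mentions, where the sed command changes nothing because the configured state is not enforcing. The function names, file paths and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Alibaba Cloud code. Function names are hypothetical.

shadow_error_count() {
    # $1: secure log. Counts the sshd error that points to SELinux.
    grep -c 'Could not get shadow information for root' "$1" || true
}

selinux_config_mode() {
    # $1: SELinux config file. Prints the SELINUX= value, or "unset".
    # SELINUXTYPE= and commented lines do not match the pattern.
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | head -n 1)
    echo "${mode:-unset}"
}

disable_selinux_config() {
    # Sets SELINUX=disabled whatever the current value is, after a backup.
    # Returns 1 when there is nothing to change.
    case "$(selinux_config_mode "$1")" in
        disabled|unset) return 1 ;;
    esac
    cp -p "$1" "$1.bak"
    sed -i 's/^\([[:space:]]*SELINUX=\).*/\1disabled/' "$1"
}

# Constructed sample data: a secure log excerpt and a config file in the
# permissive state, which the enforcing-only sed command would leave as is.
dir=$(mktemp -d)
cat > "$dir/secure" <<'EOF'
Apr 27 10:01:02 host sshd[2101]: error: Could not get shadow information for root
Apr 27 10:01:02 host sshd[2101]: Failed password for root from 192.0.2.10 port 50022 ssh2
EOF
printf 'SELINUX=permissive\nSELINUXTYPE=targeted\n' > "$dir/config"

if [ "$(shadow_error_count "$dir/secure")" -gt 0 ] &&
   disable_selinux_config "$dir/config"; then
    echo "SELINUX is now $(selinux_config_mode "$dir/config"); restart to apply"
else
    echo "No change made; check PermitRootLogin in sshd_config first"
fi
rm -rf "$dir"
```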

Applicable scope

  • Elastic Compute Service (ECS)