edit-icon download-icon

How to troubleshoot failed remote logon to ECS Linux SSH

Last Updated: Mar 05, 2018

Note: This document is based on CentOS 6.5 64 bit, configurations for other Linux operating systems may be different. Always see official documentation of relevant operating systems.

Note: For Linux ECS, SSH client is the primary channel for O&M. Management terminals can be used for emergency O&M, or troubleshooting in case of exceptions during client logon.

Possible logon failure causes

See the following figure for client loging on to Linux ECS instance:

SSH_logon

Possible cause Analysis

Client issue

Try another different SSH client to test logon using the same account information. If the test logon succeeds, it can conclude that the client configuration has issues and you must troubleshoot client configuration or software operation.
For more information about the Linux ECS instance logon process, see Logon to Instance.

Intermediate network issue

Run telnet <Server IP> <SSH server port>, for example, telnet 192.168.0.1 22 to telnet the port for a test, find out if the issue is caused by an intermediate network exception. Normally the SSH software version number for the server side will be returned as shown in the following figure:
symptom1
If the port test fails, see the following documents to further troubleshoot networks between the client and the server:
- Link test for ping packet loss or ping failure
- Port availability detection for pingable but unreachable ports

PAM security framework issues

The PAM security framework of Linux systems supports loading related security modules for access control over server account policies and logon policies. The configuration is abnormal or a related policy is triggered.

Linux environment configuration issues

If an exception occurs to the Linux system environment (such as virus attacks, account configuration and environment variable configuration), it may also lead to an SSH logon failure.

SSH service and parameter configuration issues

The default configuration file for SSH service is /etc/ssh/sshd_config. If an exception in related configuration parameters exist in the configuration file, or a related feature or policy is activated, it may also lead to an SSH logon failure.

SSH service associated directory or file configuration issues

For the sake of security, SSH service will check the permission configuration and groups of related directories or files during runtime. Overly high or overly low permission configuration may both lead to service operation exceptions, and further to a client logon failure.

SSH service key configuration issues

SSH service uses asymmetric encryption to encrypt transmitted data. The client and the server will exchange and verify validity of relevant key information.

Troubleshooting steps for SSH logon failure

You can follow these steps for detailed troubleshooting:

  1. Compare and test on multiple clients:

    1. Use different SSH clients and the management terminal to conduct comparative access tests.
    2. Identify whether the problem is caused by the configuration of an individual client or it is an individual software operation issue.
    3. If logon by using the management terminal is normal, use the management terminal to access the instance for further inspection.
  2. Test network connectivity, see the preceding Intermediate network issue instructions.

  3. Get server logs:

    1. Use the management terminal to access the instance.
    2. Run tailf /var/log/secure to get related log information on the instance synchronously during access re-tests on the client.
  4. Get client logs: run the following code block to get the detailed SSH logon interactive logs:

    1. ```shell
    2. ssh -vvv <Sever IP>
    3. For example:
    4. [root@centos~]# ssh -vvv 192.168.0.1
    5. OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
    6. debug1: Reading configuration data /etc/ssh/ssh_config
    7. debug1: Applying options for *
    8. debug2: ssh_connect: needpriv 0
    9. debug1: Connecting to 192.168.0.1 [192.168.0.1] port 22.
    10. debug1: connect to address 192.168.0.1 port 22: Connection timed out
    11. ssh: connect to host 192.168.0.1 port 22: Connection timed out
    12. ```
  5. Check SSH service running state:

    1. Use the management terminal to access the instance.
    2. Run the following code block to check the running state of the SSH service and corresponding process PID:
      1. [root@centos ~]# service sshd status
      2. openssh-daemon (pid 31350) is running...
      3. [root@centos ~]# service sshd restart
      4. Stopping sshd: [ OK ]
      5. Starting sshd: [ OK ]
    3. Run the following code block to check the service listening state and the corresponding port listening information:
      1. netstat -ano | grep 0.0.0.0:22
      2. tcp 0 0 0.0.0.0:22 0.0.0.0:*
      3. LISTEN off (0.00/0/0)
    4. Use the Management terminals to access the instance, and run ssh 127.0.0.1 to test logon. If the logon succeeds, it can infer that the exception was caused by the firewall or an external security group policy.

If the problem persists, record the test results of the preceding steps and relevant log information or screenshots, and open a ticket to contact Alibaba Cloud.

Thank you! We've received your feedback.