All Products
Search

This Product

    :An SSH remote connection exception occurs in a Linux instance because the SELinux service is enabled

    Document Center

    :An SSH remote connection exception occurs in a Linux instance because the SELinux service is enabled

    Last Updated:Apr 27, 2022

    Issue

    When you connect to a Linux instance in SH, the following error message appears in the command line or secure log even after the password is entered correctly.

    Permission denied, please try again.
    error: Could not get shadow infromation for root.

    Cause

    This problem is usually caused by the SELinux service enabled on the system.

    Solution

    Take note of the following items:

    • Before you perform high-risk operations such as modifying the specifications or data of an Alibaba Cloud instance, we recommend that you check the disaster recovery and fault tolerance capabilities of the instance to ensure data security.
    • Before you modify the specifications or data of an Alibaba Cloud instance, such as an Elastic Compute Service (ECS) instance or an ApsaraDB RDS instance, we recommend that you create snapshots or enable backups for the instance. For example, you can enable log backups for an ApsaraDB RDS instance.
    • If you have granted specific users the permissions on sensitive information, such as usernames and passwords, or submitted sensitive information in the Alibaba Cloud Management Console, we recommend that you modify the sensitive information at the earliest opportunity.

    You can choose to temporarily or permanently disable the SELinux service to resolve SSH connection exception based on the requirements of the on-site environment.

    Check the SELinux service status

    1. Log on to the Linux instance through the management terminal, and run the following command to view the current SELinux service status: 
      /usr/sbin/sestatus -v 
      If an output similar to the following one is returned, one of the solutions is applicable to your system kernel version: 
      SELinux status:       enabled
      Tip: If the SELinux status parameter is enabled, it is on, and if it is disabled, it is off.

    Temporarily disable the SELinux service

    Log on to the Linux instance and run the following command to temporarily disable SELinux:

    Note: Temporarily modify the SELinux service status. If the SELinux service status takes effect in real time, you do not need to restart the system or instance.

    setenforce 0

    Disable SELinux services permanently

    Log on to the Linux instance and run the following command to permanently disable the SELinux service:

    Note: To permanently modify the SELinux service status, you must restart the system or instance to take effect.

    sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

    Tip: This command is only applicable when the current SELinux service is in the enforcing state.

    Applicable scope

    • Elastic Compute Service (ECS)