What should I do if the error "Access denied" is displayed?

1. Problem phenomenon

When a third-party SSH client logs in to a Linux instance, an "Access denied" error is displayed. Execute cat /var/log/secure to view the login log, and you will find information similar to the following.

Permission denied, please try again.

User test from 192.168.xxx.xxx not allowed because not listed in AllowUsers.

User test from 192.168.xxx.xxx not allowed because listed in DenyUsers.

User root from 192.168.xxx.xxx not allowed because a group is listed in DenyGroups.

User test from 192.168.xxx.xxx not allowed because none of user's groups are listed in AllowGroups.

2. The cause of the problem

This problem is usually caused by the user login control parameters enabled in the SSH remote login configuration file (/etc/ssh/sshd_config) in the ECS instance, which restricts the login users. The user login control parameters are described as follows.

• AllowUsers: the white list of users allowed to log in, only the users marked by this parameter can log in.

• DenyUsers: The blacklist of users who are denied login, all users marked by this parameter are denied login.

• AllowGroups: white list of user groups allowed to log in, only the user groups marked by this parameter can log in.

• DenyGroups: The blacklist of user groups that are denied login. The user groups marked by this parameter are all denied login.

Deny policies have higher priority than allow policies, as detailed below.

• If the AllowUsers and DenyUsers parameters contain the same user, the deny policy takes precedence, so the user cannot log in.

• If the user in AllowUsers is in the DenyGroups user group, the user cannot log in because the deny policy takes precedence.

3. Solutions

You can modify the user login control parameters in the SSH remote login configuration file (/etc/ssh/sshd_config) to solve this problem.

3.1 Log in to the ECS instance using VNC.

3.2 Execute the following command to view the sshd_config file.

cat /etc/ssh/sshd_config

The system displays something similar to the following, indicating that the login of the test user is rejected.

AllowUsers root test
DenyUsers test
DenyGroups test
AllowGroups root

3.3 Modify user login control parameters.

a. Open the SSH configuration file.

vi /etc/ssh/sshd_config

b. Modify user login control parameters according to business needs.

As shown below, add # before the policy configuration to cancel user access control to ensure that relevant users can log in normally.

#AllowUsers root test
#DenyUsers test
#DenyGroups test
#AllowGroups root

c. Press the Esc key and enter: wq to save the modification.

3.4 Execute the following command to restart the SSH service.

systemctl restart sshd.service

3.5 Log in to the Linux instance again to ensure that you can log in normally.