This topic describes the causes of and solutions to the issue that the "Permission denied, please try again" error message appears when you connect to a Linux Elastic Compute Service (ECS) instance from an SSH client.
Problem description
When you connect to a Linux ECS instance from an on-premises SSH client, error messages that are similar to the following error messages appear even if you enter the correct password:
Permission denied, please try again.
The SSH server rejected your password. Try again.
Causes
The preceding issue may be caused by the following reasons:
Reason 1: The
PermitRootLoginorPasswordAuthenticationparameter in the/etc/ssh/sshd_configconfiguration file of the Linux ECS instance is set tonoto deny logons by the root user or password-based logons. For information about how to resolve the issue, see the Solution if the issue is caused by Reason 1 section of this topic.If the
PermitRootLoginparameter is set tono, logons by the root user are denied.If the
PasswordAuthenticationparameter is set tono, password-based logons are denied, but key-based logons are allowed.
Reason 2: SELinux is enabled on the Linux ECS instance. If SELinux is enabled on a Linux ECS instance, an error may occur when you attempt to connect to the instance as the root user or a regular user.
Run the
cat /var/log/securecommand to query the secure log. If the secure log containserror: Could not get shadow information for root., SELinux is enabled. For information about how to resolve the issue, see Solution if the issue is caused by Reason 2.
Solution if the issue is caused by Reason 1
Connect to the ECS instance by using Virtual Network Computing (VNC).
For more information, see Connect to an instance by using VNC.
Check the value of the
PermitRootLoginorPasswordAuthenticationparameter in the/etc/ssh/sshd_configfile.cat /etc/ssh/sshd_configThe command output shown in the following figure is returned. In the command output, the
PermitRootLoginandPasswordAuthenticationparameters are set tono, which indicates that logons by the root user and password-based logons are denied.
Change the values of the
PermitRootLoginandPasswordAuthenticationparameters based on your business requirements.Open the SSH configuration file.
vi /etc/ssh/sshd_configChange the values of the
PermitRootLoginandPasswordAuthenticationparameters.To allow logons by the root user, set the
PermitRootLoginparameter toyes.To allow password-based logons, set the
PasswordAuthenticationparameter toyes.
Press the Esc key and enter
:wqto save the changes.
Run the following command to restart the SSH service:
systemctl restart sshd.service
Solution if the issue is caused by Reason 2
You can temporarily or permanently disable SELinux based on your business requirements to resolve the issue.
Check the status of SELinux
Connect to the ECS instance by using VNC.
For more information, see Connect to an instance by using VNC.
Run the following command to view the status of SELinux:
/usr/sbin/sestatus -vSample output:
SELinux status: enabledNoteValid values:
enabled: SELinux is enabled.
disabled: SELinux is disabled.
Temporarily disable SELinux
If you temporarily disable SELinux, the setting for disabling SELinux becomes invalid after the ECS instance is restarted.
Connect to the ECS instance by using VNC.
For more information, see Connect to an instance by using VNC.
Run the following command to temporarily disable SELinux:
setenforce 0
Permanently disable SELinux
Connect to the ECS instance by using VNC.
For more information, see Connect to an instance by using VNC.
Run the following command to permanently disable SELinux:
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/configNoteYou can use the preceding command only if SELinux is in the
enforcingstate.Restart the ECS instance for the configuration to take effect. For more information, see Restart an instance.