All Products
Search
Document Center

Elastic Compute Service:What do I do if the "Permission denied, please try again" error message appears when I connect to a Linux instance from an SSH client?

最終更新日:Jul 03, 2024

This topic describes the causes of and solutions to the issue that the "Permission denied, please try again" error message appears when you connect to a Linux Elastic Compute Service (ECS) instance from an SSH client.

Problem description

When you connect to a Linux ECS instance from an on-premises SSH client, error messages that are similar to the following error messages appear even if you enter the correct password:

  • Permission denied, please try again.

  • The SSH server rejected your password. Try again.

Causes

The preceding issue may be caused by the following reasons:

  • Reason 1: The PermitRootLogin or PasswordAuthentication parameter in the /etc/ssh/sshd_config configuration file of the Linux ECS instance is set to no to deny logons by the root user or password-based logons. For information about how to resolve the issue, see the Solution if the issue is caused by Reason 1 section of this topic.

    • If the PermitRootLogin parameter is set to no, logons by the root user are denied.

    • If the PasswordAuthentication parameter is set to no, password-based logons are denied, but key-based logons are allowed.

  • Reason 2: SELinux is enabled on the Linux ECS instance. If SELinux is enabled on a Linux ECS instance, an error may occur when you attempt to connect to the instance as the root user or a regular user.

    Run the cat /var/log/secure command to query the secure log. If the secure log contains error: Could not get shadow information for root., SELinux is enabled. For information about how to resolve the issue, see Solution if the issue is caused by Reason 2.

Solution if the issue is caused by Reason 1

  1. Connect to the ECS instance by using Virtual Network Computing (VNC).

    For more information, see Connect to an instance by using VNC.

  2. Check the value of the PermitRootLogin or PasswordAuthentication parameter in the /etc/ssh/sshd_config file.

    cat /etc/ssh/sshd_config

    The command output shown in the following figure is returned. In the command output, the PermitRootLogin and PasswordAuthentication parameters are set to no, which indicates that logons by the root user and password-based logons are denied.

    image

  3. Change the values of the PermitRootLogin and PasswordAuthentication parameters based on your business requirements.

    1. Open the SSH configuration file.

      vi /etc/ssh/sshd_config
    2. Change the values of the PermitRootLogin and PasswordAuthentication parameters.

      • To allow logons by the root user, set the PermitRootLogin parameter to yes.

      • To allow password-based logons, set the PasswordAuthentication parameter to yes.

        image

    3. Press the Esc key and enter :wq to save the changes.

  4. Run the following command to restart the SSH service:

    systemctl restart sshd.service

Solution if the issue is caused by Reason 2

You can temporarily or permanently disable SELinux based on your business requirements to resolve the issue.

Check the status of SELinux

  1. Connect to the ECS instance by using VNC.

    For more information, see Connect to an instance by using VNC.

  2. Run the following command to view the status of SELinux:

    /usr/sbin/sestatus -v 

    Sample output:

    SELinux status:       enabled
    Note

    Valid values:

    • enabled: SELinux is enabled.

    • disabled: SELinux is disabled.

Temporarily disable SELinux

Important

If you temporarily disable SELinux, the setting for disabling SELinux becomes invalid after the ECS instance is restarted.

  1. Connect to the ECS instance by using VNC.

    For more information, see Connect to an instance by using VNC.

  2. Run the following command to temporarily disable SELinux:

    setenforce 0

Permanently disable SELinux

  1. Connect to the ECS instance by using VNC.

    For more information, see Connect to an instance by using VNC.

  2. Run the following command to permanently disable SELinux:

    sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
    Note

    You can use the preceding command only if SELinux is in the enforcing state.

  3. Restart the ECS instance for the configuration to take effect. For more information, see Restart an instance.