Note:
- This document is a general instructional guide only for reference.
- Perform the file operations with caution. You can create a snapshot or use other methods to back up data when necessary.
During login to a Linux instance using SSH key, a message indicating that the connection is unavailable or failed appears.
Check below for the solutions for common SSH login errors.
Login to a Linux instance via SSH key fails, and a message similar to the following appears in the secure
log of the client or server:
The login is restricted by the user login control parameters.
NoteThe Deny policy takes priority over the Allow policy.
sshd_config
as instructed in Stepssshd_config
configuration file with VIM editor.vim /etc/ssh/sshd_config
#
) at the beginning of each line to comment them out.AllowUsers root test
DenyUsers test
DenyGroups test
AllowGroups root
systemctl restart sshd.service
service sshd restart
When logging in via SSH key, the following error message appears:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
sshd[10826]: Connection closed by xxx.xxx.xxx.xxx.
Disconnected:No supported authentication methods available.
SSH service modifies the PasswordAuthentication
parameter and disables the password login.
sshd_config
as instructed in StepsPasswordAuthentication
parameter and restart the SSH service.sshd_config
configuration file with VIM editor.vim /etc/ssh/sshd_config
PasswordAuthentication no
to PasswordAuthentication yes
.systemctl restart sshd.service
service sshd restart
When logging in via SSH key, the error message "ssh_exchange_identification: read: Connection reset by peer" or as shown below appears:
The common causes are as follows:
Check the access policy, firewall rules, sshd configuration, and network environment as instructed in Steps
In Linux, the allowed and denied access policy are respectively set in the /etc/hosts.allow
and /etc/hosts.deny
files. You can set the trusted hosts in the hosts.allow
file, and deny all other hosts in the hosts.deny
file. The Deny policy can be set as follows:
in.sshd:ALL # Deny all SSH connections
in.sshd:218.64.87.0/255.255.255.128 # Deny SSH connections ranging from 218.64.87.0 to -127.
ALL:ALL # Deny all TCP connections
Log in to the Linux instance via VNC and check the /etc/hosts.deny
and /etc/hosts.allow
files:
NoteIf no access policy is configured, both files will be empty by default and all connections are allowed.
Check whether the iptables firewall rules are modified, for example, by the anti-intrusion software (such as Fail2ban, denyhost, etc.). Run the following command to check whether the firewall denies SSH connections.
sudo iptables -L --line-number
sshd_config
configuration file with VIM editor.vim /etc/ssh/sshd_config
MaxStartups
value, which specifies the maximum number of connections allowed. If many connections are required to establish in a short period, adjust the value as needed.NoteThis parameter specifies the maximum number of unauthenticated concurrent connections the SSH daemon allows. The default value is
MaxStartups 10:30:100
, which means to allow the first ten unauthenticated connections, refuse connection attempts with a probability of 30%, and reject all new connections when there are 100 connections.
service sshd restart
If the SSH login error persists, it may be caused by kernel exceptions or other unknown reasons. In this case, please submit a ticket.
When the root user logs in to a Linux instance via SSH key, the "Permission denied, please try again" error message appears.
This is because that the SELinux service is enabled, or the SSH service modifies the PermitRootLogin
configuration.
Check the configuration of SELinux service and the PermitRootLogin
parameter in sshd_config
as instructed in Steps.
/usr/sbin/sestatus -v
enabled
as shown below is returned, the service is enabled. The disabled
response indicates that the service is disabled.SELinux status: enabled
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
Note
- This command is only applicable to the SELinux service in the
enforcing
status.- After running the command, restart the system or instance for the modification to take effect.
sshd_config
configuration file with VIM editor.vim /etc/ssh/sshd_config
PermitRootLogin no
to PermitRootLogin yes
.sshd_config
, the root user is allowed to log in by default.service sshd restart
The error message "Too many authentication failures for root" is returned and the connection is interrupted after many failed attempts to enter the password to login via SSH key.
I was requested to reset the SSH service password after consecutive failed password entry.
sshd_config
as instructed in StepsMaxAuthTries
parameter for the password reset policy, and restart the SSH service.sshd_config
configuration file with VIM editor.vim /etc/ssh/sshd_config
MaxAuthTries 5
Note
- This parameter is not enabled by default. It specifies the number of consecutive incorrect password attempts for each SSH key login, and displays the error message. However, the account will not be locked, which can be used for another SSH key login.
- Determine whether a modification is required. If so, we recommend you back up the
sshd_config
configuration file.
#
) at the beginning of the line to comment it out.MaxAuthTries <number of incorrect password attempts allowed>
service sshd restart
When the SSH service is started in a Linux instance, an error message similar to the following is displayed in the secure
log or directly returned:
This is because that the relevant system library files the SSH service depends on are lost or have an exception, such as the permission configuration exception.
Check and fix the system library files as instructed in Steps.
NoteThe following example guides you through resolving a
libcrypto.so.10
library file exception.
libcrypto.so.10
library file information.ll /usr/lib64/libcrypto.so.10
/usr/lib64/libcrypto.so.10
is the soft link of the libcrypto.so.1.0.2k
library file.lrwxrwxrwx 1 root root 19 Jan 19 2021 /usr/lib64/libcrypto.so.10 -> libcrypto.so.1.0.2k
libcrypto.so.1.0.2k
library file information.ll /usr/lib64/libcrypto.so.1.0.2k
-rwxr-xr-x 1 root root 2520768 Dec 17 2020 /usr/lib64/libcrypto.so.1.0.2k
libcrypto.so.1.0.2k
file.find / -name libcrypto.so.1.0.2k
cp <absolute path of the library file obtained in the step 1> /usr/lib64/libcrypto.so.1.0.2k
chmod 755 /usr/lib64/libcrypto.so.1.0.2k
chown root:root /usr/lib64/libcrypto.so.1.0.2k
ln -s /usr/lib64/libcrypto.so.1.0.2k /usr/lib64/libcrypto.so.10
service sshd start
libcrypto.so.1.0.2k
library file of a normal CVM to the \tmp
directory of the target CVM using FTP.Note
\tmp
is used in this example. You can replace with the actual directory.
cp /tmp/libcrypto.so.1.0.2k /usr/lib64/libcrypto.so.1.0.2k
chmod 755 /usr/lib64/libcrypto.so.1.0.2k
chown root:root /usr/lib64/libcrypto.so.1.0.2k
ln -s /usr/lib64/libcrypto.so.1.0.2k /usr/lib64/libcrypto.so.10
service sshd start
You can roll back the system disk snapshot of the instance to recover the library file. For more information, please see Rolling Back Snapshots.
Note
- Note that snapshot rollback will cause loss of data stored after the snapshot creation.
- We recommend you roll back to snapshots one by one from the latest to the earliest till the SSH service resumes. If the SSH service still cannot run properly after the rollback, the system at that point in time has been abnormal.
When the SSH service is started in a Linux instance, an error message similar to the following is directly returned or appears in the secure
log:
FAILED.
fatal: Cannot bind any address.
address family must be specified before ListenAddress.
Incorrect configuration of AddressFamily
. This parameter specifies the protocol suite used at runtime. If only IPv6 is configured here, but the IPv6 is not enabled or invalidly configured in the system, this problem may occur.
sshd_config
as instructed in StepsAddressFamily
parameter and restart the SSH service.sshd_config
configuration file with VIM editor.vim /etc/ssh/sshd_config
AddressFamily inet6
The common parameters are described as follows:#
) at the beginning of the line to comment it out.AddressFamily inet
NoteThe
AddressFamily
parameter takes effect only after being configured beforeListenAddress
.
service sshd restart
Then you can log in to the Linux CVM instance via SSH key normally.When the SSH service is started in a Linux instance, an error message similar to the following is directly returned or appears in the secure
log:
/etc/ssh/sshd_config: line 2: Bad configuration options:\\
/etc/ssh/sshd_config: terminating, 1 bad configuration options
This is caused by the incorrect encoding or configuration of the configuration file.
Fix the sshd_config
configuration file as instructed below.
If the error message tells the incorrect configuration, modify /etc/ssh/sshd_config
with VIM editor by referring to the correct configuration file of another instance.
/etc/ssh/sshd_config
library file of a normal CVM to the \tmp
directory of the target CVM using FTP.Note
\tmp
is used in this example. You can replace with the actual directory.
cp /tmp/sshd_config /etc/ssh/sshd_config
chmod 600 /etc/ssh/sshd_config
chown root:root /etc/ssh/sshd_config
service sshd start
rpm -e openssh-server
yum install openssh-server
service sshd start
You can roll back the system disk snapshot of the instance to recover the library file. For more information, please see Rolling Back Snapshots.
Note
- Note that snapshot rollback will cause loss of data stored after the snapshot creation.
- We recommend you roll back to snapshots one by one from the latest to the earliest till the SSH service resumes. If the SSH service still cannot run properly after the rollback, the system at that point in time has been abnormal.
Login or data transfer via SSH key over the private network in a Linux instance is slow, and after switch to the private network, the problem persists.
This may be because that the UseDNS feature of the SSH service is enabled. This feature is a security enhancement, which is not enabled by default. After it is enabled, the server will first perform a reverse DNS PTR record query based on the client IP to get the client's host name, then perform a forward DNS A record query based on the client's host name, and finally compare whether the obtained IP is the same as the original IP so as to prevent client frauds.
In general, the client uses a dynamic IP, and there is no corresponding PTR record; therefore, after this feature is enabled, no comparison can be made, and the relevant query operations increase the delay, eventually leading to slow client connection.
sshd_config
as instructed in Stepssshd_config
configuration file with VIM editor.vim /etc/ssh/sshd_config
UseDNS yes
#
) at the beginning of the line to comment it out.service sshd restart
Then you can log in to the Linux CVM instance via SSH key normally.Login to a Linux instance via SSH key fails, and an error message similar to the following may appear in the secure
log of the client or server:
Usually, this is because that the relevant key file of the SSH service is exceptional, so the sshd daemon cannot load the correct SSH host key. Common causes include the following:
Check and modify the configuration as instructed below.
The SSH service will check the permission of the relevant key file. For example, the default permission of a private key file is 600
, and if other permissions such as 777
are configured, then other users also have permissions to read or modify the file. In this case, the SSH service will deem that the configuration involves security risks, which causes client connection failures. The troubleshooting process is as follows:
Run the following commands to restore the default permission of the relevant file.
cd /etc/ssh/
chmod 600 ssh_host_*
chmod 644 *.pub
Run the ll
command to view the file permission. If the following result is returned, the file permission is normal.
total 156
-rw-------. 1 root root 125811 Nov 23 2013 moduli
-rw-r--r--. 1 root root 2047 Nov 23 2013 ssh_config
-rw------- 1 root root 3639 May 16 11:43 sshd_config
-rw------- 1 root root 668 May 20 23:31 ssh_host_dsa_key
-rw-r--r-- 1 root root 590 May 20 23:31 ssh_host_dsa_key.pub
-rw------- 1 root root 963 May 20 23:31 ssh_host_key
-rw-r--r-- 1 root root 627 May 20 23:31 ssh_host_key.pub
-rw------- 1 root root 1675 May 20 23:31 ssh_host_rsa_key
-rw-r--r-- 1 root root 382 May 20 23:31 ssh_host_rsa_key.pub
The SSH service will automatically rebuild a lost key file upon start. Run the following commands to check for the ssh_host_*
file.
cd /etc/ssh/
ll
If the following result is returned, the ssh_host_*
file exists.total 156
-rw-------. 1 root root 125811 Nov 23 2013 moduli
-rw-r--r--. 1 root root 2047 Nov 23 2013 ssh_config
-rw------- 1 root root 3639 May 16 11:43 sshd_config
-rw------- 1 root root 672 May 20 23:08 ssh_host_dsa_key
-rw-r--r-- 1 root root 590 May 20 23:08 ssh_host_dsa_key.pub
-rw------- 1 root root 963 May 20 23:08 ssh_host_key
-rw-r--r-- 1 root root 627 May 20 23:08 ssh_host_key.pub
-rw------- 1 root root 1675 May 20 23:08 ssh_host_rsa_key
-rw-r--r-- 1 root root 382 May 20 23:08 ssh_host_rsa_key.pub
Run the following command to delete the relevant file.
rm -rf ssh_host_*
On Ubuntu or Debian, run the following command to delete the relevant file.sudo rm -r /etc/ssh/ssh*key
Run the ll
command to check whether the file has been deleted successfully. If the following result is returned, it has been deleted successfully.
total 132
-rw-------. 1 root root 125811 Nov 23 2013 moduli
-rw-r--r--. 1 root root 2047 Nov 23 2013 ssh_config
-rw------- 1 root root 3639 May 16 11:43 sshd_config
Run the following command to restart the SSH service, and the relevant file will be generated automatically.
service sshd restart
On Ubuntu or Debian, run the following command to restart the SSH service.sudo dpkg-reconfigure openssh-server
Run the ll
command to check whether the ssh_host_*
file has been generated successfully. If the following result is returned, it has been generated successfully.
total 156
-rw-------. 1 root root 125811 Nov 23 2013 moduli
-rw-r--r--. 1 root root 2047 Nov 23 2013 ssh_config
-rw------- 1 root root 3639 May 16 11:43 sshd_config
-rw------- 1 root root 668 May 20 23:16 ssh_host_dsa_key
-rw-r--r-- 1 root root 590 May 20 23:16 ssh_host_dsa_key.pub
-rw------- 1 root root 963 May 20 23:16 ssh_host_key
-rw-r--r-- 1 root root 627 May 20 23:16 ssh_host_key.pub
-rw------- 1 root root 1671 May 20 23:16 ssh_host_rsa_key
-rw-r--r-- 1 root root 382 May 20 23:16 ssh_host_rsa_key.pub
Log in to the instance via SSH key. For more information, please see Logging into Linux Instance via SSH Key.When the SSH service is started on a Linux instance, the "must be owned by root and not group or word-writable" error message is returned.
Usually, this is because that the relevant permission or grouping of the SSH service is exceptional. For security reasons, the service has certain requirements for the permission configuration and grouping of directories or files.
Check and modify the incorrect configuration as instructed below.
/var/empty/sshd
directory/etc/securetty
fileNoteThis document uses CentOS 7.6 as an example. Please proceed based on the actual business conditions.
/var/empty/sshd
directory/var/empty/sshd
directory.ll -d /var/empty/sshd/
The following is the default permission configuration.drwx--x--x. 2 root root 4096 Aug 9 2019 /var/empty/sshd/
NoteThe
/var/empty/sshd
directory has the permission711
and is a root user in the root group by default.
chown -R root:root /var/empty/sshd
chmod -R 711 /var/empty/sshd
systemctl restart sshd.service
/etc/securetty
file/etc/securetty
file.ll /etc/securetty
The following is the default permission configuration.-rw-------. 1 root root 255 Aug 5 2020 /etc/securetty
NoteThe
/etc/securetty
file has the permission600
and is a root user in the root group by default.
chown root:root /etc/securetty
chmod 600 /etc/securetty
systemctl restart sshd.service
Log in to the instance via SSH key. For more information, please see Logging into Linux Instance via SSH Key.Login to a Linux instance via SSH key fails, and the following error message appears:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
ae:6e:68:4c:97:a6:91:81:11:38:8d:64:ff:92:13:50.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:70
RSA host key for x.x.x.x has changed and you have requested strict checking.
Host key verification failed.
The host key of `X.X.X.X` (port: XX) is not the same as the one saved in the host key database. The host key has been changed or someone is attempting to eavesdrop this connection. If you are not sure, we recommend you cancel this connection.
After the Linux instance is reinstalled, changes in the account information lead to the change in the SSH public key, so the public key fingerprint saved on the client is not the same as that saved on the server, resulting in SSH authentication failure and denied login.
Fix the problem as instructed below based on the operating system of the client.
NoteThis document uses PuTTY as an SSH client example. Please proceed based on the actual conditions.
NoteThis document uses CentOS 6.5 as an operating system example of the Linux instance. As the steps may vary by operating system, please proceed based on the actual conditions.
known_hosts
file of the corresponding account.vi ~/.ssh/known_hosts
1.14.xxx.xx
skowcenw96a/pxka32sa....
dsaprgpck2wa22mvi332ueddw...
Login to a Linux instance via SSH key fails with the correct password entered. When this problem occurs, login in the console and via SSH key may both fail, or only one of them can succeed. An error message similar to the following appears in the secure
log:
The relevant access control policy of the PAM module (pam_listfile.so) causes the user login to fail.
Pluggable Authentication Module (PAM) is an authentication mechanism proposed by Sun. It provides some dynamic link libraries and a set of unified APIs to separate a system service from its authentication method. This allows the system admin to flexibly configure different authentication methods for different services as needed without modifying service programs and add new authentication methods to the system easily.
Each application with the PAM module enabled has a configuration file named after it in the /etc/pam.d
directory; for example, the configuration file of the login
command is /etc/pam.d/login
, where you can configure specific policies. For more information on pam_listfile
, please see pam_listfile - deny or allow services based on an arbitrary file.
Check and repair the PAM module as instructed in Steps.
NoteThe steps in this document are for CentOS 6.5 as an example. As the steps may vary by operating system, please proceed based on the actual conditions.
cat
command to view the corresponding PAM configuration file as described below:File | Feature Description |
---|---|
/etc/pam.d/login | Configuration file of the console (VNC) |
/etc/pam.d/sshd | Configuration file of SSH login |
/etc/pam.d/system-auth | Global configuration file of the system |
auth required pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail
Description:#
) at the beginning of the line to comment it out.NoteThe relevant policy configuration can improve the server security. We recommend you back up the configuration before modifying it as needed.
# auth required pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail
Login to a Linux instance via SSH key fails with the correct username and password entered. When this problem occurs, login in the console and via SSH key may both fail, or only one of them can succeed. An error message similar to the following appears in the secure
log:
pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root".
The policy configuration of the PAM module bans users with a UID of below 1000
from logging in.
Check and repair the PAM module as instructed in Steps.
NoteThe steps in this document are for CentOS 6.5 as an example. As the steps may vary by operating system, please proceed based on the actual conditions.
cat
command to view the corresponding PAM configuration file as described below:File | Feature Description |
---|---|
/etc/pam.d/login | Configuration file of the console (VNC) |
/etc/pam.d/sshd | Configuration file of SSH login |
/etc/pam.d/system-auth | Global configuration file of the system |
auth required pam_succeed_if.so uid >= 1000
#
) at the beginning of the line to comment it out. We recommend you back up the configuration before modifying it as needed.auth required pam_succeed_if.so uid <= 1000 # Modify the policy
# auth required pam_succeed_if.so uid >= 1000 # Comment out the relevant configuration
During login to a Linux instance via SSH key, the "Maximum amount of failed attempts was reached" error message appears.
Entering incorrect passwords several consecutive times triggered the policy restriction of the PAM module, causing the user account to be locked.
NoteFor more information on PAM, please see pam_tally2 - login counter (tallying) module.
Please proceed based on the actual conditions as instructed below:
NoteThe steps in this document are for CentOS 7.6 and 6.5 as an example. As the steps may vary by operating system, please proceed based on the actual conditions.
cat /etc/pam.d/system-auth
cat /etc/pam.d/login
cat /etc/pam.d/sshd
#
) at the beginning of the line to comment it out. This document uses commenting the configuration out as an example. After the modification, the relevant configuration is as shown below:#auth required pam_tally2.so deny=3 unlock_time=5
#auth required pam_tally.so onerr=fail no_magic_root
#auth requeired pam_tally2.so deny=5 lock_time=30 unlock_time=10 even_deny_root root_unlock_time=10
Description:pam_tally2
module is used here; if it is not supported, use the pam_tally
module. The settings may vary by PAM version. For more information on how to use a specific module, please see the corresponding rules.pam_tally2
and pam_tally
modules can be used for account lockout policy control. They differ in that the former has the automatic unlock time feature.even_deny_root
indicates to restrict the root user.deny
indicates to set the maximum number of consecutive incorrect login attempts for general users and root users. After it is exceeded, the user will be locked.unlock_time
indicates to unlock general users after they are locked for a specified period of time in seconds.root_unlock_time
indicates to unlock root users after they are locked for a specified period of time in seconds.pam_tally2 -u root # View the number of consecutive incorrect password attempts made by the root user
pam_tally2 -u root -r # Clear the number of consecutive incorrect password attempts made by the root user
authconfig --disableldap --update # Update the PAM authentication record
Login to a Linux instance via SSH key fails, and a message similar to the following is displayed in the secure
log:
login: Module is unknown.
login: PAM unable to dlopen(/lib/security/pam_limits.so): /lib/security/pam_limits.so: cannot open shared object file: No such file or directory.
Each application with the PAM module enabled has a configuration file named after it in the /etc/pam.d
directory; for example, the configuration file of the login
command is /etc/pam.d/login
, where you can configure specific policies as shown below:
File | Feature Description |
---|---|
/etc/pam.d/login | Configuration file of the console (VNC) |
/etc/pam.d/sshd | Configuration file of SSH login |
/etc/pam.d/system-auth | Global configuration file of the system |
Check and repair the configuration file as instructed in Steps.
NoteThis document discusses the
/etc/pam.d/sshd
and/etc/pam.d/system-auth
files. If/etc/pam.d/login
is exceptional, please submit a ticket for assistance.
cat [absolute path of the corresponding PAM configuration file]
Check for the configuration similar to what is shown below. The file path is /lib/security/pam_limits.so
.session required pam_limits.so
/lib/security/pam_limits.so
path is incorrect.ll /lib/security/pam_limits.so
pam_limits.so
module. The correct path should be /lib64/security
on a 64-bit Linux instance. The modified configuration information should be as shown below:session required /lib64/security/pam_limits.so
The "fatal: mm_request_send: write: Broken pipe" error message is displayed due to an SSH service exception caused by a virus.
This may be because that viruses such as udev-fall affect the normal execution of the SSH service.
Fix the virus issue based on actual conditions as instructed below.
This document uses the udev-fall virus as an example. You can temporarily make the SSH service work normally as instructed below.
ps aux | grep udev-fall
kill -9 [virus process ID]
chkconfig udev-fall off
for i in ` find / -name "udev-fall"`;
do echo '' > $i && rm -rf $i;
done
systemctl restart sshd.service
As it is unclear whether the virus or intruder has made other changes to the system or hides other virus files, to ensure the long-term stable operations of the server, we recommend you restore the server to its normal state by rolling back the system disk snapshot of the instance. For more information, please see Rolling Back Snapshots.
Note
- Note that snapshot rollback will cause loss of data stored after the snapshot creation.
- We recommend you roll back to snapshots one by one from the latest to the earliest till the SSH service resumes. If the SSH service still cannot run properly after the rollback, the system at that point in time has been abnormal.
When the SSH service is started by the service
or systemctl
command on a Linux instance, the command line does not return any error message, but the service cannot run properly, and an error message similar to the following is displayed in the secure
log:
sshd.service: main process exited, code=exited, status=203/EXEC.
init: ssh main process (1843) terminated with status 255.
Usually, this is because that configuration of the PATH
environment variable is exceptional or the relevant files of the SSH software package are removed.
Check and repair the PATH
environment variable or reinstall the SSH software package as instructed in Steps.
NoteThe steps in this document are for CentOS 6.5 as an example. As the steps may vary by operating system, please proceed based on the actual conditions.
echo $PATH
PATH
environment variable with its default value as shown below:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
If the returned value of the PATH
environment variable is not the same as the default value, you need to run the following command to reset it.export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
find / -name sshd
/usr/sbin/sshd
service sshd restart
Log in to the instance via SSH key. For more information, please see Logging into Linux Instance via SSH Key.During login to a Linux instance via SSH key, the following error message is returned:
-bash: fork: retry: Resource temporarily unavailable.
pam_limits(sshd:session): could not sent limit for 'nofile':operaton not permitted.
Permission denied.
Usually, this is because that the number of currently opened shell processes or files exceeds the ulimit system environment limit of the server.
Modify the limits.conf
file to permanently change the ulimit system environment limit based on the operating system version as instructed in Steps.
Note
- Since CentOS 6, the
X-nproc.conf
file is used to manage the ulimit system environment limits. The steps for versions below and above CentOS 6 are differentiated here. The prefix number of theX-nproc.conf
file varies by system version; for example, it is90-nproc.conf
on CentOS 6 and20-nproc.conf
on CentOS 7. Please proceed based on the actual environment.- This document uses CentOS 7.6 and CentOS 5 as an example. Please proceed based on the actual business conditions.
cat /etc/security/limits.conf
Description:soft
, hard
, and -
. soft
is the <value> of the current system that has taken effect.hard
is the maximum <value> set in the system.soft
cannot be greater than that of hard
. -
indicates to set the values of soft
and hard
at the same time.core
limits the kernel file size.rss
is the maximum resident set size.nofile
is the maximum number of opened files.noproc
is the maximum number of processes.limits.conf
file to comment out, modify, or delete the resource type code limited by the noproc
or nofile
parameter.limits.conf
file before modifying it.cp -af /etc/security/limits.conf /root/limits.conf_bak
cat /etc/security/limits.d/20-nproc.conf
If the returned result is as shown below, system resource limits have been enabled and the maximum number of connection processes allowed for all users except root users is 4,096./etc/security/limits.d/20-nproc.conf
file as instructed in Below CentOS 6. We recommend you back up the file before doing so.Login to a Linux instance via SSH key fails with the correct username and password entered. An error message similar to the following is directly returned or appears in the secure
log:
Usually, this is because that the default shell of the corresponding user is modified.
Check and repair the default shell configuration of the corresponding user as instructed in Steps.
cat /etc/passwd | grep test
If a message similar to the following is returned by the system, the shell of the test user has been changed to nologin
.test:x:1000:1000::/home/test:/sbin/nologin
/etc/passwd
file. We recommend you back up the file before doing so.vim /etc/passwd
/sbin/nologin
to /bin/bash
.
Was this page helpful?