ssh root access denied after changing shell


Solution 1

I found a solution in another forum. For all people with the same problem, perhaps this approach can help as well:

My provider changed the root password and tried the "chsh -s /bin/bash root" which didn't work, because the password was not accepted and the following error occurred: "chsh: PAM authentication failed".

dave_mystic gave the solution:

The real problem is in /etc/pam.d/chsh. In that file, the line which prevents users from changing back to a normal shell after being assigned a special shell appears before the line that authorizes all changes from the root.

Unfortunately, the following line was firing first, disallowing a change because the user's shell was NOT in the list of available shells. The authorization line from me being 'root' via sudo never fired because it was never checked after the first line fired.

auth required pam_shells.so

The solution was to temporarily comment out the line in /etc/pam.d/chsh, change the user's shell to the correct shell, and then remove the comment in the line.

Source: http://ubuntuforums.org/showthread.php?t=1702833

So I commented out the mentioned line and after that I was able to change the shell.
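
A way to check the ordering described in this answer without editing anything, as an added example that is not part of the original post: the function reports which of the two modules comes first among the active auth lines. The name pam_auth_order, the sample file contents, and the assumption that pam_rootok.so is the root-authorizing line the answer refers to are illustrative.

```shell
#!/bin/sh
# Added example (not from the original answer): report which of pam_shells.so
# and pam_rootok.so comes first in a PAM service file's auth stack.

# pam_auth_order FILE -> "shells-first", "rootok-first" or "n/a"
pam_auth_order() {
    awk '
        /^[ \t]*#/ { next }                 # commented-out lines are inactive
        $1 == "auth" {
            if (!s && $0 ~ /pam_shells\.so/) s = NR
            if (!r && $0 ~ /pam_rootok\.so/) r = NR
        }
        END {
            if (!s || !r)   print "n/a"     # one or both modules not active
            else if (s < r) print "shells-first"
            else            print "rootok-first"
        }
    ' "$1"
}

# Constructed sample, in the order the answer describes (assumed layout).
sample_chsh_pam() {
    printf 'auth required pam_shells.so\n'
    printf 'auth sufficient pam_rootok.so\n'
}

tmp=$(mktemp)
sample_chsh_pam > "$tmp"
pam_auth_order "$tmp"                       # shells-first
# Same file with the pam_shells.so line commented out, as in the answer.
sed 's/^auth required pam_shells/#&/' "$tmp" > "$tmp.edit"
pam_auth_order "$tmp.edit"                  # n/a
rm -f "$tmp" "$tmp.edit"
```

Run against /etc/pam.d/chsh after the shell has been changed, a result of "n/a" shows that the pam_shells.so line is still commented out and has not been restored.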

Solution 2

  1. Always use vipw to edit /etc/passwd, and vipw -s to edit /etc/shadow.
  2. Check that the shells you're trying to use are listed in /etc/shells.
  3. Check that SELinux is not set to 'enforcing' in /etc/selinux/config. Change it to 'permissive' or 'disabled'. [requires reboot]
  4. When you want to try a new shell don't log out to test it. Start up an additional SSH session or tty, and leave the current one running in case you f*ck it up.
  5. Check your logs for errors relevant to the login process that might indicate what else is wrong.

If you still can't fix it on your own, then contact your hosting provider. They will either know how to fix it inside of 10 minutes, or you should find a better host.
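
The check from step 2, extended to catch the stray carriage return that shows up in the auth.log message quoted in the comments below, as an added example that is not part of the original answer. The function names and the sample passwd and shells contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answers): flag passwd entries whose
# login shell would be refused at login or by pam_shells.

# audit_shells PASSWD SHELLS -> prints one "user:problem" line per bad entry
audit_shells() {
    passwd_file=$1
    shells_file=$2
    cr=$(printf '\r')
    while IFS=: read -r user pw uid gid gecos home shell || [ -n "$user" ]; do
        case $user in ''|'#'*) continue ;; esac
        [ -n "$shell" ] || continue         # empty field: system default shell
        case $shell in
            *"$cr"*) echo "$user:carriage-return-in-shell"; continue ;;
        esac
        if ! grep -qxF -- "$shell" "$shells_file"; then
            echo "$user:not-in-shells"
        elif [ ! -x "$shell" ]; then
            echo "$user:missing-or-not-executable"
        fi
    done < "$passwd_file"
}

# Constructed sample data: root's line was saved with a CRLF ending, bob's
# shell path is a typo, alice is fine.
make_sample() {
    printf 'root:x:0:0:root:/root:/bin/sh\r\n'         >  "$1/passwd"
    printf 'alice:x:1000:1000::/home/alice:/bin/sh\n'  >> "$1/passwd"
    printf 'bob:x:1001:1001::/home/bob:/usr/bin/zhs\n' >> "$1/passwd"
    printf '# /etc/shells\n/bin/sh\n/bin/bash\n'       >  "$1/shells"
}

tmp=$(mktemp -d)
make_sample "$tmp"
audit_shells "$tmp/passwd" "$tmp/shells"
rm -rf "$tmp"
```

On a live system the call is `audit_shells /etc/passwd /etc/shells`, run from the spare session that step 4 tells you to keep open.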

Author by

tobias b.

Updated on September 18, 2022

Comments

  • tobias b.
    tobias b. over 1 year

    After I tried to change my server shell, I cannot log in as root anymore.

    First, I installed the z-shell (zsh) as root and then I wanted to change it to my default shell. Therefore I used "chsh". My fault was that I typed in a wrong path. After logout and new login via PuTTY, I got the message "Access denied".

    It was foreseeable, when the path to the shell doesn't exist. So I logged into my control panel, and changed the /etc/passwd file via the file manager: I corrected the wrong last part of the first line - the root user:

    root:x:0:0:root:/root:/usr/bin/zsh

    Even if I change it to the old shell /bin/bash or /bin/sh it doesn't work. I read that passwd & shadow are no live-files, so I restarted the server, but still same problem.

    Any ideas, what else i could do?

    OS: Debian 5 + Parallels Plesk 11

    • Hennes
      Hennes about 11 years
      Can you ssh or sudo and execute a command? ( /bin/sh would be a good command )
    • tobias b.
      tobias b. about 11 years
      No, sadly not. Until now, there was just the root user (from my side) and other users from Parallels Plesk I can't use. I'm only able to edit files using the file manager in the control panel.
    • Daniel t.
      Daniel t. about 11 years
      Do you have console access to the server? If so, try booting it into single user mode, and then do the troubleshooting. Start with chsh -s /bin/bash root
    • tobias b.
      tobias b. about 11 years
      see comment above: no console access.
    • tobias b.
      tobias b. about 11 years
      I think I found the problem in auth.log:

      Feb 20 21:10:59 <VPS> sshd[5678]: Failed password for invalid user root from <IP> port <PORT> ssh2
      Feb 20 21:11:00 <VPS> sshd[5751]: User root not allowed because shell /bin/sh\r does not exist

      Since I've edited the /etc/passwd via the web editor, the "\r" shouldn't be there.
  • Hennes
    Hennes about 11 years
    +1 for the "don't log out to test it."
  • tobias b.
    tobias b. about 11 years
    Indeed very good hints! I will keep them in mind next time. I'm pretty sure that the check of the auth log file provided the error: 'User root not allowed because shell /bin/sh\r does not exist'. But I'm not sure how to edit this, because of the limited possibilities. One solution might be to contact my hosting provider (as you said) to let them help me. Maybe one last stupid question: Would it help to access the editor from a Linux system instead of Windows? Or is there no difference, because of the access via HTTP?
  • Sammitch
    Sammitch about 11 years
    @tobiasb. it's a tossup whether or not it would work or not via a Linux-based browser. It could be Windows sending a \r\n through the web interface, or it could be the WYSIWYG using \r\n for all line breaks. Can't hurt to try.
  • Sammitch
    Sammitch about 11 years
    @Hennes sadly, most of us don't learn about this one until after we do it.
  • Hennes
    Hennes about 11 years
    Aye. Or until someone sitting next to you messes it up and thus teaches by example. In my case I was the lucky fellow.
  • tobias b.
    tobias b. about 11 years
    I wrote an email to my provider. First, I asked them to delete the "\r" in the passwd, but they answered that there is no \r in that line. Second, I asked them to execute "chsh -s /bin/bash root". There, they had to enter a password. They entered the root password, but got the message "chsh: PAM authentication failed". They changed the root password and tried it again, same problem. What could it be? Where is the problem?