ssh root access denied after changing shell
Solution 1
I found a solution in another forum. For all people with the same problem, perhaps this approach can help as well:
My provider changed the root password and tried the "chsh -s /bin/bash root" which didn't work, because the password was not accepted and the following error occurred: "chsh: PAM authentication failed".
dave_mystic gave the solution:
The real problem is in /etc/pam.d/chsh. In that file, the line which prevents users from changing back to a normal shell after being assigned a special shell appears before the line that authorizes all changes from the root.
Unfortunately, the following line was firing first, disallowing a change because the user's shell was NOT in the list of available shells. The authorization line from me being 'root' via sudo never fired because it was never checked after the first line fired.
auth required pam_shells.so
The solution was to temporarily comment out the line in /etc/pam.d/chsh, change the user's shell to the correct shell, and then remove the comment in the line.
Source: http://ubuntuforums.org/showthread.php?t=1702833
So I commented out the mentioned line and after that I was able to change the shell.
Solution 2
- Always use vipw to edit /etc/passwd, and vipw -s to edit /etc/shadow.
- Check that the shells you're trying to use are listed in /etc/shells.
- Check that SElinux is not set to 'enforcing' in /etc/selinux/config. Change it to 'permissive' or 'disabled'. [requires reboot]
- When you want to try a new shell don't log out to test it. Start up an additional SSH session or tty, and leave the current one running in case you f*ck it up.
- Check your logs for errors relevant to the login process that might indicate what else is wrong.
If you still can't fix it on your own, then contact your hosting provider. They will either know how to fix it inside of 10 minutes, or you should find a better host.
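An added example (not part of the original answers): a small POSIX shell check for the two conditions this thread runs into, a shell field in the passwd file that ends in a carriage return and a shell that is not listed in the shells file. The function names, sample accounts and report wording are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. audit_login_shells PASSWD_FILE SHELLS_FILE
# Prints accounts whose login shell would be refused; returns 1 if any found.
audit_login_shells() {
    cr=$(printf '\r')
    flagged=0
    while IFS=: read -r user pw uid gid gecos home shell || [ -n "$user" ]; do
        case $user in ''|'#'*) continue ;; esac
        [ -n "$shell" ] || shell=/bin/sh        # empty field means /bin/sh
        case $shell in
            */nologin|*/false)                  # deliberately non-interactive
                continue ;;
            *"$cr")                             # line was saved with \r\n
                shown=${shell%"$cr"}'\r'
                reason="CR in shell field" ;;
            *)
                shown=$shell
                if ! grep -Fxq -- "$shell" "$2"; then
                    reason="not in shells file" # pam_shells.so would refuse it
                elif [ ! -x "$shell" ]; then
                    reason="missing or not executable"
                else
                    continue
                fi ;;
        esac
        printf '%s: %s (%s)\n' "$user" "$shown" "$reason"
        flagged=1
    done < "$1"
    return "$flagged"
}

# Constructed sample, not from a real host: root's line was saved with \r\n,
# bob's shell path is a typo, www-data is a service account.
run_constructed_sample() {
    dir=$(mktemp -d) || return 1
    {
        printf 'root:x:0:0:root:/root:/bin/sh\r\n'
        printf 'alice:x:1000:1000::/home/alice:/bin/sh\n'
        printf 'bob:x:1001:1001::/home/bob:/usr/bin/zhs\n'
        printf 'www-data:x:33:33::/var/www:/usr/sbin/nologin\n'
    } > "$dir/passwd"
    printf '# constructed shells file\n/bin/sh\n/bin/bash\n' > "$dir/shells"
    audit_login_shells "$dir/passwd" "$dir/shells" || true
    rm -rf "$dir"
}
run_constructed_sample
```

On a live system it would be called as audit_login_shells /etc/passwd /etc/shells from a second session, before the first one is closed.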
tobias b.
Updated on September 18, 2022
Comments
-
tobias b. over 1 year
After I tried to change my server shell, I cannot log in as root anymore.
First, I installed the z-shell (zsh) as root and then I wanted to change it to my default shell. Therefore I used "chsh". My fault was that I typed in a wrong path. After logout and new login via PuTTY, I got the message "Access denied".
It was foreseeable, when the path to the shell doesn't exist. So I logged in to my control panel, and changed the /etc/passwd file via the file manager: I corrected the wrong last part of the first line - the root user:
root:x:0:0:root:/root:/usr/bin/zsh
Even if I change it to the old shell /bin/bash or /bin/sh it doesn't work. I read that passwd & shadow are no live-files, so I restarted the server, but still the same problem.
Any ideas what else I could do?
OS: Debian 5 + Parallels Plesk 11
-
Hennes about 11 years
Can you ssh or sudo and execute a command? ( /bin/sh would be a good command )
-
tobias b. about 11 years
No, sadly not. Until now, there was just the root user (from my side) and other users from Parallels Plesk I can't use. I'm only able to edit files using the file manager in the control panel.
-
Daniel t. about 11 years
Do you have console access to the server? If so, try booting it into single user mode, and then do the troubleshooting. Start with chsh -s /bin/bash root
-
tobias b. about 11 years
See comment above: no console access.
-
tobias b. about 11 years
I think I found the problem in auth.log:
Feb 20 21:10:59 <VPS> sshd[5678]: Failed password for invalid user root from <IP> port <PORT> ssh2
Feb 20 21:11:00 <VPS> sshd[5751]: User root not allowed because shell /bin/sh\r does not exist
Since I've edited the /etc/passwd via the web editor, the "\r" shouldn't be there.
-
-
Hennes about 11 years
+1 for the "don't log out to test it."
-
tobias b. about 11 years
Indeed very good hints! I will keep them in mind next time. I'm pretty sure that the check of the auth log file provided the error: 'User root not allowed because shell /bin/sh\r does not exist'. But I'm not sure how to edit this, because of the limited possibilities. One solution might be to contact my hosting provider (as you said) to let them help me. Maybe one last stupid question: Would it help to access the editor from a Linux system instead of Windows? Or is there no difference, because of the access via HTTP?
-
Sammitch about 11 years
@tobiasb. it's a tossup whether or not it would work or not via a Linux-based browser. It could be Windows sending a \r\n through the web interface, or it could be the WYSIWYG using \r\n for all line breaks. Can't hurt to try.
-
Sammitch about 11 years
@Hennes sadly, most of us don't learn about this one until after we do it.
-
Hennes about 11 years
Aye. Or until someone sitting next to you messes it up and thus teaches by example. In my case I was the lucky fellow.
-
tobias b. about 11 years
I wrote an email to my provider. First, I asked them to delete the "\r" in the passwd, but they answered that there is no \r in that line. Second, I asked them to execute "chsh -s /bin/bash root". There, they had to enter a password. They entered the root password, but got the message "chsh: PAM authentication failed". They changed the root password and tried it again, same problem. What could it be? Where is the problem?