Introduction
This article aims to provide some things to check when a specific administrator or analyst is unable to SSH as root into your server.
Note: This article assumes that you have at least some level of root access to the server, such as SSH, WHM, or console. If you have WHM access, you can use the WHM Terminal To Access the Command-Line to complete the document's steps. If you cannot access the server at all, it would be best to reach out to your hosting provider or datacenter (see also, Can cPanel reset a lost password?, What should I do if I lost my root password? and How do I identify my hosting provider?)
Procedure
While attempting to access the command line, one might encounter an error like this:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
The words in the parenthesis show the authentication types that are allowed by the server. If "password" is missing from this list, you can deduct that password authentication is disabled.
If the correct password is used, or the correct SSH key is authorized for root, and you can access SSH, use the cPhulkd command-line tools to whitelist the IP you are connecting from to prevent further blocks. The following command can be used by replacing the example($IP) with your actual IP address.
/usr/local/cpanel/scripts/cphulkdwhitelist $IP
If the client IP address is whitelisted already and should be authorized, the next thing to check would be the "secure" log that logs all authentication and authorization privileges.
You can either tail the last X number of lines (like 30) of the log, or tail it with the follow (-f) flag to watch it in real-time while attempting to SSH. For example:
tail -n30 /var/log/secure
To tail the log live:
tail -n0 -f /var/log/secure
The output of one of these commands might give you more information on why the authentication isn't working.
This leads to the next step in troubleshooting this type of issue, which is to check the SSH daemon configuration. Run the following command as root to get all of the currently configured SSH options:
egrep -v '^$|^#' /etc/ssh/sshd_config
Here's an example of output from that command:
PasswordAuthentication yes
PermitRootLogin no
As you can see here, root logins are disabled. This is generally done for security reasons, as we advise that you should do this (see: How can I secure SSH access to my server?). So, with that in mind, if you see "PermitRootLogin no," that explains why the person trying to access root cannot log in. You will need to either provide them with a wheel user, or edit the configuration to temporarily allow root logins (PermitRootLogin yes), then restart SSH.
If you are unsure about what a setting in /etc/ssh/sshd_config means, you can consult the man page for the configuration file by running the following command:
man /etc/ssh/sshd_config
The SSH server must be restarted to load any changes made to this file. To restart SSH on the command-line, run this command as root:
/usr/local/cpanel/scripts/restartsrv_sshd
If you are unfamiliar with the root command-line experience, you might consider having a qualified systems administrator review your configuration changes before restarting the service. For a list of systems administrators, review System Administration Services.
We have a few other related articles that have specific errors and causes that you might find and how to solve them:
SSH: "Permission Denied" Authentication refused: bad ownership or modes for directory /root/.ssh
How to enable or disable PasswordAuthentication in SSH
The "The system failed to lock the immutable" error