NSX Appliance SSH Root Login Fails with Access Denied despite the ssh service running and root login being enabled



Article ID: 375479


Products

VMware NSX

Issue/Introduction

  • SSH access with root login may not have been enabled when initially deploying NSX.

  • When attempting to establish an SSH, SCP, or SFTP connection to an NSX-T Manager or Edge node using the root account, the connection is rejected with an "Access Denied" error.



  • As the admin user, running the command get service ssh shows the root login value as enabled and the SSH "service state" as running.



  • The behavior is often observed shortly after an upgrade to NSX 4.2.x from an earlier version.

  • This issue is predominantly seen in appliances upgraded from versions prior to 4.2 where legacy configuration files are preserved. Fresh installations of 4.2 or above and nodes utilizing SSH key-based authentication are generally unaffected.

  • The PermitRootLogin entry is commented out in the /etc/ssh/sshd_config file on the affected NSX appliance, as in the following screenshot:



    • This can be checked by running the command: grep -i passwordauthentication /etc/ssh/sshd_config

      • The working configuration would show: PasswordAuthentication yes

Cause

Starting with NSX 4.2.x, the underlying SSH daemon strictly enforces the /etc/ssh/sshd_config directives. The legacy management-plane toggle for 'root-login' no longer overrides the PermitRootLogin directive if it is explicitly set to prohibit-password or commented out.

Resolution

  1. Log in to the NSX-T manager console as root

  2. Edit the SSH service's configuration file:

    1. Open the file for editing by executing:  
      vi /etc/ssh/sshd_config

       

    2. Modify the configuration:

      1. Locate the line: "#PermitRootLogin prohibit-password" 

      2. Replace the line with: "PermitRootLogin yes"
        ^After opening a file with vi, type the letter "i" to enable "Insert" mode where changes can be made. When finished, hit the Esc key to end Insert mode again. *As seen at the bottom of the vi page:



    3. Save the updated configuration. 
      ^While not in Insert mode, type a colon (":") followed by "wq" (means write quit) and hit Enter.



      *To exit without applying changes, use "q!" instead.

  3. Restart the SSH service:

    • Execute the command:  
      /etc/init.d/ssh restart


*Note: If root login still fails, you may need to enable root login after restarting SSH.

  • As the admin user, execute: 
    set ssh root-login
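
To confirm what an sshd_config file actually yields before and after the edit above, the following is an added example and not part of the KB article. The function names are hypothetical, the defaults are those of upstream OpenSSH, and only whitespace-separated keywords in the global section are read (Include files and Match blocks are not evaluated).

```shell
#!/bin/sh
# Added example (not from the KB). Helper names are hypothetical.

# Print the effective global value of an sshd_config keyword.
# $1 = keyword, $2 = config file, $3 = default that applies when the keyword is unset
effective_sshd_value() {
    awk -v key="$1" -v def="$3" '
        BEGIN { want = tolower(key); val = def }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # commented-out or blank: not in force
        tolower($1) == "match" { exit }          # global section ends at the first Match block
        tolower($1) == want { val = $2; exit }   # sshd keeps the first value it reads
        END { print tolower(val) }
    ' "$2"
}

# Succeeds only when this file lets root log in with a password.
root_password_login_allowed() {
    prl=$(effective_sshd_value PermitRootLogin "$1" prohibit-password)
    pwa=$(effective_sshd_value PasswordAuthentication "$1" yes)
    [ "$prl" = "yes" ] && [ "$pwa" = "yes" ]
}

# Constructed sample files: the state the KB describes before and after the edit.
demo_dir=$(mktemp -d)
printf '%s\n' 'Port 22' '#PermitRootLogin prohibit-password' \
    'PasswordAuthentication yes' > "$demo_dir/before"
printf '%s\n' 'Port 22' 'PermitRootLogin yes' \
    'PasswordAuthentication yes' > "$demo_dir/after"

for f in before after; do
    value=$(effective_sshd_value PermitRootLogin "$demo_dir/$f" prohibit-password)
    if root_password_login_allowed "$demo_dir/$f"; then
        echo "$f: PermitRootLogin=$value (root password login allowed)"
    else
        echo "$f: PermitRootLogin=$value (root password login refused)"
    fi
done
rm -rf "$demo_dir"
```

On the appliance, pass /etc/ssh/sshd_config as the file argument to check the real configuration.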

 

Additional Information

Also refer to (KB 324233) Enable ssh root access for NSX appliances