Recover Access When Password Authentication Fails
This guide provides solutions for issues related to password-based SSH authentication.
Unable to SSH Due to Password Loss
If a Linux instance uses password-based SSH login (instead of key pairs) and the password is lost, SSH access is no longer possible. In this case, you must create a new instance and use a user script to recover access.
Permission denied (password).
▶️ Solution
This guide is based on OpenAPI, but the same tasks can also be performed in the Kakao Cloud Console. Complete the prerequisites in Getting Started with OpenAPI before proceeding.
This recovery process is divided into 5 steps, each with its purpose, required parameters, sample requests/responses, and configuration notes. Be sure to replace all values with those specific to your environment.
Step 1. Retrieve Information of the Existing Instance
Use the Get instance OpenAPI to obtain instance ID, root volume ID, instance type, security group, key pair, etc.
Request
curl -X GET 'https://bcs.kr-central-2.kakaocloud.com/api/v1/instances/$(INSTANCE_ID)' \
-H 'Accept: application/json' \
-H 'X-Auth-Token: $(API_TOKEN)'
Information to retrieve from the response
| Information | Response Body Field |
|---|---|
| Instance ID | instance.id |
| Root Volume ID | instance.attached_volumes.id (with is_root=true) |
| Root Volume Size | instance.attached_volumes.size (with is_root=true) |
| Instance Type ID | instance.flavor.id |
| Security Group Name | instance.security_groups.name |
| Key Pair Name | instance.key_name |
| Availability Zone | instance.availability_zone |
Step 2. Create Image from the Instance
Create an image using Create image OpenAPI.
If an image is created from a running instance, data in memory may not be fully written to disk, potentially causing data inconsistency. It is recommended to stop the instance before creating an image.
Request
curl -X POST 'https://volume.kr-central-2.kakaocloud.com/api/v1/volumes/$(ROOT_VOLUME_ID)/image' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'X-Auth-Token: $(API_TOKEN)' \
-d '{
"image": {
"name": "$(IMAGE_NAME)",
"description": "$(IMAGE_DESC)"
}
}'
Information to retrieve
| Information | Response Body Field |
|---|---|
| Image ID | image.id |
Step 3. Write a User Script
If SSH access is lost due to password loss, you can use a user_data script during instance creation to configure SSH access again.
Scripts are executed at the first boot of an instance and must be provided as a Base64-encoded string (max 16 KB).
Choose one of the following recovery methods based on your instance OS:
Option 1: Enable public key login via key pair
Create a shell script that modifies sshd_config to enable PubkeyAuthentication, and restart the SSH daemon.
#!/bin/bash
CONFIG_FILE="/etc/ssh/sshd_config"
BACKUP_FILE="/etc/ssh/sshd_config.bak"
cp "$CONFIG_FILE" "$BACKUP_FILE"
if grep -qE '^[[:space:]]*PubkeyAuthentication[[:space:]]+' "$CONFIG_FILE"; then
sed -i 's/^[[:space:]]*PubkeyAuthentication[[:space:]]\+.*/PubkeyAuthentication yes/' "$CONFIG_FILE"
else
echo "PubkeyAuthentication yes" >> "$CONFIG_FILE"
fi
sudo systemctl restart sshd
Encode to Base64:
base64 < keypair-setting.sh | tr -d '\n'
Option 2: Set a new password
Create a shell script to reset the password and update SSH config to allow password login.
#!/bin/bash
USERNAME="ubuntu"
PASSWORD="InitPassword123!"
if id "$USERNAME" &>/dev/null; then
echo "$USERNAME:$PASSWORD" | sudo chpasswd
fi
CONF_FILE="/etc/ssh/sshd_config.d/50-cloud-init.conf"
if [ -f "$CONF_FILE" ]; then
sed -i 's/^PasswordAuthentication\s\+no/PasswordAuthentication yes/' "$CONF_FILE"
fi
sudo systemctl restart sshd
Encode to Base64:
base64 < passwd-setting.sh | tr -d '\n'
Step 4. Create a New Instance from the Image
Use the Create instance OpenAPI with the image and user_data to launch a new instance.
Request
curl -X POST 'https://bcs.kr-central-2.kakaocloud.com/api/v1/instances' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'X-Auth-Token: ${API_TOKEN}' \
-d '{
"instance": {
"name": "${INSTANCE_ID}",
"description": "${INSTANCE_DESC}",
"count": 1,
"image_id": "${IMAGE_ID}",
"flavor_id": "${FLAVOR_ID}",
"availability_zone": "${AZ}",
"subnets": [
{
"id": "${SUBNET_ID}"
}
],
"volumes": [
{
"is_delete_on_termination": true,
"size": ${VOLUME_SIZE},
"source_type": "image",
"uuid": "${IMAGE_ID}",
"type_id": "${VOLUME_TYPE_ID}"
}
],
"key_name": "${KEY_NAME}",
"security_groups": [
{
"name": "${SG_NAME}"
}
],
"user_data": "${BASE_64}"
}
}'
| 변수 | 설명 |
|---|---|
| API_TOKEN🖌︎ | API authentication token |
| INSTANCE_ID🖌︎ | New instance name |
| INSTANCE_DESC🖌︎ | Instance description |
| IMAGE_ID🖌︎ | Image ID created in Step 2 |
| FLAVOR_ID🖌︎ | Instance flavor ID |
| AZ🖌︎ | Availability zone to create the instance in |
| SUBNET_ID🖌︎ | Subnet ID |
| VOLUME_SIZE🖌︎ | Volume size, set the same as the original instance's root volume |
| VOLUME_TYPE_ID🖌︎ | Volume type ID |
| KEY_NAME🖌︎ | Key pair name |
| SG_NAME🖌︎ | Security group name |
| BASE_64🖌︎ | Base64-encoded script content |
- To get the Subnet ID: List subnets OpenAPI
- To get the Volume Type ID: List volume types OpenAPI
Step 5. Verify SSH Access to the New Instance
After the new instance has finished booting, attempt to connect via SSH to ensure it is functioning properly.
# If using a key pair
ssh -i ${pem-key-file} ${username}@${server-ip}
# If using the password reset option
ssh ${username}@${server-ip}
Password-based SSH Authentication Not Working
Even if PasswordAuthentication is enabled, password-based SSH login might still not work.
This is because the setting for password-based authentication is often overridden by configuration files located in the /etc/ssh/sshd_config.d/ directory, which take precedence over the main /etc/ssh/sshd_config file.
Therefore, when modifying SSH authentication settings, you must check and update both locations to ensure the configuration is applied correctly.