Skip to content
Products
Platform
Developer Tools
Portal

Recover access to your VM or do emergency troubleshooting

In case you lose your SSH key and your password or the server cannot boot, you still have the option to recover your VM.

Prerequisites

Section titled “Prerequisites”

Linux operating system: Every linux distribution uses another default user name and the ssh daemon name differs for EL- and Debian-derivatives. Please, see Operating system images.

Recover access to your Linux VM

Section titled “Recover access to your Linux VM”

Reboot your VM from the web console.
Screenshot of a virtual machine management panel showing a dropdown menu with actions. The VM is labeled "VM-1" and is "Online." The dropdown menu is open, and the 'Reboot' action is highlighted, indicated by a cursor pointing to it, suggesting a user is about to click or select this option to restart the virtual machine.

Go to the STACKIT Portal and access the web console:
Screenshot of a virtual machine management panel showing a dropdown menu with actions. The VM is labeled "VM-1" and is "Online." The dropdown menu is open, and the 'Web console' action is highlighted, indicated by a cursor pointing to it, suggesting a user is about to click or select this option to open the console access.

You will see your VM booting, press the Send CtrlAltDel button in the upper right corner.
Screenshot of a black terminal window displaying the login prompt for a successful text-based boot. The header text shows 'Ubuntu 22.04 LTS server3 tty1', and the prompt reads 'server3 login: _', indicating the virtual machine has finished booting and is ready for a user to log in.

Press the arrow keys or press and hold Shift during loading Grub. If you boot using BIOS or if system boots using UEFI, press Esc to stop grub’s menu timeout - it is quite short. If you miss the moment, just press Send CtrlAltDel again.
You should see something like this:

Press up and down.

Select the latest (uppermost) menu entry.

Screenshot of the GNU GRUB version 2.06 boot loader menu. The main options visible are 'Ubuntu' (highlighted) and 'Advanced options for Ubuntu.' At the bottom, text instructs the user: "Use the $\uparrow$ and $\downarrow$ keys to select which entry is highlighted. Press enter to boot the selected OS, 'e' to edit the commands before booting or 'c' for a command-line."

Now edit your menu (press the letter e on the keyboard) that will allow you to edit the menu.

You will see something like this:
Screenshot of the GNU GRUB version 2.06 boot loader edit screen, showing the boot commands for the Ubuntu entry. The text displays a sequence of commands, including setparams 'Ubuntu', load_video, gfxmode $linux_gfx_mode, insmod ext2, and the linux and initrd lines specifying the kernel path (/boot/vmlinuz-5.15.0-41-generic) and boot parameters. The bottom text explains the editing controls: "Minimum Emacs-like screen editing is supported. TAB lists completions. Press Ctrl-x or F10 to boot, Ctrl-c or F2 for a command-line or ESC to discard edits and return to the GRUB menu."

Now scroll down (use the arrow keys) to the line that starts with linux, linux16, or linuxefi according to the different distributions:
Screenshot of the GNU GRUB version 2.06 boot loader edit screen. It shows the commands for the Ubuntu entry, specifically after an edit to the linux and initrd lines. The command lines are partially visible, showing the kernel path and a modification where the initrd command is now on a separate line below the linux command. This represents an intermediate step in modifying the boot parameters.

Now go to the end of this line and delete everything after ro, then change ro to rw and after that, add init=/bin/bash. For servers based on Fedora, you need to keep rootflags=subvol=root which is located after ro , for example rw rootflags=subvol=root init=/bin/bash.

A screenshot of the GNU GRUB version 2.06 bootloader menu, showing the commands used to configure the boot process. The central white box displays lines including: recordfail, load_video, insmod part_gpt, insmod ext2, a long search command, the linux command line loading vmlinuz-5.15.0-41-generic and setting init=/bin/bash, and the initrd command line. This screen is typically used to edit boot parameters for recovery or advanced troubleshooting.

Now hold the Ctrl button on the keyboard and press x. The system will start to boot.
It will reach something similar to:
A console screenshot showing part of the Linux boot sequence and recovery shell access. The top lines show kernel messages (RAID/Btrfs operations), followed by status messages like Begin: Running /scripts/init-premount ... done. and warnings like Warning: fsck not present, so skipping root file system. The sequence concludes with a key error message: bash: cannot set terminal process group (-1): Inappropriate ioctl for device in this shell, immediately followed by the root shell prompt: root@(none):/#, indicating the user has been dropped into an emergency or recovery shell.

Now, you can do emergency troubleshooting or just recover your access to the server by entering the following in your console (copy and paste doesn’t work):

Terminal window
passwd root

Now change the root password, which you will use to log in.
For security reasons, you will change the root password later!
A minimal Linux console screenshot demonstrating a successful root password change. The prompt is root@(none):/#. The command passwd root is entered, followed by prompts for New password: and Retype new password:, and finally the confirmation message: passwd: password updated successfully.

Repeat the step above for default users of your distribution.

Now you need to temporarily allow logging in via password. We will change that at a later stage.
Open /etc/ssh/sshd_config.

Terminal window
vi /etc/ssh/sshd\_config

Find the line that looks like:

#PasswordAuthentication yes

Once the indicator is ontop the # sign, press x to delete that character.
Press the following sequence of keys: Esc, :, w, q, Enter.
This sequence will save your modifications.

Verify your changes

Section titled “Verify your changes”
Terminal window
sshd -t

A Linux terminal screenshot showing an error while checking the SSH daemon configuration. The command sshd -t is run, and the output shows: /etc/ssh/sshd_config: line 63: Bad configuration option: 1PasswordAuthentication followed by /etc/ssh/sshd_config: terminating, 1 bad configuration options. This indicates a configuration error on line 63 of the sshd_config file due to a misspelled or invalid option.

Good output looks like:
A Linux terminal screenshot showing a successful check of the SSH daemon configuration. The command sshd -t is run, and the output is a new, blank command prompt ([root@vm-1-fq4tx0z0 ~]#), indicating no configuration errors were found.

Restart the sshd daemon.
This daemon controls remote access to the linux server.

Terminal window
systemctl restart sshd

On EL-based systems (like CentOS), the daemon is called sshd, while on debian and derivatives, it’s called ssh.

Now, if your server is based on the Red Hat family (such as CentOS, CentOS Stream, Fedora, AlmaLinux, Rocky Linux), you need to “relabel” SELinux security with the command touch /.autorelabel. If your server is based on the Debian family (such as Debian, Ubuntu), you don’t need that. After that, reboot the server with the command exec /sbin/init 6.

touch /.autorelabel exec /sbin/init 6

Now you should be able to ssh with your password. Use the password you created:

Terminal window
ssh centos@4.159.97.5 Warning: Permanently added '4.159.97.5' (ECDSA) to the list of known hosts. centos@4.159.97.5's password: X11 forwarding request failed on channel 0 Last login: Thu May 21 09:15:14 2020 from 4.159.97.30 [centos@vm-1-fq4tx0z0 \~]$

Edit your authorized_keys to allow your new ssh key.

Terminal window
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMbC29mO0j9NnjTt/eSNQuwX0XPcFT77Fg20wUKCHFyJrC+yldMja8EEEo+LY2HRgu5mzDHdKG9nHW2yGtPt1kUfz6Icck/Of5uT5G9139IKdDd1VxdqDOKKQq6e+3cbtLe0JvAdEG/B7M0nIkpguVX2T2Lojsi7xF3sHjrg7vjYeFWmoBjWl7tilgu0eXTHFdmKvCJ05qjgU5OwXitE8YtxKd/iifs0YACan3PCFX4P4vAe/oBjmaIW2qCLaBTEI2COMl6/EVaIhiudplTFJV4ebbbidwhXkGWj8o0mMEv7umgIsU3Fv4UoUQ0fU7ZxqReApIBGLtKL6rG7NntTD6r6ROrh5VXfJfWRXQgBh+S/Ei9gvRBeu0qzqEiSIyIWT14+RsXjDuGBRch2GZmGjres7XEqtCRvpnDJ6A1gS8NFeHr9GcATUbBhS45iFCuDTvFfNgI7ydyOfWlB+/D8fvrfgXH7k1r5291oiNonVTmYkF3sDVWGmRvFoyZcSqBxftok4TCD9vEmqg7Uqa0eAkYIxyxffNmzUgY3UrxRLD+IyUFAoaXKMtkuxE5KrrBYSweIOa5pCvbJOjX/yP7R5SumvEOEJMSiu0bdd5UsP6ed8omax6FWcp3g+P4PMRMbaM/aMowAE+02TizdJ+PDfWD1+f6W4XMZHHyfwsfTeLKw== someuser@MYPC' >> \~/.ssh/authorized\_keys

Verify access via key. It should log you in without password.

Undo your changes in the sshd config file.
As we are now able to copy / paste in the shell (not the web console), you can run:

Terminal window
sudo sed -i 's/PasswordAuthentication yes/#PasswordAuthentication no/' /etc/ssh/sshd\_config

Again, verify your changes and restart sshd if no errors are detected:

Terminal window
sshd -t systemctl restart sshd

Fix SELinux (CentOS and derivatives):

Terminal window
touch /.autorelabel restorecon -RFvv /etc/shadow restorecon -RFvv /etc/ssh/sshd\_config setenforce 1

Now set the user’s passwords to something random:

Terminal window
cat /dev/urandom | tr -dc 'A-Za-z0-9!"#$%&'\\''()*+,-./:;<=>?@[\\]^\_`{|}\~' | head -c 25 | passwd --stdin root cat /dev/urandom | tr -dc 'A-Za-z0-9!"#$%&'\\''()*+,-./:;<=>?@[\\]^\_`{|}\~' | head -c 25 | passwd --stdin centos

Reboot:

Terminal window
reboot