Recovering SSH Access to an Oracle Linux 7 Instance

The default security configuration for the Oracle Linux 6.9 and 7.4 images released between December 18, 2017 and April 5, 2018 requires that credential rotation occur within 90 days. If you do not rotate credentials within the 90-day time frame, access to the instance will be denied. For more information, see Security Configurations Require Credential Rotation after 90 days.

If access to your Oracle Linux 7 instance is denied, and you are unable to log in, do not terminate the instance. You will need to perform the recovery steps below to regain access. If your instance is running Oracle Linux 6, see Recovering SSH Access to an Oracle Linux 6 Instance.

To recover your Oracle Linux 7 instance

  1. Confirm that the instance is running.

  2. Create a serial console connection for the instance and connect to it. See Creating the Instance Console Connection and Connecting to the Serial Console.

  3. Reboot the instance from the Console. See Using the Console.

  4. Once you see the following screen in your SSH client, use the up arrow key to get to the top line:

    Screenshot showing serial console window after instance reboot

    The exact version number displayed for your instance may be different than the one shown in the image.

  5. Press e.

  6. Scroll down to the last line, which starts with initrdefi.

  7. Press the left arrow key to get to the end of the long, wrapped line that starts with linuxefi.

  8. Press the space bar then add init=/bin/bash to the end of the line. The entry should look similar to the following image:

    Screenshot showing input for Oracle Linux 7 instance recovery

    If you make a mistake adding init=/bin/bash to the line, press the escape character to return to the menu and then start again from step 4.

  9. Press Ctrl-x to start the instance.

  10. From the command prompt, run the following commands:

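    # Load the SELinux policy, which the normal init would otherwise have done
    /usr/sbin/load_policy -i
    # Remount the root file system read-write (no space after the comma)
    /bin/mount -o remount,rw /
    # Clear every password-aging limit on the opc account
    chage --inactive=-1 --mindays=-1 --maxdays=-1 --warndays=-1 --expiredate=-1 --lastday=-1 opc
    # Disable the default inactivity lock for accounts created later
    /sbin/useradd -D -f -1
    # Raise the default maximum password age; the original file is kept as login.defs.bkp
    /bin/sed -i.bkp 's/^PASS_MAX_DAYS 90$/PASS_MAX_DAYS 99999/g' /etc/login.defs
    # Force an immediate reboot
    /usr/sbin/reboot -f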

After completing these steps, the instance will reboot with SSH access restored.
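
The following script is an added example, not part of the original Oracle procedure. It classifies an /etc/shadow entry by the aging fields that the chage command in step 10 clears, which is the check that shows whether an account is still heading for the 90-day lockout. The function name, the state names and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify an /etc/shadow entry by its password-aging state.
# Field layout per shadow(5):
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
# Day values count from 1970-01-01. Boundary-day handling differs slightly
# between PAM and shadow-utils; this sketch uses simple comparisons.

# aging_status SHADOW_LINE TODAY_DAYS  -> prints a one-word state
aging_status() {
    today=$2
    IFS=: read -r _name _hash lastchg _min max warn inactive expire _rest <<EOF
$1
EOF
    # An absolute account expiry date (chage --expiredate) wins over the rest.
    if [ -n "$expire" ] && [ "$expire" -ge 0 ] && [ "$today" -ge "$expire" ]; then
        echo account-expired; return
    fi
    # lastchg=0 forces a change at next login; an empty value disables aging.
    [ "$lastchg" = 0 ] && { echo must-change; return; }
    if [ -z "$lastchg" ] || [ -z "$max" ] || [ "$max" -lt 0 ]; then
        echo no-aging; return
    fi
    left=$(( lastchg + max - today ))   # days until the password expires
    if [ "$left" -lt 0 ]; then
        # Past the maximum age: locked once the inactivity window has passed.
        if [ -n "$inactive" ] && [ "$inactive" -ge 0 ] \
           && [ $(( -left )) -gt "$inactive" ]; then
            echo locked-inactive
        else
            echo password-expired
        fi
    elif [ -n "$warn" ] && [ "$left" -le "$warn" ]; then
        echo "expires-in-$left"
    else
        echo ok
    fi
}

# Constructed sample entries (not taken from a real instance).
BEFORE='opc:!!:17520:0:90:7:30::'   # 90-day maximum age, 30-day inactivity
AFTER='opc:!!:::::::'               # all aging fields cleared

for day in 17570 17605 17620 17650; do
    echo "day $day: before=$(aging_status "$BEFORE" "$day")" \
         "after=$(aging_status "$AFTER" "$day")"
done
```

On a live instance, the same function can be fed the opc line from /etc/shadow (read as root) together with `$(( $(date +%s) / 86400 ))` as the current day.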