SSH authenticated you, but the server could not start your login shell. It usually means the user's shell is missing or invalid, the home directory or shell binary has bad permissions, the disk is full or read-only, or a security/PAM policy blocked the session.
The message 'shell request failed on channel 0' is a server-side error. Authentication and channel setup succeeded, but when sshd tried to exec the user's login shell on channel 0 (the session channel), that exec failed. The client therefore reports the shell request as failed and the connection closes. Because the failure happens at shell-exec time, the problem is almost always about the shell itself or the environment it needs: the shell program named in the user's passwd entry must exist and be executable, the home directory must exist with sane ownership/permissions, the filesystem must be writable and have free space, and any PAM, SELinux/AppArmor, or profile scripts that run at login must succeed. On Windows OpenSSH the equivalent is a missing or wrong DefaultShell registry value. This is not caused by SysV semaphore exhaustion or a fixed pseudo-terminal limit. Starting a login shell does not consume SysV IPC semaphores, and modern Linux uses Unix98 devpts where the PTY ceiling (kernel.pty.max) defaults to several thousand, so those are not the cause here.
Run a non-interactive command. If that works but an interactive login does not, the problem is the login-shell startup, not SSH connectivity or auth.
# Non-interactive: bypasses the login shell startup path
ssh user@hostname echo ok
# Interactive: this is what fails with "shell request failed on channel 0"
ssh user@hostnameIf echo ok prints ok but the plain login closes immediately, focus the rest of your troubleshooting on the user's shell and its startup environment on the server.
Most cases are a bad shell entry. Check what shell the account is configured to use and confirm the binary is present and runnable.
# What shell is assigned to the user?
getent passwd "$USER"
# e.g. user:x:1000:1000::/home/user:/bin/bash <- last field is the shell
# Does the shell binary exist and is it executable?
ls -l /bin/bash
file /bin/bash
# Is it a valid login shell?
cat /etc/shellsIf the shell is missing, set to /usr/sbin/nologin / /bin/false, or not in /etc/shells, repair it (run as root or with sudo on the server):
sudo usermod -s /bin/bash username
# Add the shell to /etc/shells if it is missing
grep -qxF /bin/bash /etc/shells || echo /bin/bash | sudo tee -a /etc/shellsThe shell needs a valid home directory it can read and write. Wrong ownership or a missing home directory will break the login shell.
# Confirm the home directory exists and is owned by the user
getent passwd "$USER" | cut -d: -f6 # shows the home path
ls -ld /home/username
# It should be owned by the user and not world-writable, e.g.:
# drwxr-xr-x 5 username username ... /home/usernameFix ownership/permissions if needed (run on the server as root):
sudo chown -R username:username /home/username
sudo chmod 755 /home/username
# If the home directory is missing, create and populate it:
sudo mkhomedir_helper username # Debian/Ubuntu (pam_mkhomedir)If the disk is full or the filesystem is mounted read-only, the shell cannot create the temp/startup files it needs and the session fails.
# Look for any filesystem at or near 100% (especially / and /home)
df -h
# Is the root filesystem read-only? "ro" instead of "rw" indicates a problem.
mount | grep ' / '
# Check /home too if it is a separate mount
mount | grep ' /home 'If root is read-only, it was usually remounted that way after a filesystem error. Inspect dmesg for I/O or fsck errors, then remount read-write once the cause is understood:
sudo dmesg | tail -30
sudo mount -o remount,rw /If the disk is full, free space (clear logs, old packages, large temp files) and retry the login.
sshd debug logging pinpoints where the session dies. On the server, raise the log level and watch the log while you reconnect from the client.
# In /etc/ssh/sshd_config, set:
# LogLevel DEBUG3
sudo sshd -t # validate config first
sudo systemctl restart sshd # or: sudo systemctl restart ssh
# Watch the auth log (Debian/Ubuntu) ...
sudo tail -f /var/log/auth.log
# ... or via journald (RHEL/Fedora/systemd):
sudo journalctl -u sshd -f # use ssh.service on Debian/UbuntuReconnect from another terminal and look for the exec failure. Lines mentioning the shell path, exec, No such file or directory, Permission denied, or a PAM module error tell you the real cause.
When finished, set LogLevel back to INFO or VERBOSE and restart sshd.
A failing PAM module or a broken global/user startup script can abort the session right as the shell starts.
# Look for PAM failures in the auth log / journal around your login time
sudo grep -i pam /var/log/auth.log | tail -20
sudo journalctl -u sshd --since '5 min ago'Temporarily test with the startup scripts out of the way to isolate the culprit (rename, do not delete):
# As the affected user (or root acting on their behalf), back up shell rc files
mv ~/.bashrc ~/.bashrc.bak 2>/dev/null
mv ~/.profile ~/.profile.bak 2>/dev/nullIf login then succeeds, the problem is in those files (or a system-wide /etc/profile, /etc/bashrc, or /etc/profile.d/* script). Restore the backups and fix the offending line. A common offender is a startup script that calls exit or runs a command that fails under a non-tty login.
On RHEL/Fedora (SELinux) or Ubuntu (AppArmor) a denial can block the shell or its home-directory access.
# SELinux: check current mode and search for denials tied to ssh/login
getenforce
sudo ausearch -m avc -ts recent | grep -Ei 'ssh|shell|home'
# AppArmor: list active profiles and check the system log for DENIED lines
sudo aa-status
sudo journalctl -k | grep -i apparmor | tail -20If you suspect SELinux, you can confirm by switching it to permissive temporarily as a diagnostic only:
sudo setenforce 0 # TEMPORARY diagnostic — does not survive reboot
# test the login, then immediately revert:
sudo setenforce 1Do not leave enforcement disabled. If permissive mode fixes it, the correct fix is to relabel files (restorecon -Rv /home/username) or add the proper policy, then re-enable enforcing.
If the shell binary depends on a missing or unreadable library, exec fails and the session dies. Verify the shell actually runs and its libraries are present.
# Resolve the user's configured shell and try running it
SHELL_BIN=$(getent passwd "$USER" | cut -d: -f7)
echo "$SHELL_BIN"
sudo -u username "$SHELL_BIN" -c 'echo shell-ok'
# Check for missing shared libraries ("not found" lines indicate the problem)
ldd "$SHELL_BIN"If ldd reports a library as not found, reinstall the shell package or the package that provides the missing library, then retry the login.
On Windows OpenSSH servers, a missing or wrong DefaultShell value in the registry produces this error. Check and set it to an existing shell path (run PowerShell as Administrator on the server).
# Inspect the current value (may not exist)
Get-ItemProperty -Path 'HKLM:\SOFTWARE\OpenSSH' -Name DefaultShell -ErrorAction SilentlyContinue
# Set PowerShell as the default shell (verify the path exists first)
New-ItemProperty -Path 'HKLM:\SOFTWARE\OpenSSH' -Name DefaultShell `
-Value 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
-PropertyType String -Force
# Or use cmd.exe instead:
# -Value 'C:\Windows\System32\cmd.exe'
Restart-Service sshdEnsure the path you set actually exists on that machine, then test a login from another host.
On cloud instances (AWS EC2, Azure, GCP), this error after a previously working login often means the root volume filled up or the filesystem was remounted read-only following an I/O error — check df -h, mount | grep ' / ', and dmesg. When a session is created by pam_mkhomedir or an automounted/NFS home, login can fail if the home cannot be created or the NFS mount is stale; verify the mount and ownership of the home directory.
For SELinux specifically, the right fix is almost never to disable enforcement permanently. Relabel the user's home and shell with restorecon -Rv /home/username and inspect ausearch -m avc -ts recent; if a legitimate access is being denied, generate a targeted policy with audit2allow rather than running permissive.
For Ansible/Terraform, do not paper over the problem by disabling the PTY — the underlying server-side shell failure will still affect real interactive use. Fix the shell/home/permission issue on the host so both automation and humans can log in.
sign_and_send_pubkey: no mutual signature supported
How to fix "sign_and_send_pubkey: no mutual signature supported" in SSH
sign_and_send_pubkey: signing failed for RSA from agent: agent refused operation
How to fix "sign_and_send_pubkey: signing failed for RSA from agent: agent refused operation" in SSH
Bad owner or permissions on /home/user/.ssh/config
How to fix "Bad owner or permissions on .ssh/config" in SSH
No more authentication methods to try.
How to fix "No more authentication methods to try." in SSH
Error connecting to agent: Connection refused
How to fix "Error connecting to agent: Connection refused" in SSH