Many sysadmins have faced this panic moment - you're configuring SSH on a remote Debian server and accidentally modify /etc/ssh/ssh_config instead of /etc/ssh/sshd_config. The key difference:
# Client configuration (what NOT to edit for server settings)
/etc/ssh/ssh_config
# Server configuration (where PermitRootLogin belongs)
/etc/ssh/sshd_config
When you attempt SSH login after this mistake, you'll see:
/etc/ssh/ssh_config: line 55: Bad configuration option: permitrootlogin
/etc/ssh/ssh_config: terminating, 1 bad configuration options
This occurs because PermitRootLogin is a server-side directive that's invalid in the client configuration file.
Option 1: Using Existing Web Console Access
Most cloud providers offer emergency console access:
# For AWS EC2:
1. Navigate to EC2 > Instances
2. Select instance > Actions > Instance Settings > Get System Log
3. Use the web-based console to fix the file
# For Google Cloud:
1. Go to Compute Engine > VM instances
2. Click "Serial port" button (1-4)
3. Authenticate and edit the file
Option 2: Temporary Web Shell Workaround
If you have web services running, create a temporary PHP fixer:
<?php
// emergency-ssh-fix.php
file_put_contents('/etc/ssh/ssh_config',
str_replace('PermitRootLogin', '#PermitRootLogin',
file_get_contents('/etc/ssh/ssh_config')));
echo "SSH config cleaned";
?>
Upload via FTP/SFTP (if available), then access via browser to trigger the fix.
Option 3: Alternative Protocol Access
Check if these services are running:
# Telnet (if enabled)
telnet server_ip 22
# Web-based management
https://server_ip:10000 (Webmin)
https://server_ip:8006 (Proxmox)
Always follow these best practices:
# 1. Make backups before editing
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# 2. Use configuration check before restarting
sshd -t
# 3. Keep a rescue session open
screen -S ssh-rescue
Create a pre-commit hook for SSH config changes:
#!/bin/bash
# .git/hooks/pre-commit
if grep -q "PermitRootLogin" ssh_config; then
echo "ERROR: Server directive in client config!"
exit 1
fi
We've all been there - editing the wrong config file in a hurry. When you modified /etc/ssh/ssh_config instead of /etc/ssh/sshd_config on your Debian server, you introduced invalid directives that prevent SSH access. The error specifically complains about:
/etc/ssh/ssh_config: line 55: Bad configuration option: permitrootlogin
/etc/ssh/ssh_config: terminating, 1 bad configuration options
PermitRootLogin is a server-side configuration option that only belongs in sshd_config. The client configuration file (ssh_config) has completely different options and syntax. When SSH client encounters unknown directives during connection initiation, it fails immediately.
Method 1: Using SCP with Alternative Credentials
If you have another user with sudo privileges:
scp /path/to/correct/ssh_config backupuser@yourserver:/tmp/
ssh backupuser@yourserver
sudo mv /tmp/ssh_config /etc/ssh/
sudo chown root:root /etc/ssh/ssh_config
sudo chmod 644 /etc/ssh/ssh_config
Method 2: Cloud Provider Console Access
For AWS EC2, GCP, or Azure instances:
- Use the cloud provider's web console to access serial console
- Mount the root filesystem in recovery mode
- Edit the file directly:
sudo nano /etc/ssh/ssh_config
# Remove any server-side options like PermitRootLogin
Method 3: Temporary Web-Based Solution
If the server has web access, you can create a temporary PHP script (remove immediately after use):
<?php
file_put_contents('/etc/ssh/ssh_config',
'# Default SSH Client Configuration
Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
');
?>
Always verify which config file you're editing:
# For client configurations
sudo nano /etc/ssh/ssh_config
# For server configurations
sudo nano /etc/ssh/sshd_config
Consider using configuration management tools like Ansible to prevent manual errors:
- name: Ensure correct SSH client config
ansible.builtin.copy:
src: files/ssh_config
dest: /etc/ssh/ssh_config
owner: root
group: root
mode: '0644'