Keep getting locked out of microOS after combustion script install

Hi,

I’ve been using Tumbleweed, Aeon and microOS for a while, but it’s my first time posting here!

Here is my problem: I’m currently trying to use a combustion script in order to install MicroOS on my Raspberry Pi to make some tests with K3S, but after trying many different settings, I keep being unable to log in with SSH using an authorized key.

What I want:

  • Fixed IP
  • A user with no password sudo rights
  • Setting a hostname and timezone
  • Deps for Ansible
  • Base K3S installation
  • MicroOS “default” nopassword behavior for SSH, no login for root, only SSH key for the created user.

Note that my RPi is headless, and I have no access to a monitor or a serial cable atm, so I have to run the combustion script, wait to be able to ping the device (this works), then try to reach it with SSH. It makes the testing slow and the cause of the error unclear…

Here is my latest version of my combustion script, where the ssh keeps asking me for a password, even though none exist:

#!/bin/bash
# combustion: network

## _________________________ EDIT VARIABLES ________________________________
INSTALL_K3S_EXEC='server --cluster-init --write-kubeconfig-mode=644'
NODE_IP='192.168.1.5'
NODE_HOSTNAME="master"
USER='sunoc'
SSH_USER_PUBLIC_KEY='ssh-ed25519 AAAAC3NzaXXXXXXXXXXXXXXXXXXSkp Aeon X230'
TZ='Asia/Tokyo'

## ___________________________ STATIC IP ___________________________________
umask 077 # Required for NM config
mkdir -p /etc/NetworkManager/system-connections/
cat <<- EOF >/etc/NetworkManager/system-connections/static.nmconnection
[connection]
id=static
type=ethernet
autoconnect=true

[ipv4]
method=manual
dns=192.168.1.1
address1=$NODE_IP/24,192.168.1.1
EOF

## ___________________________ SET USER ___________________________________
## Mount /var and /home so user can be created smoothly
mount /var
mount /home

## Make user
useradd -m $USER -s /bin/bash -g users

## Add user to sudoers
echo $USER "ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/adminusers

## Create ssh folder and populate authorized_keys for remote sshd
mkdir -pm700 /home/$USER/.ssh
chown $USER:users -R /home/$USER/.ssh
echo $SSH_USER_PUBLIC_KEY > /home/$USER/.ssh/authorized_keys

## Disable IPv6
cp 90-disableipv6.conf /etc/sysctl.d/

## ___________________________ ANSIBLE ___________________________________
## Python is needed for Ansible, independent of Python subversions
zypper --non-interactive install python3 python3-pip python3-requests \
       nfs-client

## ___________________________ K3S ___________________________________
## Disable swap memory
swapoff -a
sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab

## Other generally useful packages for k3s as well
zypper --non-interactive install patterns-microos-cockpit \
       cockpit bash-completion helm

## Install k3s using the script
curl -L --output k3s_installer.sh https://get.k3s.io && install -m755 k3s_installer.sh /usr/bin/
## Create a systemd unit that installs k3s if not installed yet
cat <<- EOF >/etc/systemd/system/install-rancher-k3s.service
[Unit]
Description=Run K3s installer
Wants=network-online.target
After=network.target network-online.target
ConditionPathExists=/usr/bin/k3s_installer.sh
ConditionPathExists=!/usr/local/bin/k3s
[Service]
Type=forking
TimeoutStartSec=120
Environment="INSTALL_K3S_EXEC=$INSTALL_K3S_EXEC"
ExecStart=/usr/bin/k3s_installer.sh
RemainAfterExit=yes
KillMode=process
[Install]
WantedBy=multi-user.target
EOF

## ___________________________ SERVICES ___________________________________
## Enable services
systemctl enable cockpit.socket
systemctl enable sshd.service
systemctl enable install-rancher-k3s.service

## ___________________________ FINISHING ___________________________________
## Set timezone
systemd-firstboot --force --timezone=$TZ

## Set hostname
echo $NODE_HOSTNAME > /etc/hostname

## Reboot after setup
cp firstbootreboot.service /etc/systemd/system/
systemctl enable firstbootreboot.service

## Clear up mounts
umount /var
umount /home

echo "Configured with Combustion" > /etc/issue.d/combustion

Here are some things I tried so far:

  • Putting the SSH key in a separated file.
  • Adding a separated sshd_config file.
  • Not using a variable for username.

None of this helped. A new sshd_config file changed the behavior, where I would not be prompted to enter a password, but the authorized key still doesn’t work.

Finally, when I look into the /etc/issue.d/combustion file on the SD card after the install, the “Configured with Combustion” string is present, so I’m guessing that the script is successfully executed to its end.

Any idea what else could be wrong?

Thank you very much in advance for the help!

@sunoc Hi and welcome to the Forum :smile:
I install the ssh key from a file…

Some snippets;

#!/bin/bash

# combustion: network
exec > >(exec tee -a /dev/tty0) 2>&1

INSTALL_STATIC=1

##
## Use `openssl passwd -6` to create the encrypted (SHA-512 crypt) password for root and user.
##
ROOT_USER_PASSWORD='....'
SSH_ROOT_PUBLIC_KEY=system/ssh_key.pub
USER_NAME='username'
USER_PASSWORD='....'
SSH_USER_PUBLIC_KEY=system/ssh_key.pub
##

##
echo "Setting Local Timezone..."
rm /etc/localtime
ln -s /usr/share/zoneinfo/America/Chicago /etc/localtime
echo "Setting Hostname..."
echo $NODE_HOSTNAME > /etc/hostname

##
if [ $INSTALL_STATIC == 1 ]; then
   install -m 0600 $NODE_HOSTNAME/static-ip.nmconnection /etc/NetworkManager/system-connections/$NODE_HOSTNAME-ip.nmconnection
fi

## Set root password
echo root:$ROOT_USER_PASSWORD | chpasswd -e
## Add ssh public key as authorized key for the root user
install -d -m 0700  /root/.ssh/
cat $SSH_ROOT_PUBLIC_KEY >> /root/.ssh/authorized_keys
##

## User based configuration

## Need to mount for adding user
mount /var
mount /home

## Add user and ssh public key as authorized key
echo "Adding user $USER_NAME..."
useradd -m $USER_NAME

echo $USER_NAME:$USER_PASSWORD | chpasswd -e

install -d -m 0700 /home/$USER_NAME/.ssh

cat $SSH_USER_PUBLIC_KEY >> /home/$USER_NAME/.ssh/authorized_keys

I use a seed token for k3s installs, which I manually create with `tr -dc A-Za-z0-9 </dev/urandom | head -c 64 > $(pwd)/seed-token` and which lives in /etc/rancher/k3s/

Likewise I use the following for k3s;

curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION={v1.25.9+k3s1} INSTALL_K3S_EXEC="server --cluster-init \
--node-ip xxx.xxx.xxx.xxx --node-external-ip xxx.xxx.xxx.xxx" \
K3S_TOKEN_FILE=/etc/rancher/k3s/seed-token \
K3S_NODE_NAME="nodename" sh -s -

You should not need to create a service file, above does it all.


Does setting authorized_keys mode to 0700 help?


Thank you for the quick replies, I was able to fix my main issue with your advice!

Making a test with the configuration with a password for the user, I was able to log in with it and figured the issue was the rights on the .ssh dir.

Now, this setup seems to work for me to use the SSH key, ensuring the user has read access to the authorized_keys file:

## Make user and ssh dir
useradd -m $USER_NAME
install -d -m 0700 /home/$USER_NAME/.ssh
echo $SSH_USER_PUBLIC_KEY >> /home/$USER_NAME/.ssh/authorized_keys
## chown only after authorized_keys exists; "$USER_NAME:" uses the user's primary group (users on openSUSE)
chown -R $USER_NAME: /home/$USER_NAME/.ssh

Thanks again!
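As an added example that is not part of this thread (and not openSUSE's or combustion's own code), here is a shell helper that does what the final snippet does, but with modes and ownership set at creation time so the chown-before-the-file-exists ordering mistake from the first post cannot happen, followed by a check that mirrors what sshd verifies under StrictModes plus the one thing StrictModes does not catch: a root-owned 0600 authorized_keys that the user cannot read. The user name, paths and key line in the demo at the bottom are constructed; run as root on the node it sets ownership, run unprivileged it only sets modes.

```shell
#!/bin/sh
# Added example, not from the thread or from the openSUSE project.

# install_authorized_key USER HOME_DIR "PUBKEY LINE"
# Writes HOME_DIR/.ssh/authorized_keys with explicit modes and, when run as
# root (the combustion case), owned by USER from the start. Nothing is chowned
# afterwards, so a root-owned 0600 file cannot be left behind.
install_authorized_key() {
    local user home key own tmp rc
    user=$1; home=$2; key=$3; own=""
    case "$key" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *|sk-*\ *) ;;
        *) echo "install_authorized_key: not an OpenSSH public key line: $key" >&2; return 1 ;;
    esac
    if [ "$(id -u)" -eq 0 ]; then
        # the user's primary group (users on openSUSE), not a group named after the user
        own="-o $user -g $(id -gn "$user")"
    fi
    # install -m applies the mode regardless of umask, so the 'umask 077' needed
    # earlier in a combustion script for the NetworkManager keyfile does no harm here
    install -d -m 0700 $own "$home/.ssh" || return 1
    tmp=$(mktemp) || return 1
    printf '%s\n' "$key" > "$tmp"
    install -m 0600 $own "$tmp" "$home/.ssh/authorized_keys"; rc=$?
    rm -f "$tmp"
    return $rc
}

# verify_authorized_key USER HOME_DIR
# Mirrors sshd's StrictModes checks (every component from the home directory
# down is owned by USER or root and is not group/world writable), then adds the
# check StrictModes does not make: sshd reads the file with USER's privileges,
# so a root-owned 0600 file passes StrictModes and is still unusable.
# Prints "ok" and returns 0 on success, otherwise prints why and returns 1.
verify_authorized_key() {
    local user home f p owner bits
    user=$1; home=$2; f=$2/.ssh/authorized_keys
    for p in "$home" "$home/.ssh" "$f"; do
        [ -e "$p" ] || { echo "missing: $p"; return 1; }
        owner=$(stat -c %U "$p")
        bits=$(printf '%d' "0$(stat -c %a "$p")")   # octal mode string -> integer
        case "$owner" in
            "$user"|root) ;;
            *) echo "bad owner $owner on $p"; return 1 ;;
        esac
        [ $((bits & 18)) -eq 0 ] || { echo "group/world writable: $p"; return 1; }   # 18 = 0o022
        # a directory USER does not own must still be searchable by USER
        # (group membership is ignored here: the 'other' execute bit is required)
        if [ "$owner" != "$user" ] && [ -d "$p" ] && [ $((bits & 1)) -eq 0 ]; then
            echo "$user cannot traverse $p"; return 1
        fi
    done
    # $owner/$bits now describe authorized_keys itself
    if [ "$owner" != "$user" ] && [ $((bits & 4)) -eq 0 ]; then
        echo "$f is owned by $owner and not world-readable: $user cannot read it"; return 1
    fi
    echo ok
}

# Demo with constructed values; runs unprivileged in a scratch directory.
demo=$(mktemp -d)
me=$(id -un)
( umask 077   # the umask the first post sets for NetworkManager, kept on purpose
  install_authorized_key "$me" "$demo" \
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyForThisExampleOnly sunoc@example" )
stat -c '%a %U %n' "$demo/.ssh" "$demo/.ssh/authorized_keys"   # 700 and 600 despite umask 077
verify_authorized_key "$me" "$demo"           # ok
verify_authorized_key sunoc "$demo" || true   # fails: sunoc cannot use files it does not own
rm -rf "$demo"
```

On the node, `verify_authorized_key sunoc /home/sunoc` run as root after combustion has finished tells you in one line whether the layout is one sshd will accept, which is the test the first post could not run on a headless Pi.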
