I installed MicroOS using the openSUSE-MicroOS-DVD-aarch64-Snapshot20230802-Media.iso image, and created a file at /etc/ssh/sshd_config.d/permit_root_login.conf with the following content:
PermitRootLogin yes
This works as expected, and I can log in as root over SSH using a password. If I then do a transactional-update dup, I see the following product upgrade:
The following product is going to be upgraded:
openSUSE MicroOS
20230802-0 -> 20231017-0
After a reboot, I find that I can no longer log in as root over SSH using a password. Does anyone know what has changed in MicroOS that is causing this to no longer work?
I’ve added that and restarted sshd, but am still seeing that authentication fails, so I’m a bit lost as to what’s going wrong…
I only temporarily enable root login over SSH using a password as part of provisioning to allow Ansible to go in, create users, configure sudo, and then re-lock down SSH to disallow root login and password login. So that works for now, but it seems that when I start deploying machines with a newer MicroOS snapshot, that’s not going to work anymore.
@Jammy Consider using ignition or combustion with ansible to provision? You can add users at this point etc. I use SelfInstall and Vagrant with combustion here, not had an issue like that, but I also use ssh keys.
If you add some debug (-vv) to your ssh command, what does it indicate?
I’ll have a look into using ignition or combustion, thanks for the pointer!
I don’t see anything particularly useful in the verbose output, looks like it tries a few times with keyboard-interactive, and again a few times with password, but ultimately all fail:
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req: entering
debug2: input_userauth_info_req: num_prompts 1
(root@192.168.92.152) Password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req: entering
debug2: input_userauth_info_req: num_prompts 1
(root@192.168.92.152) Password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req: entering
debug2: input_userauth_info_req: num_prompts 1
(root@192.168.92.152) Password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
root@192.168.92.152's password:
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
root@192.168.92.152's password:
debug2: we sent a password packet, wait for reply
Received disconnect from 192.168.92.152 port 22:2: Too many authentication failures
Disconnected from 192.168.92.152 port 22
Journalctl shows the following:
error: PAM: Authentication failure for root from 192.168.92.1
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.92.1 user=root
Failed password for root from 192.168.92.1 port 57776 ssh2