[Bug 1118114] New: Installer disallows root access with usessh=1
http://bugzilla.suse.com/show_bug.cgi?id=1118114

Bug ID: 1118114
Summary: Installer disallows root access with usessh=1
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Installation
Assignee: yast2-maintainers@suse.de
Reporter: agraf@suse.com
QA Contact: jsrain@suse.com
CC: afaerber@suse.com, ihno@suse.com, mbrugger@suse.com, snwint@suse.com
Found By: ---
Blocker: ---

Our default installation path for Tumbleweed in the ARM world is to append "usessh=1 sshpassword=xxx network=1" to the installer command line. That way we can install systems easily from a remote machine.

With the recent changes in sshd that disallow root by default, we can no longer ssh into the installer system as root. So we cannot install.

To keep in mind as a follow-up on this: if we did manage to ssh in and install, but did not select a default user to get created (which is my usual installation option; why bother with non-root for starters?), we would get locked out of the real system after installation.

So the fix for this IMHO would be to modify sshd_config to allow root access in instsys and then ensure that, if this is the mode of operation, that same config propagates into the installed system.

-- You are receiving this mail because: You are on the CC list for the bug.
--- Comment #1 from Arvin Schnell
--- Comment #2 from Alexander Graf
--- Comment #3 from Lukas Ocilka
--- Comment #4 from Arvin Schnell
> I suppose we could also move all logic over to be key based rather than
> password based. So there the installer would need to learn how to fetch a
> public ssh key from somewhere and install it (in instsys).

See ssh.key at https://en.opensuse.org/SDB:Linuxrc; the key is just not copied to the installed system.
--- Comment #6 from Steffen Winterfeldt
--- Comment #7 from Steffen Winterfeldt
--- Comment #8 from Alexander Graf
> There is of course https://en.opensuse.org/SDB:Linuxrc#p_sshkey
>
> Adding PermitRootLogin to the instsys is easy enough. But copying the root
> password/key or sshd config from instsys to the target system is a bad idea.
>
> Installation and target system are two entirely unrelated things. The admin
> installing a machine doesn't have to be the one running it.

Well, in that case all of the command-line-provided bits are bad :). What I was thinking of is really more a default pass-over. So the ssh key is by default transferred to the target system, but obviously with a clearly visible notification to whoever runs the installation. Think of it in password terms: the password screen would still pop up, but the password fields would already be filled out with the password you set on the command line.
--- Comment #9 from Alexander Graf
This only fixes the installer bit, not the fact that we may install a system that you can't log into anymore, right?
--- Comment #10 from Steffen Winterfeldt
--- Comment #11 from Alexander Graf
--- Comment #13 from Stefan Schubert

--- Comment #14 from Alexander Graf

--- Comment #15 from Steffen Winterfeldt
> and maybe don't even know why

Because they didn't create a user? Are there actual complaints from a customer about this? The issue has a slightly artificial touch.
--- Comment #16 from Stefan Schubert
> Yes, it works for local login. But it won't work for headless systems.
> Imagine the following:
>
> 1) System is headless, ssh access only
> 2) You install with usessh=1 using ssh from a remote system
> 3) You skip user creation

OK, but how have you managed to skip the root password frame after you have skipped the user creation? I cannot continue without a given root password. So at least a root login is available after installation. I have tested Leap 15 because Steffen's fix is still not available.

P.S.: You can also call me if you want. Perhaps I am misunderstanding something :-)
--- Comment #17 from Steffen Winterfeldt
--- Comment #18 from Alexander Graf
> > and maybe don't even know why
>
> Because they didn't create a user? Are there actual complaints from a
> customer about this? The issue has a slightly artificial touch.

Feel free to consider me a user. I wasted ~1 hour of my life on this. Given who I work for, I still stick with SUSE; real customers might just not tell you and walk away.

(In reply to Stefan Schubert from comment #16)
> (In reply to Alexander Graf from comment #14)
> > Yes, it works for local login. But it won't work for headless systems.
> > Imagine the following:
> >
> > 1) System is headless, ssh access only
> > 2) You install with usessh=1 using ssh from a remote system
> > 3) You skip user creation
>
> OK, but how have you managed to skip the root password frame after you have
> skipped the user creation? I cannot continue without a given root password.
> So at least a root login is available after installation. I have tested
> Leap 15 because Steffen's fix is still not available.
>
> P.S.: You can also call me if you want. Perhaps I am misunderstanding
> something :-)

Yes, the root password is set, but you cannot log into the system as root regardless, because ssh now refuses to allow password-based authentication for root. So if usessh=1 and no user was created, you are 99.9% sure the system will be unusable. What I'm trying to say is that we should be user-friendly enough to tell the user about this case before they run into it.
--- Comment #19 from Steffen Winterfeldt
> Yes, the root password is set, but you cannot log into the system as root
> regardless, because ssh now refuses to allow password-based authentication
> for root.

That may well be, but this is not an installer issue (per se). If the ssh developers decide to disallow root logins per password, then this has some far-reaching consequences. This also means the usual YaST root user dialog is basically moot and needs to be redesigned to take this into account. This is IMO not a bug in the installer but a feature request, and that it ends up here is more or less a sign of not-so-optimal PLANNING.
--- Comment #21 from Alexander Graf

--- Comment #22 from Steffen Winterfeldt

--- Comment #25 from Vítězslav Čížek

--- Comment #26 from Jiri Srain
--- Comment #27 from Vítězslav Čížek
> Does that mean that if I have a headless system with root as the only user
> and authenticating via password, plain 'zypper dup' will prevent me from
> accessing it any more?

In the current state, yes.

> (my config file, which I cannot remember changing, has this config option
> commented-out)

The openssh-7.7p1-allow_root_password_login.patch used to change the default in the code without setting it in the configuration file. Well, actually it did set the value of PermitRootLogin to "yes", but kept the option commented out. So after the openssh update, the new default value "prohibit-password" will get used and you'll be locked out.

> And actually the same when updating to the first Leap release including
> this change...
>
> We should at least document this or come up with a way that doesn't risk
> breaking too many setups.
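The lockout discussed in the thread (a commented-out PermitRootLogin that the SUSE patch silently treated as "yes", followed by an openssh update that restores the upstream default "prohibit-password") as a pre-flight check an admin can run before "zypper dup". This is an added example for this page, not code from the bug report, from openSUSE or from YaST. It assumes OpenSSH's rule that the first uncommented global occurrence of a keyword wins and that the compiled-in default since 7.0 is prohibit-password; the "UID >= 1000 with a real shell" heuristic for login-capable users, the function names and all sample files are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug report or from openSUSE/YaST): pre-flight
# check for the root-only, password-over-ssh lockout described in this thread.

# First uncommented global occurrence of an sshd_config keyword, else the given
# default. Stops at the first "Match" line because values inside Match blocks
# only apply to matching connections. Does not follow Include (OpenSSH >= 8.2);
# on a live system "sshd -T | grep -i permitrootlogin" shows the real value.
effective_keyword() {
    awk -v key="$2" -v def="$3" '
        tolower($1) == "match" { exit }
        tolower($1) == key     { found = 1; print tolower($2); exit }
        END { if (!found) print def }
    ' "$1"
}

# Effective PermitRootLogin; absent/commented-out means the OpenSSH >= 7.0
# compiled-in default "prohibit-password" (the case this bug is about).
effective_permit_root_login() {
    v=$(effective_keyword "$1" permitrootlogin prohibit-password)
    [ "$v" = "without-password" ] && v=prohibit-password   # pre-7.0 spelling
    echo "$v"
}

# Number of non-root accounts that could log in: UID >= 1000 (assumed local
# user range) with a shell other than nologin/false ("nobody" is skipped).
login_capable_users() {
    awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ { n++ } END { print n + 0 }' "$1"
}

# True when the given authorized_keys file has at least one key line.
root_has_key() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*[^#[:space:]]' "$1"
}

# Returns 0 (risk) when nobody could log in over ssh once the default is
# prohibit-password; 1 otherwise. Args: sshd_config, passwd, root's authorized_keys.
lockout_risk() {
    prl=$(effective_permit_root_login "$1")
    pwauth=$(effective_keyword "$1" passwordauthentication yes)
    [ "$(login_capable_users "$2")" -gt 0 ] && return 1             # someone else can still get in
    [ "$prl" = "yes" ] && [ "$pwauth" = "yes" ] && return 1         # root password login explicitly allowed
    [ "$prl" != "no" ] && root_has_key "$3" && return 1             # a root key still works
    return 0
}

# Constructed sample inputs for the demo (not taken from any real system).
make_samples() {
    d=$(mktemp -d)
    # Leap 15.0 style: the patch forced "yes" in code, the file kept it commented out
    printf '#PermitRootLogin yes\nPasswordAuthentication yes\n' > "$d/sshd_config.commented"
    # What an admin has to write explicitly to survive the openssh update
    printf 'PermitRootLogin yes\n' > "$d/sshd_config.explicit"
    # PermitRootLogin only inside a Match block: the global default still applies
    printf 'Match Address 10.0.0.0/8\n    PermitRootLogin yes\n' > "$d/sshd_config.match"
    printf 'root:x:0:0:root:/root:/bin/bash\nnobody:x:65534:65533:nobody:/var/lib/nobody:/sbin/nologin\n' > "$d/passwd.rootonly"
    printf 'root:x:0:0:root:/root:/bin/bash\nalice:x:1000:100:Alice:/home/alice:/bin/bash\n' > "$d/passwd.withuser"
    : > "$d/authorized_keys.empty"
    printf '# installer key (constructed placeholder, not a real key)\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyForThisExample root@installer\n' > "$d/authorized_keys.one"
    echo "$d"
}

demo() {
    d=$(make_samples)
    for cfg in commented explicit match; do
        if lockout_risk "$d/sshd_config.$cfg" "$d/passwd.rootonly" "$d/authorized_keys.empty"; then
            echo "sshd_config.$cfg, root-only, no key: LOCKOUT after the openssh update"
        else
            echo "sshd_config.$cfg, root-only, no key: still reachable"
        fi
    done
    rm -rf "$d"
}

demo
```

On a real box the three inputs are /etc/ssh/sshd_config, /etc/passwd and /root/.ssh/authorized_keys; the "commented" sample reproduces comment #27's case and is reported as a lockout, while the explicit "PermitRootLogin yes" line, an extra login-capable user, or a root key each clear it.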
--- Comment #28 from Jiri Srain
(In reply to Jiri Srain from comment #26)
> And actually the same when updating to the first Leap release including
> this change...
>
> We should at least document this or come up with a way that doesn't risk
> breaking too many setups.

I would not be willing to read the users' feedback if we stick only with documentation...
--- Comment #29 from Stefan Schubert

--- Comment #31 from Vítězslav Čížek