http://bugzilla.suse.com/show_bug.cgi?id=1118114 Alexander Graf changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |guillaume.gardet@arm.com -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1118114 Arvin Schnell changed: What |Removed |Added ---------------------------------------------------------------------------- URL| |https://trello.com/c/CRK0z5 | |a0/2715-tw Assignee|yast2-maintainers@suse.de |yast-internal@suse.de -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1118114 Alexander Graf changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |tchvatal@suse.com -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1118114 http://bugzilla.suse.com/show_bug.cgi?id=1118114#c3 --- Comment #3 from Lukas Ocilka --- That would be a new (but interesting) feature in Linuxrc. We currently have a way to specify ssh_key for root in Installer, but that's quite unrelated as the code in YaST (not Linuxrc) and we require explicit selection of that key. Let's focus on fixing the status quo now, this is SLE 15 SP1 and after feature freeze BTW. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1118114 http://bugzilla.suse.com/show_bug.cgi?id=1118114#c6 --- Comment #6 from Steffen Winterfeldt --- There is of course https://en.opensuse.org/SDB:Linuxrc#p_sshkey Adding PermitRootLogin to the instsys is easy enough. But copying the root password/key or sshd config from instsys to the target system is a bad idea. Installation and target system are two entirely unrelated things. The admin installing a machine doesn't have to be the one running it. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1118114 http://bugzilla.suse.com/show_bug.cgi?id=1118114#c8 --- Comment #8 from Alexander Graf --- (In reply to Steffen Winterfeldt from comment #6)

There is of course https://en.opensuse.org/SDB:Linuxrc#p_sshkey

Adding PermitRootLogin to the instsys is easy enough. But copying the root password/key or sshd config from instsys to the target system is a bad idea.

Installation and target system are two entirely unrelated things. The admin installing a machine doesn't have to be the one running it.

Well, in that case all of the command line provided bits are bad :). What I was thinking of is really more a default pass-over. So the ssh key is by default transferred to the target system, but obviously with well visible notification to whoever runs the installation. Think of it in password terms: The password screen would still pop up, but the password fields would already be filled out with the password you set on the command line. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1118114 http://bugzilla.suse.com/show_bug.cgi?id=1118114#c10 --- Comment #10 from Steffen Winterfeldt --- Correct. This is just the openssh default settings change. Anything else would need some more discussion, I think. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1118114 Malcolm Lewis changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |malcolmlewis@cableone.net -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1118114 http://bugzilla.suse.com/show_bug.cgi?id=1118114#c14 Alexander Graf changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|FIXED |--- --- Comment #14 from Alexander Graf --- Yes, it works for local login. But it won't work for headless systems. Imagine the following: 1) System is headless, ssh access only 2) You install with usessh=1 using ssh from a remote system 3) You skip user creation 4) Installation is successful, reboots into system 5) You log into the system with ssh -> login fails This is a terribly confusing user experience, because customers will have no easy way to recover the system, as they are now locked out of it and maybe don't even know why. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1118114 http://bugzilla.suse.com/show_bug.cgi?id=1118114#c16 Stefan Schubert changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |agraf@suse.com Flags| |needinfo?(agraf@suse.com) --- Comment #16 from Stefan Schubert --- (In reply to Alexander Graf from comment #14)

Yes, it works for local login. But it won't work for headless systems. Imagine the following:

1) System is headless, ssh access only 2) You install with usessh=1 using ssh from a remote system 3) You skip user creation OK, but how have you managed to skip the root password frame after you have skipped the user creation ? I cannot continue without a given root password. So at least a root login is available after installation. I have tested LEAP15 because Steffen fix is still not available. P.S.: You can also call me if you want. Perhaps I am understanding something wrong :-)

-- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1118114 http://bugzilla.suse.com/show_bug.cgi?id=1118114#c18 --- Comment #18 from Alexander Graf --- (In reply to Steffen Winterfeldt from comment #15)

...

and maybe don't even know why

Because they didn't create a user? Are there actual complaints from a customer about this? The issue has a slightly artificial touch.

Feel free to consider me a user. I wasted ~1 hour of my life on this. Given who I work for I still stick with SUSE, real customers might just not tell you and walk away. (In reply to Stefan Schubert from comment #16)

(In reply to Alexander Graf from comment #14)

...

Yes, it works for local login. But it won't work for headless systems. Imagine the following:

1) System is headless, ssh access only 2) You install with usessh=1 using ssh from a remote system 3) You skip user creation OK, but how have you managed to skip the root password frame after you have skipped the user creation ? I cannot continue without a given root password. So at least a root login is available after installation. I have tested LEAP15 because Steffen fix is still not available. P.S.: You can also call me if you want. Perhaps I am understanding something wrong :-)

Yes, the root password is set, but you can not log into the system as root regardless, because ssh now refuses to allow password based authentication for root. So if usessh=1 and no user was created, you are 99.9% sure the system will be unusable. What I'm trying to say is that we should be user friendly enough to tell the user about this case before they run into it. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1118114 http://bugzilla.suse.com/show_bug.cgi?id=1118114#c21 Alexander Graf changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(agraf@suse.com) | --- Comment #21 from Alexander Graf --- I'll leave it to you to figure out whom to blame and how to improve communication between the respective teams, but given that the initial fix for this is trivial, I don't think a bug is the worst things to handle this through at this point. Going forward, I think it is a really good idea to talk to the sshd maintainer and work out an actual plan rather than ad-hoc changes, but at least we have consistent user experience meanwhile. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1118114 Stefan Schubert changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|Major |Critical -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1118114 http://bugzilla.suse.com/show_bug.cgi?id=1118114#c26 --- Comment #26 from Jiri Srain --- Does that mean that if I have a headless system with root as the only user and authenticating via password, plain 'zypper dup' will prevent me from accessing it any more? (my config file, which I cannot remember changing, has this config option commented-out) And actually the same when updating to the first Leap release including this change... -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1118114 http://bugzilla.suse.com/show_bug.cgi?id=1118114#c27 Vítězslav Čížek changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |CONFIRMED --- Comment #27 from Vítězslav Čížek --- (In reply to Jiri Srain from comment #26)

Does that mean that if I have a headless system with root as the only user and authenticating via password, plain 'zypper dup' will prevent me from accessing it any more?

In the current state, yes.

(my config file, which I cannot remember changing, has this config option commented-out)

The openssh-7.7p1-allow_root_password_login.patch used to change the default in the code without setting it in the configuration file. Well, actually it did set the value of PermitRootLogin to "yes", but kept the option commented out. So after the openssh update, the new default value "prohibit-password" will get used and you'll be locked out.

And actually the same when updating to the first Leap release including this change...

We should at least document this or come up with a way that doesn't risk breaking too many setups. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1118114 http://bugzilla.suse.com/show_bug.cgi?id=1118114#c29 Stefan Schubert changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mstelios@cytech.gr --- Comment #29 from Stefan Schubert --- *** Bug 1121198 has been marked as a duplicate of this bug. *** -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1118114 Vítězslav Čížek changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|vcizek@suse.com |hpj@suse.com -- You are receiving this mail because: You are on the CC list for the bug.