containers / podman-bootc

Apache License 2.0

Some security policies prevent root ssh logins #69

Open matusmarhefka opened 1 week ago

matusmarhefka commented 1 week ago

Some security policies (e.g. DISA STIG) prevent root login via ssh. However, the podman-bootc tool uses root ssh login to access the deployed VM, so container images built with such policies are not accessible by the tool (podman-bootc run / podman-bootc ssh don't work).

Would it be possible to update podman-bootc to log in as a non-root wheel user who can run sudo without a password? If not, what other options do we have?

matusmarhefka commented 1 week ago

Another option is to update podman-bootc to allow ssh root logins: similarly to how it injects the ssh key for root, it would check that the ssh configuration (/etc/ssh/sshd_config.d/* and /etc/ssh/sshd_config) doesn't contain "PermitRootLogin no", and it would then set "PermitRootLogin yes" in /etc/ssh/sshd_config.
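Added example, not podman-bootc's own code: a Go check that computes the PermitRootLogin value sshd would actually apply to an image's config, following sshd's first-match rule and in-place Include expansion, so a tool can report the effective value (or fall back to a non-root user) instead of editing the file. It assumes the config is readable at the path given and that Include patterns are absolute, as shipped on Fedora/CentOS; note that both "yes" and the compiled-in default "prohibit-password" allow key-based root login, while "no" blocks it.

```go
package main

import (
	"os"
	"path/filepath"
	"strings"
)

// effectivePermitRootLogin returns the global PermitRootLogin value sshd would apply:
// the first occurrence wins, Include directives expand in place (glob order), and an
// unset keyword falls back to OpenSSH's compiled-in default "prohibit-password".
func effectivePermitRootLogin(mainCfg string) string {
	if v, ok := walk(mainCfg, map[string]bool{}); ok {
		return v
	}
	return "prohibit-password"
}

func walk(path string, seen map[string]bool) (string, bool) {
	data, err := os.ReadFile(path)
	if err != nil || seen[path] { // unreadable file or Include loop: nothing to apply
		return "", false
	}
	seen[path] = true
	for _, raw := range strings.Split(string(data), "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		// sshd accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive
		f := strings.FieldsFunc(line, func(r rune) bool { return r == ' ' || r == '\t' || r == '=' })
		if len(f) < 2 {
			continue
		}
		switch strings.ToLower(f[0]) {
		case "include": // Fedora/CentOS ship an absolute pattern; filepath.Glob returns sorted matches
			paths, _ := filepath.Glob(f[1])
			for _, p := range paths {
				if v, ok := walk(p, seen); ok {
					return v, true
				}
			}
		case "permitrootlogin":
			return strings.ToLower(f[1]), true
		case "match": // keywords after a Match block are conditional, not global
			return "", false
		}
	}
	return "", false
}
```

Because the distribution's sshd_config starts with the Include of sshd_config.d/*.conf, a hardening drop-in with PermitRootLogin no wins over any PermitRootLogin yes written later in sshd_config, which is why a check has to walk the files in sshd's order rather than grep them.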

germag commented 5 days ago

Currently, both the run and ssh commands support the --user <user> option to specify an alternative user.

If --user <user> is not enough, we can work on an alternative. I'm not so sure about silently changing the configuration; maybe adding a new option like --enable-root.

matusmarhefka commented 4 days ago

@germag Thanks, I've tried using the --user option and it doesn't work with the latest quay.io/centos-bootc/centos-bootc:stream9 base image:

podman-bootc run --user admin quay.io/centos-bootc/centos-bootc:stream9
...
Error: WaitSshReady: SSH did not become ready in 1m0s seconds

I am on Fedora 40 with the latest podman-bootc from the gmaglione/podman-bootc copr repository:

$ rpm -q podman-bootc 
podman-bootc-v0.1.1~98~g7e608fa-1.20240715123201179838.main.98.7e608fa.fc40.x86_64

germag commented 4 days ago

Ok, let me check that