search

rockstor / rockstor-core

Linux/BTRFS based Network Attached Storage(NAS)
http://rockstor.com/docs/contribute_section.html
GNU General Public License v3.0
553 stars 137 forks source link

No default SSH access in Tumbleweed & Leap 15.6 #2767

Open FroggyFlox opened 9 months ago

FroggyFlox commented 9 months ago

Thanks to @RlndVt for initially reporting this issue, with original report below:

I just did a VM install of tumbleweed and I can't connect through SSH.

(...) In that case the 'problem' is a discrepency between PermitRootLogin yes on a Leap install (not a fan long term, but important initially to get the keys transferred,) and PermitRootLogin prohibit-password on Tumbleweed.

Originally posted by @RlndVt in https://github.com/rockstor/rockstor-core/issues/2277#issuecomment-1852836002

Reproducer see https://github.com/rockstor/rockstor-core/issues/2277#issuecomment-1854790287

  1. Install latest Rockstor TW ISO (4.5.8-0)
  2. Distribution update: zypper dup --download-in-advance
  3. Reboot
  4. Go to Rockstor webUI, activate Testing channel, and update to Rockstor 5.0.5-0
  5. Reboot
  6. Try to ssh from client --> refused

/etc/ssh/sshd_config.d/rockstor-sftp.conf is present and includes:

Subsystem    sftp    internal-sftp
AllowUsers root

It seems that AllowUsers root no longer takes precedence on PermitRootLogin yes as was observed in https://github.com/rockstor/rockstor-core/issues/2501/https://github.com/rockstor/rockstor-core/pull/2555. Adding PermitRootLogin yes to /etc/ssh/sshd_config.d/rockstor-sftp.conf and restarting the sshd service restores ssh access for root. Note that as indicated by @RlndVt, the os default in /usr/etc/ssh/sshd_config is now PermitRootLogin prohibit-password. I'm not sure if that changed since https://github.com/rockstor/rockstor-core/pull/2555/https://github.com/rockstor/rockstor-core/issues/2501, though, so this would need to be better identified so that we are sure to properly resolve the issue.

RlndVt commented 9 months ago

Is this now a duplicate of #2765 ?

FroggyFlox commented 9 months ago

No. Please see my comment there (https://github.com/rockstor/rockstor-core/issues/2765#issuecomment-1858537267)... looks like it took me longer to finish writing that one that I thought... sorry for the confusion there.

FroggyFlox commented 9 months ago

Linking to a previous issue by @flukejones reporting the same behavior; interestingly, that was later changed upstream so it seems it has changed again since: #2005.

A PR fixing the current issue should also automatically close #2005.

phillxnet commented 7 months ago

@FroggyFlox Re:

Adding PermitRootLogin yes to /etc/ssh/sshd_config.d/rockstor-sftp.conf and restarting the sshd service restores ssh access for root.

I can confirm that on a freshly built installer (today), profile "Tumbleweed.x86_64", the following equivalent configuration change restores our intended root ssh login behaviour (by password):

echo "PermitRootLogin yes" > /etc/ssh/sshd_config.d/PermitRootLogin.conf
systemctl reload sshd

Which is the same additional file found by default in a current Tumbleweed ARM JeOS image as downloaded a few days ago:

https://download.opensuse.org/ports/aarch64/tumbleweed/appliances/openSUSE-Tumbleweed-ARM-JeOS-efi.aarch64.qcow2

phillxnet commented 3 months ago

I've just updated the title on this issue as during pre-release testing of proposed new installers, the 15.6 (RC status upstream still) exhibits the same behaviour. With the same procedure to enable, detailed above, working similarly. I.e. Leap 15.6 similarly requires the explicit PermitRootLogin yes configuration with follow-up sshd reload.