Hi
I’m planning to have a very secure server. Therefore I’ve chosen Alma Linux.
I’ve installed AlmaLinux 9.3 minimal on a VPS with the settings:
Encrypt (cryptsetup)
Allow root SSH login with password
But I can’t seem to use SSH
ssh root@xxx.xxx.xxx.xxx
The output is
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
With VNC, I can set the LUKS password and log in to root. Even after setting the LUKS password, I can’t use ssh.
What am I doing wrong?
Best/Johan
Hey Johan,
Please verify that PasswordAuthentication is set to yes in /etc/ssh/sshd_config,
If not change it to yes then restart sshd using sudo systemctl restart sshd.
Thanks!
One step closer.
But still denied (and still possible to log in via VNC):
Permission denied, please try again.
Before it was:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
/Johan
Seems to me that the password is wrong, double check the password (you might want to use passwd root to change the password to the known root password.)
No difference.
But it shouldn’t be as I can log in with root in VNC.
Can you ssh with keypair auth?
Does /var/log/secure tell more about the auth error?
Might be SELinux doing, like @jlehtone said check /var/log/auth.log and /var/log/secure for further analysis.
Is the fire wall open for ssh?
Re SELinux: remember that some events are marked DON’T AUDIT and will not show up.
Hi again!
No errors in /var/log/secure
/var/log/auth.log doesn’t exist.
I give up. Thanks for all support!
I’ll install a tested image of Alma Linux 8.9 minimal with SSH, but without cryptsetup. I’ll then partition and add cryptsetup on user data…
IMHO, the “best way” to test is to ask: sshd -T | grep -E "root|password"
because that shows the config that the sshd sees.
Note that the ‘root’ has different rules than regular accounts.
One should not edit the /etc/ssh/sshd_config in EL9. One should add new files to /etc/ssh/sshd_config.d/
The config reads those files first, and sshd uses first occurrence for each option (unless it allows multiple).
That is no error. I don’t recall ever seeing such file in Fedora/CentOS/RHEL/Alma.
Command journalctl has access to “all” logs, and the (legacy) rsyslogd.service writes to some files in /var/log/.
SELinux can prevent sshd process from listening on port, but it has rule to allow listen on the default 22. If it would deny listen, then the connection would not get to “ask pw” stage.
Same with firewall; if incoming traffic is denied by firewall, then the connection would not get to “ask pw” stage.
Another thing that I’ve seen SELinux to block is keypair authentication, because the ~/.ssh/authorized_keys (and its dir) must have strict permissions and correct SELinux type.
The /root is practically always on the / filesystem, while user homes tend to be on separate filesystem (that is mounted to /home). If the / is encrypted, then it has to be opened for the sshd to start and access /root/.ssh/authorized_keys and/or /etc/shadow (now probably via sssd). In other words, if the system runs, then the / is “open”.
For user to authenticate with ~/.ssh/authorized_keys that is within encrypted filesystem that requires password for LUKS first … I have no idea. Anyway, the keypair authentication is strongly recommended for ssh, and in el9 it is the default for ‘root’ – password auth is disabled for root by default.
Problem solved!
I had forgotten to do:
ssh-copy-id -i ~/.ssh/mykey user@host
Now everything works
Thanks for your supportiveness. All of you!
Good, but confusing. You said that you cannot log in with ssh.
Yet, you were able to use ssh-copy-id that works only when you can log in with ssh.
(Unless it was ssh root@host that did fail and ssh otheruser@host that was possible.)
You are right!
I got help from sysadmin to add first key.
Then I tested ssh-copy-id which worked (no surprise).
But there is a bit of a catch 22, when you need an installed key to be able to install a key.
I can’t even paste text in VNC, so that option is not valid.
How am I supposed to log in first time?
You can have session via VNC. While you can’t paste text through the VNC client,
you can download files from network during that session. Naturally, you need an another machine on the net where to download from.
When I install local machine, I prefer to have minimal kickstart file that deploys ssh keys already during install. If that is not possible, then I enable password auth just long enough to get keys in.
The openstack-based cloud service that I have used does deploy ssh-key too – its the (almost) only way to reach those VM’s.
Thank you very much!
Starting to get it now. I now did exactly that. Password til SHH keys added.
Now, I have succeeded with all I wanted.
Best/Johan
P.S.
Tanks for a great community!!!
D.S.