SSH locked out (root and standard user)

    • SSH locked out (root and standard user)

      Hello folks,

      I was happily using my OMV 1.19 when all of a sudden the SSH Root Access (protected by Google multi-factor auth) stopped working.
      It does not recognize the password anymore and it does not ask for the Google Authentication Code.

      I can log on to the WEBUI, but that is it.

      If I could edit the SSHD_CONFIG file, I'd try to remove the "Use PAM" option; it helped me fix problems with the other NAS I have.

      I tried the procedure to create a public key, but I get the error <<permission denied public key>>

      I really need to get SSH ROOT back up. What can I troubleshoot?

      Protocol 2
      HostKey /etc/ssh/ssh_host_rsa_key
      HostKey /etc/ssh/ssh_host_dsa_key
      UsePrivilegeSeparation yes
      KeyRegenerationInterval 3600
      ServerKeyBits 768
      SyslogFacility AUTH
      LogLevel INFO
      LoginGraceTime 120
      StrictModes yes
      RSAAuthentication yes
      PubkeyAuthentication yes
      IgnoreRhosts yes
      RhostsRSAAuthentication no
      HostbasedAuthentication no
      PermitEmptyPasswords no
      ChallengeResponseAuthentication no
      X11Forwarding yes
      X11DisplayOffset 10
      PrintMotd no
      PrintLastLog yes
      TCPKeepAlive yes
      AcceptEnv LANG LC_*
      Subsystem sftp /usr/lib/openssh/sftp-server
      UsePAM yes
      AllowGroups root ssh
      AddressFamily any
      Port 22
      PermitRootLogin yes
      AllowTcpForwarding no
      Compression yes
      PasswordAuthentication yes
      AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 /var/lib/openmediavault/ssh/authorized_keys/%u
      PubkeyAuthentication yes

      The post was edited 1 time, last by theluke79.

    • How did you configure the authenticator in the first place?
      Don't tell me you just manually edited the file at /etc/ssh/sshd_config?

      If you don't have extra options and you have not set up environmental variables, then make a change in the web UI for SSH. That should default it.
      If you modified the PAM module, then I guess it is more trouble.

      Try and create an alternate sshd config file in a samba share, for example, without the pam yes, then use the cron task to run a temporary side sshd server.

      /usr/sbin/sshd -p 2222 -f /media/<uuid>/share/sshd_config

      That should give you access at port 2222
      New wiki
      chat support at #openmediavault@freenode IRC | Spanish & English | GMT+10
      telegram.me/openmediavault broadcast channel
      openmediavault discord server
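
The recovery step suggested in the reply above, as an added example that is not part of the original thread: it derives the alternate config from the existing file instead of writing it by hand, and syntax-checks it before starting the second daemon. The function names and the PidFile path are assumptions; it is meant to be run as root, for instance from the scheduled job mentioned in the post.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the PidFile path
# are assumptions made for illustration.

# make_recovery_config SRC PORT
# Print a recovery config: overrides first, then SRC minus the directives
# being overridden. Overrides go at the top so they stay global even if SRC
# ends in a Match block; old Port lines are dropped because Port accumulates.
make_recovery_config() {
    printf 'UsePAM no\nPort %s\nPidFile /var/run/sshd-recovery.pid\n' "$2"
    awk '{ k = tolower($1) }
         k == "usepam" || k == "port" || k == "pidfile" { next }
         { print }' "$1"
}

# start_recovery_sshd CFG
# Syntax-check CFG with "sshd -t" and only then launch a second daemon.
# sshd has to be called by its absolute path.
start_recovery_sshd() {
    /usr/sbin/sshd -t -f "$1" || { echo "config rejected: $1" >&2; return 1; }
    /usr/sbin/sshd -f "$1"
}

# stop_recovery_sshd: end the temporary daemon once the main one is repaired.
stop_recovery_sshd() {
    [ -f /var/run/sshd-recovery.pid ] && kill "$(cat /var/run/sshd-recovery.pid)"
}

# Demo on a constructed excerpt of the config posted above (no sshd needed).
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
Protocol 2
ChallengeResponseAuthentication no
UsePAM yes
AllowGroups root ssh
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
    make_recovery_config "$tmp" 2222
    rm -f "$tmp"
}

demo
```

With UsePAM off, the temporary daemon skips the PAM stack and therefore the Google Authenticator prompt, so call stop_recovery_sshd as soon as the main service accepts logins again.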
    • Thanks a mil for helping!

      I followed this guide to install the dual factor authentication (it has been working for 2 years now):
      howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/
      Therefore, YES, I did edit manually the

      sudo nano /etc/pam.d/sshd
      and sshd_config

      as per the instructions.

      I have created the second alternative SSHD conf file and configured CRON.
      It has fixed the problem!


      Thank you
    • theluke79 wrote:

      YES, I did edit manually the

      sudo nano /etc/pam.d/sshd
      and sshd_config


      For the PAM module, do a backup for obvious reasons. For the sshd_config, you cannot edit the file: OMV will rewrite it as soon as you make a change in the SSH section or users section, and you will get locked out, as happened now. This has been discussed on numerous occasions; OMV takes full control of the services it uses.
      Use environmental variables to change the default directives present. This has been discussed in se

      wiki.openmediavault.org/index.…Environment_Variables/all
      wiki.openmediavault.org/index.…tle=Environment_Variables

      You need to restart engined after a var has been added, then remake the service configuration and restart the service.