[SOLVED] Root Login via SSH vs Admin login via GUI

  • Hello,


    I'm thoroughly confused....


    I can login via the GUI using the 'admin' handle but not as 'root'.

    I cannot login via SSH as 'root', "permission denied (publickey,,password)"


    The logfile (below) shows that 'root' is not listed in 'AllowUsers'! How can that be?

    I tried to add 'root' as a user (because 'root' is not listed as a user in the GUI) but it returned an unauthorised modification of file xxx, didn't work.


    Questions:

    How can I check and modify/correct 'root' if I have to ('AllowUsers')?

    How can I also possibly change the 'root' password (via the GUI as my only option right now) as a precaution against my own mistake of perhaps even not having the correct PW (need to exclude all eventualities, even though I am sure this isn't the fault)?


    Logfile:

    Feb 20 16:54:55 OMV sshd[26442]: User root from 192.168.7.33 not allowed because not listed in AllowUsers

    Feb 20 16:55:01 OMV sshd[26442]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.7.33 user=root

    Feb 20 16:55:03 OMV sshd[26442]: Failed password for invalid user root from 192.168.7.33 port 35056 ssh2

  • This is why admin can't login via ssh, and this is by design:

    $ getent passwd admin

    admin:x:998:100:openmediavault WebGUI Administrator:/home/admin:/usr/sbin/nologin


    root should not be used to login to the web interface either. It is meant for command line admin purposes.


    I cannot login via SSH as 'root', "permission denied (publickey,,password)"


    The logfile (below) shows that 'root' is not listed in 'AllowUsers'! How can that be?

    Do you have root login disabled in the ssh plugin?


    I tried to add 'root' as a user (because 'root' is not listed as a user in the GUI) but it returned an unauthorised modification of file xxx, didn't work.

    Stop trying to "fix" that. You will probably break something.


    How can I also possibly change the 'root' password (via the GUI as my only option right now) as a precaution against my own mistake of perhaps even not having the correct PW (need to exclude all eventualities, even though I am sure this isn't the fault)?

    Add another user and put them in the ssh and sudo groups. Login via ssh with that user and do: sudo passwd root. This still won't allow root to login via ssh if root login via ssh is disabled.

    omv 6.0.35-1 Shaitan | 64 bit | 5.15 proxmox kernel | plugins :: omvextrasorg 6.1.1 | kvm 6.1.22 | mergerfs 6.2 | zfs 6.0.11
    omv-extras.org plugins source code and issue tracker - github


    Please try ctrl-shift-R and read this before posting a question.
    Please don't PM for support... Too many PMs!

  • Hi,


    I've tried the suggested way: Added a user (Temp), added him to groups SSH and SUDO, applied/saved the settings and tried to login via a shell: Not possible.


    There was an error message when saving the settings in the GUI but from what I understand it doesn't seem to be related to this issue (displayed below for reference still) unless the ssl certificate key had to be generated for the new user and this seems to have failed. There was no certificate to add when I created the user.


    The authentication log shows this:

    Feb 27 15:04:04 OMV sshd[18030]: Failed password for invalid user Temp from 192.168.7.33 port 48496 ssh2

    Feb 27 15:04:12 OMV sshd[18030]: Failed password for invalid user Temp from 192.168.7.33 port 48496 ssh2

    Feb 27 15:04:20 OMV sshd[18030]: Failed password for invalid user Temp from 192.168.7.33 port 48496 ssh2

    Feb 27 15:04:20 OMV sshd[18030]: Connection closed by invalid user Temp 192.168.7.33 port 48496 [preauth]


    OMV\ExecException: Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C.UTF-8; omv-salt deploy run nginx 2>&1' with exit code '1': debian:

    ----------

    ID: prereq_nginx_certificates

    Function: salt.state

    Result: False

    Comment: Run failed on minions: debian

    Started: 15:01:13.985035

    Duration: 2536.612 ms

    Changes:

    debian:

    ----------

    ID: remove_ssl_certificates_crt

    Function: module.run

    Result: True

    Comment: file.find: ['/etc/ssl/certs/openmediavault-e9b35fd3-7a09-4a67-99d6-122417915dd4.crt']

    Started: 15:01:14.580269

    Duration: 16.26 ms

    Changes:

    ----------

    file.find:

    - /etc/ssl/certs/openmediavault-e9b35fd3-7a09-4a67-99d6-122417915dd4.crt

    ----------

    ID: remove_ssl_certificates_key

    Function: module.run

    Name: file.find

    Result: False

    Comment: No function provided.

    Started: 15:01:14.596825

    Duration: 1.465 ms

    Changes:

    ----------

    ID: create_ssl_e9b35fd3-7a09-4a67-99d6-122417915dd4_crt

    Function: file.managed

    Name: /etc/ssl/certs/openmediavault-e9b35fd3-7a09-4a67-99d6-122417915dd4.crt

    Result: True

    Comment: File /etc/ssl/certs/openmediavault-e9b35fd3-7a09-4a67-99d6-122417915dd4.crt updated

    Started: 15:01:14.601679

    Duration: 7.857 ms

    Changes:

    ----------

    diff:

    New file

    mode:

    0644

    ----------

    ID: create_ssl_e9b35fd3-7a09-4a67-99d6-122417915dd4_key

    Function: file.managed

    Name: /etc/ssl/private/openmediavault-e9b35fd3-7a09-4a67-99d6-122417915dd4.key

    Result: True

    Comment: File /etc/ssl/private/openmediavault-e9b35fd3-7a09-4a67-99d6-122417915dd4.key is in the correct state

    Started: 15:01:14.609888

    Duration: 78.126 ms

    Changes:

    ----------

    ID: update_ssl_certificates

    Function: cmd.run

    Name: update-ca-certificates --fresh

    Result: True

    Comment: Command "update-ca-certificates --fresh" run

    Started: 15:01:14.690264

    Duration: 1817.608 ms

    Changes:

    ----------

    pid:

    16363

    retcode:

    0

    stderr:

    stdout:

    Clearing symlinks in /etc/ssl/certs...

    done.

    Updating certificates in /etc/ssl/certs...

    137 added, 0 removed; done.

    Running hooks in /etc/ca-certificates/update.d...

    done.

    ----------

    ID: remove_ssh_certificates

    Function: module.run

    Result: True

    Comment: file.find: []

    Started: 15:01:16.508602

    Duration: 6.224 ms

    Changes:

    ----------

    file.find:

    Summary for debian

    ------------

    Succeeded: 5 (changed=4)

    Failed: 1

    ------------

    Total states run: 6

    Total run time: 1.928 s

    ----------

    ID: configure_nginx_site_webgui

    Function: file.managed

    Name: /etc/nginx/sites-available/openmediavault-webgui

    Result: True

    Comment: File /etc/nginx/sites-available/openmediavault-webgui is in the correct state

    Started: 15:01:16.529194

    Duration: 179.271 ms

    Changes:

    ----------

    ID: configure_nginx_security

    Function: file.managed

    Name: /etc/nginx/openmediavault-webgui.d/security.conf

    Result: True

    Comment: File /etc/nginx/openmediavault-webgui.d/security.conf is in the correct state

    Started: 15:01:16.708980

    Duration: 80.864 ms

    Changes:

    ----------

    ID: execute_nginx_ensite

    Function: cmd.run

    Name: nginx_ensite openmediavault-webgui

    Result: True

    Comment: Command "nginx_ensite openmediavault-webgui" run

    Started: 15:01:16.792590

    Duration: 22.447 ms

    Changes:

    ----------

    pid:

    17775

    retcode:

    0

    stderr:

    stdout:

    Site configuration file 'openmediavault-webgui' is already enabled.

    ----------

    ID: prereq_nginx_service_monit

    Function: salt.state

    Result: True

    Comment: States ran successfully. Updating debian.

    Started: 15:01:16.815696

    Duration: 1696.048 ms

    Changes:

    debian:

    ----------

    ID: configure_monit_collectd_service

    Function: file.managed

    Name: /etc/monit/conf.d/openmediavault-collectd.conf

    Result: True

    Comment: File /etc/monit/conf.d/openmediavault-collectd.conf is in the correct state

    Started: 15:01:17.982943

    Duration: 72.744 ms

    Changes:

    ----------

    ID: configure_monit_filesystem_service

    Function: file.managed

    Name: /etc/monit/conf.d/openmediavault-filesystem.conf

    Result: True

    Comment: File /etc/monit/conf.d/openmediavault-filesystem.conf is in the correct state

    Started: 15:01:18.055962

    Duration: 28.714 ms

    Changes:

    ----------

    ID: configure_monit_nginx_service

    Function: file.managed

    Name: /etc/monit/conf.d/openmediavault-nginx.conf

    Result: True

    Comment: File /etc/monit/conf.d/openmediavault-nginx.conf is in the correct state

    Started: 15:01:18.084994

    Duration: 23.178 ms

    Changes:

    ----------

    ID: configure_monit_omv-engined_service

    Function: file.managed

    Name: /etc/monit/conf.d/openmediavault-engined.conf

    Result: True

    Comment: File /etc/monit/conf.d/openmediavault-engined.conf is in the correct state

    Started: 15:01:18.108490

    Duration: 26.252 ms

    Changes:

    ----------

    ID: configure_monit_php-fpm_service

    Function: file.managed

    Name: /etc/monit/conf.d/openmediavault-phpfpm.conf

    Result: True

    Comment: File /etc/monit/conf.d/openmediavault-phpfpm.conf is in the correct state

    Started: 15:01:18.135126

    Duration: 26.228 ms

    Changes:

    ----------

    ID: remove_monit_proftpd_service

    Function: file.absent

    Name: /etc/monit/conf.d/openmediavault-proftpd.conf

    Result: True

    Comment: File /etc/monit/conf.d/openmediavault-proftpd.conf is not present

    Started: 15:01:18.161782

    Duration: 1.906 ms

    Changes:

    ----------

    ID: configure_monit_rrdcached_service

    Function: file.managed

    Name: /etc/monit/conf.d/openmediavault-rrdcached.conf

    Result: True

    Comment: File /etc/monit/conf.d/openmediavault-rrdcached.conf is in the correct state

    Started: 15:01:18.164048

    Duration: 26.139 ms

    Changes:

    ----------

    ID: configure_monit_system_service

    Function: file.managed

    Name: /etc/monit/conf.d/openmediavault-system.conf

    Result: True

    Comment: File /etc/monit/conf.d/openmediavault-system.conf is in the correct state

    Started: 15:01:18.190571

    Duration: 56.097 ms

    Changes:

    ----------

    ID: configure_default_monit

    Function: file.managed

    Name: /etc/default/monit

    Result: True

    Comment: File /etc/default/monit is in the correct state

    Started: 15:01:18.247057

    Duration: 7.296 ms

    Changes:

    ----------

    ID: configure_monit_monitrc

    Function: file.managed

    Name: /etc/monit/monitrc

    Result: True

    Comment: File /etc/monit/monitrc is in the correct state

    Started: 15:01:18.254732

    Duration: 54.959 ms

    Changes:

    ----------

    ID: test_monit_config

    Function: cmd.run

    Name: monit -t

    Result: True

    Comment: Command "monit -t" run

    Started: 15:01:18.311854

    Duration: 30.222 ms

    Changes:

    ----------

    pid:

    17783

    retcode:

    0

    stderr:

    stdout:

    Control file syntax OK

    ----------

    ID: reload_monit_service

    Function: service.running

    Name: monit

    Result: True

    Comment: The service monit is already running

    Started: 15:01:18.408792

    Duration: 97.904 ms

    Changes:

    Summary for debian

    -------------

    Succeeded: 12 (changed=1)

    Failed: 0

    -------------

    Total states run: 12

    Total run time: 451.639 ms

    ----------

    ID: test_nginx_service_config

    Function: cmd.run

    Name: nginx -t

    Result: True

    Comment: Command "nginx -t" run

    Started: 15:01:18.512358

    Duration: 55.569 ms

    Changes:

    ----------

    pid:

    17792

    retcode:

    0

    stderr:

    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

    nginx: configuration file /etc/nginx/nginx.conf test is successful

    stdout:

    ----------

    ID: restart_nginx_service

    Function: service.running

    Name: nginx

    Result: True

    Comment: The service nginx is already running

    Started: 15:01:18.605429

    Duration: 66.638 ms

    Changes:

    ----------

    ID: monitor_nginx_service

    Function: module.run

    Name: monit.monitor

    Result: False

    Comment: No function provided.

    Started: 15:01:18.675591

    Duration: 1.636 ms

    Changes:

    Summary for debian

    ------------

    Succeeded: 6 (changed=4)

    Failed: 2

    ------------

    Total states run: 8

    Total run time: 4.639 s in /usr/share/php/openmediavault/system/process.inc:182

    Stack trace:

    #0 /usr/share/php/openmediavault/engine/module/serviceabstract.inc(60): OMV\System\Process->execute()

    #1 /usr/share/openmediavault/engined/rpc/config.inc(167): OMV\Engine\Module\ServiceAbstract->deploy()

    #2 [internal function]: Engined\Rpc\Config->applyChanges(Array, Array)

    #3 /usr/share/php/openmediavault/rpc/serviceabstract.inc(123): call_user_func_array(Array, Array)

    #4 /usr/share/php/openmediavault/rpc/serviceabstract.inc(149): OMV\Rpc\ServiceAbstract->callMethod('applyChanges', Array, Array)

    #5 /usr/share/php/openmediavault/rpc/serviceabstract.inc(588): OMV\Rpc\ServiceAbstract->OMV\Rpc\{closure}('/tmp/bgstatustK...', '/tmp/bgoutput9P...')

    #6 /usr/share/php/openmediavault/rpc/serviceabstract.inc(159): OMV\Rpc\ServiceAbstract->execBgProc(Object(Closure))

    #7 /usr/share/openmediavault/engined/rpc/config.inc(189): OMV\Rpc\ServiceAbstract->callMethodBg('applyChanges', Array, Array)

    #8 [internal function]: Engined\Rpc\Config->applyChangesBg(Array, Array)

    #9 /usr/share/php/openmediavault/rpc/serviceabstract.inc(123): call_user_func_array(Array, Array)

    #10 /usr/share/php/openmediavault/rpc/rpc.inc(86): OMV\Rpc\ServiceAbstract->callMethod('applyChangesBg', Array, Array)

    #11 /usr/sbin/omv-engined(537): OMV\Rpc\Rpc::call('Config', 'applyChangesBg', Array, Array, 1)

    #12 {main}

  • Are you sure, you are using the correct password for user Temp?

    The error indicates, you are not.

    If you got help in the forum and want to give something back to the project click here (omv) or here (scroll down) (plugins) and write up your solution for others.

  • Well I deleted the user 'Temp' and went in as the usual user that is also 'admin' on the webgui.

    This user can access OMV via the GUI as 'admin' but he cannot access via the terminal/SSH.


    So I checked the following:


    - SSH root login: allowed

    - admin PW: correct as it works. And it has always been the same as ''root'

    - User groups: This one is in groups: users, root, adm, sudo, systemd-network, ssh, openmediavault config, openmediavault admin, openmediavault webgui. These are those I identified as potentially relevant amongst others.


    So I'm adding the most recent error log after failed SSH login attempts: "not allowed because not listed in AllowUsers" makes me wonder. But I did check "SSH root login: allowed".


    I have a feeling I may have missed something, but what...?!?


    Apr 5 20:34:22 OMV sshd[21101]: User root from 192.168.7.33 not allowed because not listed in AllowUsers

    Apr 5 20:34:33 OMV sshd[21101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.7.33 user=root

    Apr 5 20:34:35 OMV sshd[21101]: Failed password for invalid user root from 192.168.7.33 port 49394 ssh2

    Apr 5 20:34:45 OMV sshd[21101]: Connection closed by invalid user root 192.168.7.33 port 49394 [preauth]

  • run ssh -vv root@ip_of_omv from your client.

    and cat /etc/ssh/sshd_config on omv

    The config file should contain this line: AllowGroups root ssh


    to find out more about the users, you can use id <insert_user_name_here> on omv cli


  • Hmm...


    The output I received is this:


    From what I read here, the host recognises the client,

    Code
    Host '[192.168.7.33]:112' is known and matches the ECDSA host key.' and 'Found key in /home/OMV/.ssh/known_hosts:3'

    but for some reason it won't accept the PW. There are a few files missing at the beginning of the debug messages but I don't know if this is relevant.

    I'd love to be able to open a terminal from the GUI when logged-in as 'admin'.

  • The output of the other commands is missing.


    The only thing the log tells us is, the client is acting normally, it has a common encryption method with the host and does know the host (OMV).

    And the client's version of ssh is rather old.

    I wonder how it is trying to look up keys, it tries:

    /home/stephan/.ssh and /home/OMV/.ssh

    Has this one been disguised: GBn@GB1

    Do you have a ~/.ssh/config file on the client?


    Besides this, nothing more to check on the client side. It may be worth checking tail -20 /var/log/auth.log on the server


    I have the feeling you disabled root access to the server.


  • Oh I didn’t do the output of cat /etc/ssh/sshd_config because I was assuming I was meant to manage to be root first or I wouldn’t have the correct permissions.


    With regards to where it is looking for the keys:

    This happens when you part copy, part type while on another machine and mix them…

    The machine is /home/OMV/.ssh and GB1@GB1, so should be consistent.


    Will check the cat input later and paste the output straight here. Off to work again first…

  • Hi,


    Below is the output of cat /etc/ssh/sshd_config.

    Root login is allowed and user OMV (together with the previously tested 'example') are permitted.


    So I looked into 'AllowGroups' and checked if user 'OMV' or 'example' is in group 'root'.

    Below is cat /etc/passwd. If I'm correct, user 'OMV' or 'example' should be added to the group 'root'.

    I thought I granted root access to both via the GUI...

    But actually, I'm trying to login as root@... so no need to add any user to the group 'root'.


  • Where does line 13 AllowUsers OMV example come from? AllowUsers takes precedence over AllowGroups.

    From the man page:

    Code
    AllowUsers
             This keyword can be followed by a list of user name patterns,
             separated by spaces.  If specified, login is allowed only for
             user names that match one of the patterns.


    Remove that line, make all users who should log in be in group ssh and that's it.

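    To show why a stray AllowUsers line overrides the AllowGroups root ssh line mentioned earlier in the thread, here is an added Python example (not code from this thread or from the openmediavault project). It reproduces the order in which sshd applies DenyUsers, AllowUsers, DenyGroups and AllowGroups, as documented in sshd_config(5), and goes a little beyond the thread by also handling user@host patterns and the Deny* keywords. The sshd_config excerpt and the group memberships are constructed to mirror this case: an AllowGroups root ssh line plus an AllowUsers OMV example line.

```python
"""Evaluate sshd's per-user access control the way sshd does it.

Added example, not from the OMV forum thread or the OMV project. The
check order is the one sshd_config(5) documents: DenyUsers, AllowUsers,
DenyGroups, AllowGroups. The config text and group table are constructed.
"""
import fnmatch
import re

# Constructed sshd_config excerpt: the AllowGroups line the SSH plugin is
# expected to write, plus a stray AllowUsers line like the one in the thread.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
AllowGroups root ssh
AllowUsers OMV example
PasswordAuthentication yes
"""

# Constructed group memberships, i.e. what `id <user>` would report.
SAMPLE_GROUPS = {
    "root": ["root"],
    "OMV": ["users", "ssh", "sudo"],
    "example": ["users", "ssh"],
    "Temp": ["users"],
}

_ACL_KEYS = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")


def parse_sshd_config(text):
    """Return {keyword: [patterns]} for the four access-control keywords.

    Keywords are case-insensitive and repeated lines accumulate. Parsing
    stops at the first Match block, because settings there are conditional.
    """
    acl = {k: [] for k in _ACL_KEYS}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        for canonical in _ACL_KEYS:
            if key == canonical.lower() and len(parts) == 2:
                acl[canonical].extend(parts[1].split())
    return acl


def _match_any(name, patterns, host=None):
    """True if name matches any shell-style pattern; user@host needs host."""
    for pat in patterns:
        if "@" in pat:
            upat, hpat = pat.split("@", 1)
            if (fnmatch.fnmatchcase(name, upat) and host is not None
                    and fnmatch.fnmatchcase(host, hpat)):
                return True
        elif fnmatch.fnmatchcase(name, pat):
            return True
    return False


def check_login(user, acl, groups, host=None):
    """Return (allowed, reason) as sshd decides it before authentication.

    An AllowUsers line that exists but does not list the user rejects the
    login even when AllowGroups would admit it; that is exactly the
    'not allowed because not listed in AllowUsers' log line.
    """
    if _match_any(user, acl["DenyUsers"], host):
        return False, "listed in DenyUsers"
    if acl["AllowUsers"] and not _match_any(user, acl["AllowUsers"], host):
        return False, "not listed in AllowUsers"
    user_groups = groups.get(user, [])
    if any(_match_any(g, acl["DenyGroups"]) for g in user_groups):
        return False, "a group is listed in DenyGroups"
    if acl["AllowGroups"] and not any(
            _match_any(g, acl["AllowGroups"]) for g in user_groups):
        return False, "not in any AllowGroups group"
    return True, "allowed"


def evaluate(config_text=SAMPLE_SSHD_CONFIG, groups=SAMPLE_GROUPS):
    """Evaluate every known user against the parsed config."""
    acl = parse_sshd_config(config_text)
    return {u: check_login(u, acl, groups) for u in groups}


if __name__ == "__main__":
    for user, (ok, why) in evaluate().items():
        print(f"{user:8s} {'ALLOW' if ok else 'DENY ':5s} {why}")
    print("-- after removing the AllowUsers line --")
    for user, (ok, why) in evaluate(
            SAMPLE_SSHD_CONFIG.replace("AllowUsers OMV example\n", "")).items():
        print(f"{user:8s} {'ALLOW' if ok else 'DENY ':5s} {why}")
```

    With the sample as written, root is denied with "not listed in AllowUsers" even though root is in group root; remove the AllowUsers line and root passes via AllowGroups while Temp, who is in neither group, is still denied.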

  • Log in as a normal user and su root  (if you know the password of root)


  • Perfect!!!


    The key to it all was that I could login as root with su root.

    So I added user 'root' to AllowUsers plus sudo ssh restart, and voilà, I could log on as 'root'.

    I had second thoughts about security then however as I noticed quite a few attempts on /var/log/auth.log that were denied from IPs that I do not recognise (which I once traced back somewhere to the other end of the world).

    So I'm assuming 'root' is a default choice for a brute force attack, although a PW is still in the way.

    Logging in as a user then go root is probably safer after all.


    Thanks for the patience. Loving Linux systems even more now!
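    As an added example (not from this thread or the openmediavault project) of how to make sense of the auth.log entries discussed above, the Python script below separates three things the log mixes together: rejections caused by the local AllowUsers line, failed password attempts grouped by source address and user name, and any accepted login from outside the trusted LAN ranges. The log lines are constructed in the same format as those quoted in the thread; 203.0.113.45 is a documentation address standing in for an unknown source, and the trusted prefixes are an assumption.

```python
"""Summarise sshd failures in an auth.log by source address and user.

Added example, not from the thread or the OMV project. The log lines are
constructed in the format sshd writes; 203.0.113.45 is a documentation
address used as a placeholder for an unrecognised source.
"""
import re
from collections import Counter, defaultdict

SAMPLE_AUTH_LOG = """\
Apr 5 20:34:22 OMV sshd[21101]: User root from 192.168.7.33 not allowed because not listed in AllowUsers
Apr 5 20:34:35 OMV sshd[21101]: Failed password for invalid user root from 192.168.7.33 port 49394 ssh2
Apr 5 20:34:45 OMV sshd[21101]: Connection closed by invalid user root 192.168.7.33 port 49394 [preauth]
Apr 5 21:02:10 OMV sshd[21230]: Failed password for root from 203.0.113.45 port 51234 ssh2
Apr 5 21:02:13 OMV sshd[21230]: Failed password for root from 203.0.113.45 port 51234 ssh2
Apr 5 21:02:17 OMV sshd[21230]: Failed password for root from 203.0.113.45 port 51234 ssh2
Apr 5 21:02:20 OMV sshd[21230]: Failed password for root from 203.0.113.45 port 51234 ssh2
Apr 5 21:05:01 OMV sshd[21244]: Failed password for invalid user admin from 203.0.113.45 port 51300 ssh2
Apr 5 21:30:44 OMV sshd[21260]: Accepted password for OMV from 192.168.7.33 port 49420 ssh2
"""

# "invalid user" is what sshd prints when the name is unknown or refused
# by the access lists, so both forms are folded into one pattern.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
ALLOWUSERS_RE = re.compile(
    r"sshd\[\d+\]: User (?P<user>\S+) from (?P<ip>[\d.]+) "
    r"not allowed because not listed in AllowUsers"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Assumption: these prefixes are the operator's own LAN.
TRUSTED_PREFIXES = ("192.168.", "10.")


def summarise(log_text, trusted_prefixes=TRUSTED_PREFIXES):
    """Return (failed, acl_rejects, foreign_success).

    failed: ip -> Counter(user -> number of failed passwords)
    acl_rejects: ip -> number of AllowUsers rejections (local config issue)
    foreign_success: [(user, ip)] for accepted logins outside trusted ranges
    """
    failed = defaultdict(Counter)
    acl_rejects = Counter()
    foreign_success = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed[m["ip"]][m["user"]] += 1
            continue
        m = ALLOWUSERS_RE.search(line)
        if m:
            acl_rejects[m["ip"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and not m["ip"].startswith(trusted_prefixes):
            foreign_success.append((m["user"], m["ip"]))
    return failed, acl_rejects, foreign_success


def suspicious_sources(failed, threshold=3, trusted_prefixes=TRUSTED_PREFIXES):
    """Addresses outside the trusted ranges with >= threshold failures."""
    return sorted(
        ip for ip, per_user in failed.items()
        if not ip.startswith(trusted_prefixes)
        and sum(per_user.values()) >= threshold
    )


if __name__ == "__main__":
    failed, acl_rejects, foreign = summarise(SAMPLE_AUTH_LOG)
    for ip in suspicious_sources(failed):
        users = ", ".join(f"{u} x{n}" for u, n in failed[ip].most_common())
        print(f"{ip}: {sum(failed[ip].values())} failed passwords ({users})")
    for ip, n in acl_rejects.items():
        print(f"{ip}: {n} rejected by AllowUsers (local config, not an attack)")
    if foreign:
        print("accepted logins from outside trusted ranges:", foreign)
```

    The split matters in practice: the AllowUsers rejections from the LAN address are the configuration problem this thread is about, while repeated failed passwords for root from an address you do not recognise are the pattern worth acting on, for example by denying password login as suggested later in the thread.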

  • GBano

    Changed the title of the thread from “Root Login via SSH vs Admin login via GUI” to “[SOLVED] Root Login via SSH vs Admin login via GUI”.
  • If you expose OMV to the public, set up key-based authentication and deny password login.


  • Well, well, I know what you say is technically correct and the better way to do it.

    But the issue is that I can memorise a PW but not a key.

    For a key I need to rely on hardware and I fear I can get into trouble if a HW issue locks me out.

    So I could write it down somewhere as an emergency backup but that would again be counter-productive to the idea.


    It's the age-old conflict between practicability and security.


    I'm thinking of starting a new thread on this as I'm curious about some entries in the auth.log file (have I been hacked unsuccessfully?).

  • I mean ssh keys, you do not need hardware for that, but only a file on the client you are using to access the server.


    google for ssh public key


  • Understood but that's still the issue: If I lose the file or have a HDD crash on the client, I have no way to get in via this client.


    I will need to read about options for this case still. Practically such situations usually occur when you don't need it, so the plan B then should be easy.

  • Understood but that's still the issue: If I lose the file or have a HDD crash on the client, I have no way to get in via this client.


    I will need to read about options for this case still. Practically such situations usually occur when you don't need it, so the plan B then should be easy.

    Some people carry around a small USB stick that has needed files and programs on it such as various Linux utility programs, rescue systems, and their ssh private keys.

    --
    Google is your friend and Bob's your uncle!


    OMV AMD64 6.x on headless Chenbro NR12000 1U 1x 8m Quad Core E3-1220 3.1GHz 16GB ECC RAM.

  • I use keepass which includes an ssh agent and a password file shared among multiple devices and a copy of it on a USB stick in a vault

