[SOLVED} Root Login via SSH vs Admin login via GUI

Hello,

I'm thoroughly confused....

I can login via the GUI using the 'admin' handle but not as 'root'.

I cannot login via SSH as 'root', "permission denied (publickey,,password)"

The logfile (below) shows that 'root' is not listed in 'AllowUsers'! How can that be?

I tried to add 'root' as a user (because 'root' is not listed as a user in the GUI) but it returned an unauthorised modification of file xxx, didn't work.

Questions:

How can I check and modify/correct 'root' if I have to ('AllowUsers')

How can I also possibly change the 'root' password (via the GUI as my only option right now) as a precaution against my own mistake of perhaps even not having the correct PW (need to exclude all eventualities, even though I am sure this isn't the fault)?

Logfile:

Feb 20 16:54:55 OMV sshd[26442]: User root from 192.168.7.33 not allowed because not listed in AllowUsers

Feb 20 16:55:01 OMV sshd[26442]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.7.33 user=root

Feb 20 16:55:03 OMV sshd[26442]: Failed password for invalid user root from 192.168.7.33 port 35056 ssh2

Hi,

I've tried the suggested way: Added a user (Temp), added him to groups SSH and SUDO, applied/saved the settings and tried to login via a shell: Not possible.

There was an error message when saving the settings in the GUI but from what I understand it doesn't seem to be related to this issue (displayed below for reference still) unless the ssl certificate key had to be generated for the new user and this seems to have failed. There was no certificate to add when I created the user.

The authentication log shows this:

Feb 27 15:04:04 OMV sshd[18030]: Failed password for invalid user Temp from 192.168.7.33 port 48496 ssh2

Feb 27 15:04:12 OMV sshd[18030]: Failed password for invalid user Temp from 192.168.7.33 port 48496 ssh2

Feb 27 15:04:20 OMV sshd[18030]: Failed password for invalid user Temp from 192.168.7.33 port 48496 ssh2

Feb 27 15:04:20 OMV sshd[18030]: Connection closed by invalid user Temp 192.168.7.33 port 48496 [preauth]

OMV\ExecException: Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C.UTF-8; omv-salt deploy run nginx 2>&1' with exit code '1': debian:

----------

ID: prereq_nginx_certificates

Function: salt.state

Result: False

Comment: Run failed on minions: debian

Started: 15:01:13.985035

Duration: 2536.612 ms

Changes:

debian:

----------

ID: remove_ssl_certificates_crt

Function: module.run

Result: True

Comment: file.find: ['/etc/ssl/certs/openmediavault-e9b35fd3-7a09-4a67-99d6-122417915dd4.crt']

Started: 15:01:14.580269

Duration: 16.26 ms

Changes:

----------

file.find:

- /etc/ssl/certs/openmediavault-e9b35fd3-7a09-4a67-99d6-122417915dd4.crt

----------

ID: remove_ssl_certificates_key

Function: module.run

Name: file.find

Result: False

Comment: No function provided.

Started: 15:01:14.596825

Duration: 1.465 ms

Changes:

----------

ID: create_ssl_e9b35fd3-7a09-4a67-99d6-122417915dd4_crt

Function: file.managed

Name: /etc/ssl/certs/openmediavault-e9b35fd3-7a09-4a67-99d6-122417915dd4.crt

Result: True

Comment: File /etc/ssl/certs/openmediavault-e9b35fd3-7a09-4a67-99d6-122417915dd4.crt updated

Started: 15:01:14.601679

Duration: 7.857 ms

Changes:

----------

diff:

New file

mode:

0644

----------

ID: create_ssl_e9b35fd3-7a09-4a67-99d6-122417915dd4_key

Function: file.managed

Name: /etc/ssl/private/openmediavault-e9b35fd3-7a09-4a67-99d6-122417915dd4.key

Result: True

Comment: File /etc/ssl/private/openmediavault-e9b35fd3-7a09-4a67-99d6-122417915dd4.key is in the correct state

Started: 15:01:14.609888

Duration: 78.126 ms

Changes:

----------

ID: update_ssl_certificates

Function: cmd.run

Name: update-ca-certificates --fresh

Result: True

Comment: Command "update-ca-certificates --fresh" run

Started: 15:01:14.690264

Duration: 1817.608 ms

Changes:

----------

pid:

16363

retcode:

0

stderr:

stdout:

Clearing symlinks in /etc/ssl/certs...

done.

Updating certificates in /etc/ssl/certs...

137 added, 0 removed; done.

Running hooks in /etc/ca-certificates/update.d...

done.

----------

ID: remove_ssh_certificates

Function: module.run

Result: True

Comment: file.find: []

Started: 15:01:16.508602

Duration: 6.224 ms

Changes:

----------

file.find:

Summary for debian

------------

Succeeded: 5 (changed=4)

Failed: 1

------------

Total states run: 6

Total run time: 1.928 s

----------

ID: configure_nginx_site_webgui

Function: file.managed

Name: /etc/nginx/sites-available/openmediavault-webgui

Result: True

Comment: File /etc/nginx/sites-available/openmediavault-webgui is in the correct state

Started: 15:01:16.529194

Duration: 179.271 ms

Changes:

----------

ID: configure_nginx_security

Function: file.managed

Name: /etc/nginx/openmediavault-webgui.d/security.conf

Result: True

Comment: File /etc/nginx/openmediavault-webgui.d/security.conf is in the correct state

Started: 15:01:16.708980

Duration: 80.864 ms

Changes:

----------

ID: execute_nginx_ensite

Function: cmd.run

Name: nginx_ensite openmediavault-webgui

Result: True

Comment: Command "nginx_ensite openmediavault-webgui" run

Started: 15:01:16.792590

Duration: 22.447 ms

Changes:

----------

pid:

17775

retcode:

0

stderr:

stdout:

Site configuration file 'openmediavault-webgui' is already enabled.

----------

ID: prereq_nginx_service_monit

Function: salt.state

Result: True

Comment: States ran successfully. Updating debian.

Started: 15:01:16.815696

Duration: 1696.048 ms

Changes:

debian:

----------

ID: configure_monit_collectd_service

Function: file.managed

Name: /etc/monit/conf.d/openmediavault-collectd.conf

Result: True

Comment: File /etc/monit/conf.d/openmediavault-collectd.conf is in the correct state

Started: 15:01:17.982943

Duration: 72.744 ms

Changes:

----------

ID: configure_monit_filesystem_service

Function: file.managed

Name: /etc/monit/conf.d/openmediavault-filesystem.conf

Result: True

Comment: File /etc/monit/conf.d/openmediavault-filesystem.conf is in the correct state

Started: 15:01:18.055962

Duration: 28.714 ms

Changes:

----------

ID: configure_monit_nginx_service

Function: file.managed

Name: /etc/monit/conf.d/openmediavault-nginx.conf

Result: True

Comment: File /etc/monit/conf.d/openmediavault-nginx.conf is in the correct state

Started: 15:01:18.084994

Duration: 23.178 ms

Changes:

----------

ID: configure_monit_omv-engined_service

Function: file.managed

Name: /etc/monit/conf.d/openmediavault-engined.conf

Result: True

Comment: File /etc/monit/conf.d/openmediavault-engined.conf is in the correct state

Started: 15:01:18.108490

Duration: 26.252 ms

Changes:

----------

ID: configure_monit_php-fpm_service

Function: file.managed

Name: /etc/monit/conf.d/openmediavault-phpfpm.conf

Result: True

Comment: File /etc/monit/conf.d/openmediavault-phpfpm.conf is in the correct state

Started: 15:01:18.135126

Duration: 26.228 ms

Changes:

----------

ID: remove_monit_proftpd_service

Function: file.absent

Name: /etc/monit/conf.d/openmediavault-proftpd.conf

Result: True

Comment: File /etc/monit/conf.d/openmediavault-proftpd.conf is not present

Started: 15:01:18.161782

Duration: 1.906 ms

Changes:

----------

ID: configure_monit_rrdcached_service

Function: file.managed

Name: /etc/monit/conf.d/openmediavault-rrdcached.conf

Result: True

Comment: File /etc/monit/conf.d/openmediavault-rrdcached.conf is in the correct state

Started: 15:01:18.164048

Duration: 26.139 ms

Changes:

----------

ID: configure_monit_system_service

Function: file.managed

Name: /etc/monit/conf.d/openmediavault-system.conf

Result: True

Comment: File /etc/monit/conf.d/openmediavault-system.conf is in the correct state

Started: 15:01:18.190571

Duration: 56.097 ms

Changes:

----------

ID: configure_default_monit

Function: file.managed

Name: /etc/default/monit

Result: True

Comment: File /etc/default/monit is in the correct state

Started: 15:01:18.247057

Duration: 7.296 ms

Changes:

----------

ID: configure_monit_monitrc

Function: file.managed

Name: /etc/monit/monitrc

Result: True

Comment: File /etc/monit/monitrc is in the correct state

Started: 15:01:18.254732

Duration: 54.959 ms

Changes:

----------

ID: test_monit_config

Function: cmd.run

Name: monit -t

Result: True

Comment: Command "monit -t" run

Started: 15:01:18.311854

Duration: 30.222 ms

Changes:

----------

pid:

17783

retcode:

0

stderr:

stdout:

Control file syntax OK

----------

ID: reload_monit_service

Function: service.running

Name: monit

Result: True

Comment: The service monit is already running

Started: 15:01:18.408792

Duration: 97.904 ms

Changes:

Summary for debian

-------------

Succeeded: 12 (changed=1)

Failed: 0

-------------

Total states run: 12

Total run time: 451.639 ms

----------

ID: test_nginx_service_config

Function: cmd.run

Name: nginx -t

Result: True

Comment: Command "nginx -t" run

Started: 15:01:18.512358

Duration: 55.569 ms

Changes:

----------

pid:

17792

retcode:

0

stderr:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

nginx: configuration file /etc/nginx/nginx.conf test is successful

stdout:

----------

ID: restart_nginx_service

Function: service.running

Name: nginx

Result: True

Comment: The service nginx is already running

Started: 15:01:18.605429

Duration: 66.638 ms

Changes:

----------

ID: monitor_nginx_service

Function: module.run

Name: monit.monitor

Result: False

Comment: No function provided.

Started: 15:01:18.675591

Duration: 1.636 ms

Changes:

Summary for debian

------------

Succeeded: 6 (changed=4)

Failed: 2

------------

Total states run: 8

Total run time: 4.639 s in /usr/share/php/openmediavault/system/process.inc:182

Stack trace:

#0 /usr/share/php/openmediavault/engine/module/serviceabstract.inc(60): OMV\System\Process->execute()

#1 /usr/share/openmediavault/engined/rpc/config.inc(167): OMV\Engine\Module\ServiceAbstract->deploy()

#2 [internal function]: Engined\Rpc\Config->applyChanges(Array, Array)

#3 /usr/share/php/openmediavault/rpc/serviceabstract.inc(123): call_user_func_array(Array, Array)

#4 /usr/share/php/openmediavault/rpc/serviceabstract.inc(149): OMV\Rpc\ServiceAbstract->callMethod('applyChanges', Array, Array)

#5 /usr/share/php/openmediavault/rpc/serviceabstract.inc(588): OMV\Rpc\ServiceAbstract->OMV\Rpc\{closure}('/tmp/bgstatustK...', '/tmp/bgoutput9P...')

#6 /usr/share/php/openmediavault/rpc/serviceabstract.inc(159): OMV\Rpc\ServiceAbstract->execBgProc(Object(Closure))

#7 /usr/share/openmediavault/engined/rpc/config.inc(189): OMV\Rpc\ServiceAbstract->callMethodBg('applyChanges', Array, Array)

#8 [internal function]: Engined\Rpc\Config->applyChangesBg(Array, Array)

#9 /usr/share/php/openmediavault/rpc/serviceabstract.inc(123): call_user_func_array(Array, Array)

#10 /usr/share/php/openmediavault/rpc/rpc.inc(86): OMV\Rpc\ServiceAbstract->callMethod('applyChangesBg', Array, Array)

#11 /usr/sbin/omv-engined(537): OMV\Rpc\Rpc::call('Config', 'applyChangesBg', Array, Array, 1)

#12 {main}

Well I deleted the user 'Temp' and went in as the usual user that is also 'admin' on the webgui.

This user can access OMV via the GUI as 'admin' but he cannot access via the teminal/SSH.

So I checked the following:

- SSH root login: allowed

- admin PW: correct as it works. And it has always been the same as ''root'

- User groups: This one is in groups: users, root, adm, sudo, systemd-network, ssh, openmediavault config, openmediavault admin, openmediavault webgui. These are those I dentifies as potentially relevant amongst others.

So I'm adding the most recent error log after failed SSH login attempts: "not allowed because not listed in AllowUsers" makes me wonder. But I did check "SSH root login: allowed".

I have a feeling I may have missed something, but what...?!?

Apr 5 20:34:22 OMV sshd[21101]: User root from 192.168.7.33 not allowed because not listed in AllowUsers

Apr 5 20:34:33 OMV sshd[21101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.7.33 user=root

Apr 5 20:34:35 OMV sshd[21101]: Failed password for invalid user root from 192.168.7.33 port 49394 ssh2

Apr 5 20:34:45 OMV sshd[21101]: Connection closed by invalid user root 192.168.7.33 port 49394 [preauth]

Hmm...

The output I received is this:

GBn@GB1:~$ ssh -vv root@192.168.7.33 -p112
OpenSSH_7.6p1 Ubuntu-4ubuntu0.6, OpenSSL 1.0.2n  7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "192.168.7.33" port 112
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 192.168.7.33 [192.168.7.33] port 112.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/stephan/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/OMV/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/OMV/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/OMV/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/OMV/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/OMV/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/OMV/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/OMV/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-10+deb10u2
debug1: match: OpenSSH_7.9p1 Debian-10+deb10u2 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.7.33:112 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:aqaHiutipodR+zN58NG/bI/es2l8jMxloFDxMw6hIp0
debug1: Host '[192.168.7.33]:112' is known and matches the ECDSA host key.
debug1: Found key in /home/OMV/.ssh/known_hosts:3
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: /home/OMV/.ssh/id_rsa ((nil))
debug2: key: /home/OMV/.ssh/id_dsa ((nil))
debug2: key: /home/OMV/.ssh/id_ecdsa ((nil))
debug2: key: /home/OMV/.ssh/id_ed25519 ((nil))
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/OMV/.ssh/id_rsa
debug1: Trying private key: /home/OMV/.ssh/id_dsa
debug1: Trying private key: /home/OMV/.ssh/id_ecdsa
debug1: Trying private key: /home/OMV/.ssh/id_ed25519
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
root@192.168.7.33's password:
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
root@192.168.7.33's password:
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
root@192.168.7.33's password:
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
root@192.168.7.33: Permission denied (publickey,password).

From what I read here, the host recognises the client,

Host '[192.168.7.33]:112' is known and matches the ECDSA host key.' and 'Found key in /home/OMV/.ssh/known_hosts:3'

but for some reason it won''t accept the PW. There are a few files missing at the beginning of the debug messages but I don't know if this is relevant.

I'd love to be able to open a terminal from the GUI when logged-in as 'admin'.

Oh I didn’t do the output of cat /etc/ssh/sshd_config because I was assuming I was meant to manage to be root first or I wouldn’t have the correct permissions.

With regards to where it is looking for the key:s:

This happens when you part copy, part type while on another machine and mix them…

The machine is /home/OMV/.ssh and GB1@GB1, so should be consistent.

Will check the cat input later and paste the output straight here. Off to work again first…

Hi,

Below is the output of cat /etc/ssh/sshd_config.

Root login is allowed and user OMV (together with the previously tested 'example') are permitted.

HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
AllowGroups root ssh
AllowUsers OMV example
AddressFamily any
Port 112
PermitRootLogin yes
AllowTcpForwarding no
Compression no
PasswordAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 /var/lib/openmediavault/ssh/authorized_keys/%u
PubkeyAuthentication yes

So I looked into 'AllowGroups' and checked if user 'OMV' or 'example' is in group 'root'.

Below is cat /etc/passwd. If I'm correct, user 'OMV' or 'example' should be added to the group 'root'.

I thought I granted root access to both via the GUI...

But actually, I'm trying to login as root@... so no need to add any user to the group 'root'.

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:111::/nonexistent:/usr/sbin/nologin
postfix:x:105:112::/var/spool/postfix:/usr/sbin/nologin
_chrony:x:106:114:Chrony daemon,,,:/var/lib/chrony:/usr/sbin/nologin
proftpd:x:107:65534::/run/proftpd:/usr/sbin/nologin
ftp:x:108:65534::/srv/ftp:/usr/sbin/nologin
_rpc:x:109:65534::/run/rpcbind:/usr/sbin/nologin
statd:x:110:65534::/var/lib/nfs:/usr/sbin/nologin
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
avahi:x:112:116:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
openmediavault-webgui:x:999:996::/home/openmediavault-webgui:/usr/sbin/nologin
admin:x:998:100:WebGUI administrator:/home/admin:/usr/sbin/nologin
systemd-coredump:x:995:995:systemd Core Dumper:/:/usr/sbin/nologin
OMV:x:1000:100::/home/OMV:/usr/bin/bash
mysql:x:113:118:MySQL Server,,,:/nonexistent:/bin/false
example:x:1001:1002:example,,,:/home/example:/bin/bash

Right, well I tried to edit it but without root privileges, this doesn't seem to work.

Any chance this can be done from the GUI?

Perfect!!!

The key to it all was that I could login as root with su root.

So added user 'root' to AllowUsers plus sudo ssh restart and et voila, I could logon as 'root'.

I had second thoughts about security then however as I noticed quite a few attempts on /var/log/auth.log that were denied from IPs that I do not recognise (which I once traced back somewhere to the other end of the world).

So I'm assuming 'root' is a default choice for a brute force attack, although a PW is still in the way.

Logging in as a user then go root is probably safer after all.

Thanks for the patience. Loving Linux systems even more now!

Well, well, I know what you say is technically correct and the better way to do it.

But the issue is that I can memorise a PW but not a key.

For a key I need to rely on hardware and I fear I can get into trouble if a HW issue locks me out.

So I could write it down somewhere as an emergency backup but that would again be counter-productive to the idea.

It's the age-old conflict between practicability and security.

I'm thinking of starting a new thread on this as I'm curious about some entries in the auth.log file (have I been hacked unsuccessfully?).

Understood but that's still the issue: If I lose the file or have a HDD crash on the client, I have no way to get in via this client.

I will need to read about options for this case still. Practically such situations usually occur when you don't need it, so the plan B then should be easy.