Installation on a headless remote device failed and completely locked me out of ssh access

  • Hi,


    I probably did something stupid. Last week-end I installed a fresh raspbian on a raspberry3 in a remote location which I want to use for Backup over VPN. I configured the VPN and left the (headless) machine running. The location is 2.5h by car from my home. Then, I drove home and before going to bed I started the OMV installation from my home via ssh shell to the account I had created on that machine.


    To my surprise, the next day I cannot log in (via ssh) to the raspberry any longer. It seems the OMV installer has changed the password (?) or even removed (??) the user account that I had created on the machine - is that possible?


    I then tried to access the web interface. That worked! And with "admin" and "openmediavault" I could even log into the system. However... that web interface is completely empty. I get a Menu with which I was able to set the language and change the password for "admin". But... I cannot log in via ssh to the machine, user admin and that new password don't seem to work for ssh. And I also cannot do anything on the web interface, as the "Select All" section of "Dashboard" to "Select Widgets" is actually completely empty.


    I fear I am now completely stuck and cannot even reboot or shut down that machine without driving 2.5 hours. Any ideas?


  • dg1sek

    Changed the thread title from "Installation on a headless remote device failed" to "Installation on a headless remote device failed and completely locked me out of ssh access".
  • Have you been using a new Raspbian where you need to set user and password instead of pi? There have been cases where this new user has not been put into the group ssh.


    But can you try to clear your browser cache and see if you can get to the menu? Then create a new user, put it into group ssh and you can use it for ssh. admin is not in the group ssh.


    Do you have some logs of what goes sideways when trying to log in via ssh?


    ssh -vv user@server will give more info

    If you got help in the forum and want to give something back to the project click here (omv) or here (scroll down) (plugins) and write up your solution for others.

  • Thanks for your answer.

    ssh -vv admin@server as well as ssh --vv dg1sek@server (that is the account I was using before and on which ssh was working fine) both give the same "permission denied" result in the log:


    Code
    debug1: Next authentication method: password
    admin@10.8.0.7's password: 
    debug2: we sent a password packet, wait for reply
    debug1: Authentications that can continue: publickey,password
    Permission denied, please try again.
    admin@10.8.0.7's password: 


    As for using a browser with clean cache, I tried that, and I also tried to connect from another Raspberry. What I get is always this. How could I add a new user?


    I almost can't believe the install script would have deleted my existing user account(s) on the remote machine - can that really be?


  • Are you sure you are using the admin account to log into the ui?

    If yes, I am out of ideas.


  • Yes, I am using "admin", it's the only account that actually worked. My impression is that my previous user account (the one I was using to log in to run the install script) has been closed down by the install script. If that would show true, it would be really a very bad design. But right now from distance I don't see what else might have happened. sshd is still there as I do get the password prompt etc, but impossible to log in!

  • omv changes the sshd config to only allow access for users in group ssh.

    It puts the user running the install in this group. This may not have worked for you or you were using root to do the install.


    Normally not problematic, if you can use the web ui.


    Admin is not in ssh group and not allowed to log in.


    Did you try root?


  • My impression is that my previous user account (the one I was using to log in to run the install script) has been closed down by the install script

    No, the script would never do this.


    As for access with root, on the Pi image there's no root password unless it's created on CLI.

    That makes it difficult to login via SSH with root (I don't think you can do it passwordless by default).


    Funny is that I also am blocked out from Wireguard ATM to my home LAN.

    Don't know what happened but only when I get home, I can see what is going and I'm 2500Kms away.


    What you need to do (when getting back to the server) is testing everything locally to see if it really works.

    Flash a Lite image and make sure your user is on sudo,ssh and that you can login remote.

    Then install the script and configure everything while on site to know that it's OK.


    Configure the VPN and again, make sure that you can access in all possible situations.


    And for a fail-safe access, make a portforward from WAN port XXXX to LAN port XXXX (set SSH on the GUI to XXXX) in case you're locked out of VPN.

    (This is also valid for me, since I had it and deactivated it)

  • Funny is that I also am blocked out from Wireguard ATM to my home LAN.

    Don't know what happened but only when I get home, I can see what is going and I'm 2500Kms away.

    Well, just a follow up on this statement just to show that some times, the solutions are simple (in this case)


    I had the endpoint on the wireguard clients pointing to a NoIP address that wasn't updated for more than 2 months.

    It was still bound to an old IP I had and, of course, it was clashing.

    After changing the endpoint to the proper WAN IP, presto, Wireguard back in business. (and SSH to LAN)


    dg1sek

    Have you any development on your situation?

  • A month later I finally got to physically access that raspberry.

    The problem was that, for reasons I cannot understand, somehow the openmediavault installation script must have modified the assignments of users in /etc/passwd to groups. And in particular my admin and user accounts were removed from the ssh group. Because of that, I couldn't log in any longer from remote.

    Solution was to connect a keyboard and a monitor to the Raspberry Pi and then manually edit /etc/passwd to add ssh as group again.

    Next problem I face now is that the installation also deactivated the graphical UI of the raspberry and I cannot connect into this headless machine via VNC any longer.

    • Official post

    The problem was that, for reasons I cannot understand, somehow the openmediavault installation script must have modified the assignments of users in /etc/passwd to groups. And in particular my admin and user accounts were removed from the ssh group. Because of that, I couldn't log in any longer from remote.

    There is nothing in the installation script or omv install process that would remove random users from the ssh group. Even the admin user which OMV creates would not be modified if it already existed. Most people get locked out of ssh because their user is not in the ssh group and OMV changes the ssh config to require users to be in the ssh group. The install script will put the calling user (unless root) in the ssh group but never remove a user. Did you not know the root password? ssh should be available to root with being in ssh group by default.

    omv 7.0.5-1 sandworm | 64 bit | 6.8 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.13 | compose 7.1.6 | k8s 7.1.0-3 | cputemp 7.0.1 | mergerfs 7.0.4



  • Quote

    Most people get locked out of ssh because their user is not in the ssh group and OMV changes the ssh config to require users to be in the ssh group. The install script will put the calling user (unless root) in the ssh group but never remove a user. Did you not know the root password? ssh should be available to root with being in ssh group by default.

    Ahhh! That's the explanation then! Thanks!
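
The lockout explained in this thread (sshd restricted to members of group ssh, the login user not in that group) can be checked for before disconnecting from a remote machine. The sketch below is an added example, not part of the thread or of the OMV install script; the function names and the sample `root ssh` policy are assumptions, and negated (`!`) patterns are not handled.

```shell
#!/bin/sh
# Added example: would sshd's AllowGroups setting admit a given user?

# allowed_by_groups "<AllowGroups patterns>" "<groups the user belongs to>"
# Returns 0 if the group policy permits login, 1 if sshd would refuse it.
allowed_by_groups() {
    allow=$1
    groups=$2
    # No AllowGroups directive at all: sshd applies no group restriction.
    [ -z "$allow" ] && return 0
    set -f                       # stop * and ? expanding to file names
    for pat in $allow; do
        for g in $groups; do
            # sshd patterns may contain * and ?; case does the same glob match.
            case $g in
                $pat) set +f; return 0 ;;
            esac
        done
    done
    set +f
    return 1
}

# preflight USER: read the effective server config and the user's real groups.
# Run as root: "sshd -T" prints the effective configuration in lowercase.
preflight() {
    user=$1
    allow=$(sshd -T 2>/dev/null | awk '$1 == "allowgroups" { $1 = ""; print }')
    groups=$(id -nG "$user") || return 2
    if allowed_by_groups "$allow" "$groups"; then
        echo "OK: $user passes AllowGroups (${allow:-unset})"
    else
        echo "LOCKOUT: $user is in [$groups] but sshd allows only [$allow]"
        echo "Fix before logging out: usermod -aG <allowed group> $user"
        return 1
    fi
}

# Constructed sample: the policy described in the thread, user not in group ssh.
allowed_by_groups "root ssh" "dg1sek users sudo" ||
    echo "dg1sek would be refused by sshd"
```

On the device, call `preflight <user>` as root after the install finishes and keep the existing session open until a second login succeeds.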
