Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Failed to log in using password #846

Open
HouMinXi opened this issue Feb 28, 2025 · 1 comment
Open

Failed to log in using password #846

HouMinXi opened this issue Feb 28, 2025 · 1 comment

Comments

@HouMinXi
Copy link

Container file as below

FROM quay.io/fedora/fedora-bootc:41
ADD http://lab-02.rhts.eng.rdu.redhat.com/beaker/anamon3 /usr/local/sbin/anamon
RUN chmod 755 /usr/local/sbin/anamon
COPY beaker-harness.repo /etc/yum.repos.d/beaker-harness.repo
RUN dnf install -y restraint audit && dnf -y clean all

build the image

podman build -t image_mode_mhou_f41:latest -f Containerfile .
cat config.toml
[[customizations.user]]
name = "root"
password = "redhat"
groups = ["wheel"]
# podman run     --rm     -it     --privileged     --pull=newer  --tls-verify=false   --security-opt label=type:unconfined_t     -v ./config.toml:/config.toml:ro     -v "./output":/output     -v /var/lib/containers/storage:/var/lib/containers/storage     "quay.io/centos-bootc/bootc-image-builder:latest"     --type raw    --tls-verify=false    --rootfs "xfs"     --local     "localhost/image_mode_mhou_f41"

start a guest image and try to login

/usr/libexec/qemu-kvm \
    -name mhou-vm \
    -enable-kvm \
    -cpu host \
    -m 2G \
    -drive file="root/image/disk.raw",if=virtio,format=raw \
    -net nic,model=virtio \
    -net user,hostfwd=tcp::2222-:22 \
    -display none \
    -daemonize

ssh -p 2222 root@localhost #failed to using root/redhat to login.

podman info output as below

# podman info
host:
  arch: amd64
  buildahVersion: 1.37.6
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-1.el9.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: c0564282e9befb7804c3642230f8e94f1b2ba9f8'
  cpuUtilization:
    idlePercent: 99.98
    systemPercent: 0.01
    userPercent: 0.01
  cpus: 64
  databaseBackend: sqlite
  distribution:
    distribution: rhel
    version: "9.5"
  eventLogger: journald
  freeLocks: 2048
  hostname: dell-per760-08.rhts.eng.pek2.redhat.com
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.14.0-503.29.1.el9_5.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 126245384192
  memTotal: 133979136000
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.12.2-1.el9_5.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.12.2
    package: netavark-1.12.2-1.el9.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.12.2
  ociRuntime:
    name: crun
    package: crun-1.16.1-1.el9.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.16.1
      commit: afa829ca0122bd5e1d67f1f38e6cc348027e3c32
      rundir: /run/user/0/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20240806.gee36266-6.el9_5.x86_64
    version: |
      pasta 0^20240806.gee36266-6.el9_5.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.3.1-1.el9.x86_64
    version: |-
      slirp4netns version 1.3.1
      commit: e5e368c4f5db6ae75c2fce786e31eef9da6bf236
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.2
  swapFree: 4294963200
  swapTotal: 4294963200
  uptime: 34h 17m 22.00s (Approximately 1.42 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.access.redhat.com
  - registry.redhat.io
  - docker.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 75094818816
  graphRootUsed: 9998528512
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 8
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 5.2.2
  Built: 1737721907
  BuiltTime: Fri Jan 24 07:31:47 2025
  GitCommit: ""
  GoVersion: go1.22.9 (Red Hat 1.22.9-2.el9_5)
  Os: linux
  OsArch: linux/amd64
  Version: 5.2.2
@miabbott
Copy link

I think this more about the defaults of sshd not allowing root logins with a password.

$ podman run --rm -it quay.io/fedora/fedora-bootc:41 cat /etc/ssh/sshd_config | grep PermitRootLogin
#PermitRootLogin prohibit-password

Since that is commented out, I suspect it is using the default value. The defaults according to man page says:

       PermitRootLogin
               Specifies whether root can log in using ssh(1).  The argument must be yes, prohibit-password, forced-commands-only, or no.  The default is prohibit-password.

               If this option is set to prohibit-password (or its deprecated alias, without-password), password and keyboard-interactive authentication are disabled for root.

               If this option is set to forced-commands-only, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed).  All other authentication methods are disabled for root.

               If this option is set to no, root is not allowed to log in.

I would inject an SSH key for the root user during build time and try logging in with the SSH key.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@miabbott @HouMinXi