1

I'm trying to start an SSH server on a minimal Fedora installation. And I mean really minimal: one that is produced by the diskimage-builder ramdisk builder. It does not even have users (/etc/passwd etc. are absent).

So, now I'm trying to run sshd on such a system. During the build I copy /etc/{passwd,group,shadow} from a minimal (hmm.. less minimal) system. I also pregenerate host keys and sshd_config:

PermitRootLogin yes
UsePAM no
UseDNS no
UsePrivilegeSeparation no
PasswordAuthentication yes
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

(full script). In the ramdisk I set the root password via chpasswd and start sshd with

/sbin/sshd -p $SSH_PORT

(SSH_PORT being 22 for now, the default one). And after the ramdisk boots and reports back, I try to log in. Here the fun starts:

debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
root@192.0.2.114's password: 
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
root@192.0.2.114's password:

In the sshd logs on the server I see

debug1: userauth-request for user root service ssh-connection method password
Could not get shadow information for NOUSER
Failed password for invalid user root from 192.0.2.1 port 38734 ssh2

So despite everything I tried, user 'root' stays invalid. Any ideas are appreciated.

chicks
Divius

2 Answers

3

Perhaps you didn't see this comment in the default sshd_config file?

# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.

On Fedora and Red Hat, you must enable PAM authentication.

Michael Hampton
  • 2
    There's no PAM on these ramdisks. Also "cause several problems" does not mean "ok, we broke everything in a strange way" to me... – Divius Jan 30 '15 at 13:49
  • 1
    Well, that certainly explains why you can't authenticate. – Michael Hampton Jan 30 '15 at 13:51
  • 2
    Sorry, but that does not. There was authentication in Unix long before PAM was invented. And the presence of the UsePAM=no option definitely says that sshd should work without it somehow... – Divius Jan 30 '15 at 19:38
3

I suppose you must have solved your problem a long time ago by now?

I have the same type of setup but on Debian, not Fedora: minimal Linux, no PAM, etc., and I stumbled on this problem. Google wasn't helpful; after downloading the OpenSSH sources I found that sshd, in the absence of PAM, uses a glibc function, getpwnam(), in the authentication process. This function, no doubt, is super generic and helpful in any type of environment, but it would not resort to checking /etc/passwd and friends if libnss_files.so.* wasn't installed.

Adding this library to my minimal linux fixed the problem for me. I'm curious to know the reason in your case?

Slipeer
Kerstin
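
A pre-boot check for the condition the answer above describes, as an added example that is not part of the original posts: it audits an unpacked ramdisk tree for a root entry in /etc/passwd and for the libnss_*.so.* module behind each service on the passwd line of nsswitch.conf. The function names, the list of library directories, and the fallback to "files" when no passwd line is configured are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: source this file, then run
#   check_passwd_lookup /path/to/unpacked-ramdisk   (hypothetical path)

# Print the NSS services configured for "passwd" in the image.
# Assumption: fall back to "files" when nsswitch.conf or its passwd line is absent.
passwd_services() {
    conf="$1/etc/nsswitch.conf"
    svcs=""
    if [ -r "$conf" ]; then
        # Take the first passwd line, drop [STATUS=action] items and comments.
        svcs=$(sed -n 's/^[[:space:]]*passwd:[[:space:]]*//p' "$conf" |
               head -n 1 | sed 's/\[[^]]*]//g; s/#.*//')
    fi
    [ -n "$svcs" ] || svcs=files
    echo "$svcs"
}

# Succeed if libnss_<service>.so.* exists in one of the usual library
# directories of the image (directory list is an assumption).
has_nss_module() {
    for dir in lib lib64 usr/lib usr/lib64 \
               lib/x86_64-linux-gnu usr/lib/x86_64-linux-gnu; do
        for f in "$1/$dir/libnss_$2.so."*; do
            [ -e "$f" ] && return 0
        done
    done
    return 1
}

# Report what getpwnam("root") would be missing; return non-zero on any gap.
check_passwd_lookup() {
    root="$1"
    rc=0
    if ! grep -q '^root:' "$root/etc/passwd" 2>/dev/null; then
        echo "FAIL: no root entry in $root/etc/passwd"
        rc=1
    fi
    for svc in $(passwd_services "$root"); do
        if has_nss_module "$root" "$svc"; then
            echo "ok: libnss_$svc.so.* present"
        else
            echo "FAIL: passwd uses '$svc' but libnss_$svc.so.* is missing"
            rc=1
        fi
    done
    return $rc
}
```

Running this against the image before boot surfaces the missing module as a build failure instead of an "invalid user root" line in the sshd log.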