Cannot SSH into root account

Hi,

The root password is the one you set when you deployed the distribution.

Adam

Check your sshd.conf file; this probably has "PermitRootLogin no" (or the "yes" line commented out) in it, rejecting remote root logins.

Under normal circumstances this is a good security principle; don't let people login as root except on the console. It may even be worth while on an linode if your linode account and root accounts have different passwords.

Hmm, I think that the password I'm typing in is correct. I found the following on ssh.com, and think this is causing my problem:

> One possible reason for authentication failure is that the remote host computer may have been configured to require several authentication methods to be used. For example both password and public key authentication could be used for increased security. Even if you entered your password correctly, some other required authentication method could have failed. A relatively common situation is one where the remote host computer is expecting public-key authentication and you have not sent your public key to the host.

I haven't done anything on this yet on my Debian install. Has anyone got any instructions they can provide or links to a tutorial?

If I understand correctly:
* (1) You have successfully logged in to the machine on which your Linode is hosted and are therefore accessing the (virtual) console of your Linode.

(2) You are unable to log in as root on the virtual console.</list> 

If this is the case then sshd configuration has nothing to do with your inability to log in - ssh (on the Linode host) has successfully connected you to the (virtual) console (when you logged in to hostxx.linode.com) and has no part to play in authenticating logins at the virtual console.

It looks like either the password you are using is incorrect or something has gone seriously wrong with the authentication setup on your Linode.

Your inability to su from another account is likely due to the same cause. Many Linux flavours require regular users to be a member of a particular group (usually 'wheel', but it varies) before they are allowed to su, but if the authentication data for root is screwed up then su isn't going to work anyway.

Found a tutorial here:- http://www.suso.org/linux/tutorials/ssh.phtml

I'll try get this working later to see if it solves my problem.

If anyone else has similar links/info then please post them up :)

@pclissold:

If I understand correctly:
* (1) You have successfully logged in to the machine on which your Linode is hosted and are therefore accessing the (virtual) console of your Linode.

(2) You are unable to log in as root on the virtual console.</list> 

If this is the case then sshd configuration has nothing to do with your inability to log in - ssh (on the Linode host) has successfully connected you to the (virtual) console (when you logged in to hostxx.linode.com) and has no part to play in authenticating logins at the virtual console.

It looks like either the password you are using is incorrect or something has gone seriously wrong with the authentication setup on your Linode.

Your inability to su from another account is likely due to the same cause. Many Linux flavours require regular users to be a member of a particular group (usually 'wheel', but it varies) before they are allowed to su, but if the authentication data for root is screwed up then su isn't going to work anyway.

Looks like you posted this before my second post above!

Yes, thinking about it more then perhaps it has to do with 'wheel' or perhaps root password is after all incorrect (?).

I will investigate some more in Webmin…will keep you posted.

Sounds to me like you need to reset the root password.

Not being able to "su -" is a dead give-away since it doesn't sound like PermitRootLoign in sshd_conf or lack of tty0 in /etc/securetty for root console login. No idea about su's group requirements (never heard of that before)..

-Chris

I would definitely agree on the lack of ssh being at fault if you are only attempting to ssh in and then elevate your permissions to root using su -.

If you have not tampered with /etc/securetty and you cannot login as root from the login console obtained from sshing to the linode host, more than likely you simply have the wrong root password.

As far as group requirements for su, a good portion of linux distributions today are requiring a user be part of a particular group in order to su up to the root user, even if you know the password. This inhibits (not prevents) a rouge user from abusing use of a password they should not know. If ssh as root is disabled or set to without-password (i.e. key based only) and their user is not part of the special group required for su, it makes it significantly more difficult to abuse the knowledge if they cannot get to a console login such as the one available in a screen from lish on your linode host.

Look for a line similar to "auth required /lib/security/pamwheel.so useuid" in /etc/pam.d (or wherever your distribution keeps it's pam config files), that is of course assuming you are using pam. If this is the case, you need to add your regular user account to the wheel group in /etc/groups.

Hoping to take another look at this again tonight (European time).

If I need to reset the root password, how can I do this? Can it be done through Webmin, and if so how?

Thanks :)

@efc:

If I need to reset the root password, how can I do this? Can it be done through Webmin, and if so how?

FAQ's are your friend. http://www.linode.com/products/faq.cfm?id=4

I am not sure on using webmin to reset a root password, I only use bashmin. ;)

Heh, managed to reset using Webmin, so I'm in now! :)

Now trying to get SSL working for HTTPS, but I'm tearing my hair out!

Ah well, time to pack it in, Big Brother is on ;)

If everything goes wrong, then wouldn't it be possible to shut the machine down, modify the profile to give the kernel parameter "single", start it up, ssh into the console and then use "passwd" to change root's password from there? That seems like it would work.

Distros vary on what they do in "single" mode.

Another way would be to deploy a small Debian profile, add your old root disk image to /dev/ubdc, boot the debian profile, mount /dev/ubdc someplace, and hack away (copy the password field from Debian's /etc/shadow to the old root's /etc/shadow, or the like)…

-Chris

Sure am glad that I got it working so!

Just as a side note, while trying out some things to allow me login I recreated a new set of SSH RSA keys on my Debian host. That caused a 'middle man hacker attempt' message to appear on my SSH session which refused me connection. Eventually I figured out that my Mandrake ssh session config file had the old auth key - just edited the local Mandrake file using vi (I love vi!) and deleted the offending entry. I retried the SSH connection which then resent the new correct key which was stored on my local PC again - and then I was in. :)

Might come in useful if anyone else encounters this problem.