New OpenSuSE Tumbleweed cannot ssh in

Problem: I’ve installed OpenSuSE Tumbleweed fresh on new hardware, and I cannot log in as root with ssh. The solution is three steps.

I should also mention the symptoms: I could try to log in with ssh root@host and I would get prompted for the password – as if it was going to work. But no matter how many times I put in the password, I would simply get prompted to enter the Password again, as if I had typed it wrong.

I used an ISO of OpenSuSE Tumbleweed and the super easy to use Imagewriter to make a bootable USB. I installed openSuSE Tumbleweed fresh, with the option to delete every existing disk partition no matter what: this is about the simplest OpenSuSE Tumbleweed install I can make. Oh, and I installed it as a server install, without a graphical user environment. It’s going to be a Nextcloud server. Actually, the whole idea of installing Tumbleweed for a server was a bad idea. I’m going to wipe it and install OpenSuSE Leap. Problem is, I’d like to install and configure and the database and Nextcloud from the machine I’m typing this on, and not from the text console attached to the physical hardware. For that, I’m going to need ssh.

Care to guess what doesn’t work out of the box?

Solution:

  1. cp /usr/etc/ssh/sshd_config /etc/ssh/
  2. edit sshd_config and change the following
    • PermitRootLogin yes
    • PasswordAuthentication yes
  3. reboot now

So, apparently the idea is that allowing root to ssh in with “just” a password is a bad idea. This is why the default settings were changed to make it not work. But this does leave us with a bit of the “pulling ourselves up by our bootstraps” problem: how can I use ssh-copy-id root@host if I cannot complete the operation by logging in as root?

We’ve got to be able to authenticate before the keys can be copied up; otherwise any random bad guy would load their keys in. But if we’re not allowed to authenticate “because passwords are bad”, then we’re not allowed to authenticate….

This is way less of a problem if I’m working on a virtual machine. VMs have a virtual console, and opening that is trivial. I can log in as if I were on the physical console at the same time I have web pages open searching for the way to fix this problem.

But today’s case wasn’t a virtual machine – it was a physical machine in the other room. Without a web browser.

Well, okay, sure, I could install Lynx, but last time I tried, most web sites (including Google) didn’t work. I’m pretty sure the text ssh session doesn’t have a clipboard I could copy/paste “/usr/etc/ssh/sshd_config” to and from, either. But I digress.

The other minor pain point is that there are many articles on the Internet that talk about the PermitRootLogin option and the PasswordAuthentication option. But they say to edit the file: /etc/ssh/sshd_config

That file doesn’t exist there, in a freshly minted ISO from OpenSuSE. They moved it to /usr/etc/ssh because that’s where packages place these files. If someone in the sshd project comes up with a better version, this is where the updated configuration file can be put (without warning) because users are not supposed to store user data in /usr. It’s too much of a hassle to then copy the default file from /usr to /etc without clobbering the user supplied updates: so they don’t. That’s up to me.

But it does mean that the config file I need to edit isn’t there. Gee, thanks.

Now that I have the ssh key copied up to the new server, I’ll go ahead and turn off the root-allowed-to-log-in-with-a-password option.

But man what a PITA it was to get to this point.

Leave a Reply