#1 2021-12-23 14:51:14

x-yuri

[SOLVED] Why does ssh not let me in with an empty password on archiso?

Hi,

I've run into this issue, that I can't ssh into the machine booted from an Arch Linux Installer USB drive. `passwd -S` reports that no password is set. And in `/etc/ssh/sshd_config` I have:

```
PermitEmptyPasswords yes
PermitRootLogin yes
```

The error I get is:

```
PAM: Permission denied for root
```

I tried it not from the USB drive, and under the specified conditions (no password, those 2 `sshd` settings) it lets me in. So, sounds like something archiso-specific. And although I can probably work around it, I'd like to know the reason why it doesn't work from the USB drive. What makes it worse, I don't see a way to make pam more verbose. I'm going to provide more details later, but maybe that's enough for somebody to give the answer?

Last edited by x-yuri (2021-12-25 14:04:07)


#2 2021-12-23 16:14:46

seth

Are you sure there isn't more pam messaging in the journal? You should™ be told which module rejects you.
Not sure about the iso condition, but if you edited /etc/ssh/sshd_config to allow the pwless root login, did you restart sshd?


#3 2021-12-25 13:49:19

x-yuri

Well, I rebooted the machine, redid the changes, and it worked :) So basically to make it work without a password you need to change `PermitEmptyPasswords` to `yes` and restart sshd (`systemctl reload sshd`).

Thanks for the suggestions, anyway.

*UPD* About journalctl, that was from the output of a standalone sshd. In the journal in such a case you get:

```
Dec 25 15:52:04 archiso sshd[134836]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.90  user=root
```

Which is not very informative. To get more information you might want to install pam built with --enable-debug. Let me list the needed commands for what it's worth:

```
# pacman -S base-devel asp
# useradd -m u1
# echo '%wheel ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/wheel
# usermod -aG wheel u1
# su - u1
$ asp checkout pam
$ cd pam/repos/core-x86_64
// PKGBUILD: add --enable-debug to the configure command
$ makepkg -si --skippgpcheck
```

`makepkg -efi` to rebuild and reinstall the package w/o destroying the src dir.

That will make some commands produce a lot of output, e.g. pacman and others. To make it go to a file, create `/var/run/pam-debug.log` with `a+rw`.

Last edited by x-yuri (2021-12-25 14:03:14)
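
An audit check for the two settings discussed in this thread, added here as an example and not code from any poster. It relies on the sshd_config(5) rule that the first value obtained for a keyword wins and on the OpenSSH defaults `no` and `prohibit-password`; the function names `effective_opt` and `audit_sshd` and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audits the *global* section of an sshd_config-style file.
# Assumptions: Include lines are not followed; Match blocks are not evaluated.

# effective_opt FILE KEYWORD DEFAULT -> prints the value sshd would use
effective_opt() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)            # keyword ends at blank, tab or =
            key = tolower(n ? substr(line, 1, n - 1) : line)  # keywords: any case
            val = n ? substr(line, n) : ""
            gsub(/^[ \t=]+|[ \t]+$/, "", val)
            if (key == "match") exit             # global section ends here
            if (key == want) { print val; found = 1; exit }   # first value wins
        }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE -> returns 1 when root can log in with an empty password
audit_sshd() {
    empty=$(effective_opt "$1" PermitEmptyPasswords no)
    root=$(effective_opt "$1" PermitRootLogin prohibit-password)
    if [ "$empty" = yes ] && [ "$root" = yes ]; then
        echo "FINDING: passwordless root login enabled in $1"
        return 1
    fi
    echo "ok: PermitEmptyPasswords=$empty PermitRootLogin=$root"
}

# Constructed sample input (not the archiso file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
permitrootlogin yes
PermitEmptyPasswords yes
PermitEmptyPasswords no
Match Address 192.168.0.0/24
    PermitRootLogin no
EOF
audit_sshd "$sample" || true
```

`sshd -T` prints the effective configuration sshd would load from disk. Like this script, it reads the file and does not show what an already-running daemon loaded before the edit.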
