Hetzner root password reset
I am trying to reset the root password for one of the servers hosted on Hetzner.
I followed this guide:
https://docs.hetzner.com/robot/dedicated-server/troubleshooting/hetzner-rescue-system/
I activated the rescue system and followed all the steps, but
I am getting an error when I run the following command:
chroot-prepare /mnt
The error message reads:
'/mnt/run/lock': File already exists
If I skip that command and move forward, it goes smoothly;
however, the new password doesn't work even after a restart.
Any help will be appreciated.
Comments
Are you sure you're actually running passwd inside the chroot? You might be just changing the rescue system's password
Yes pretty sure. I can even see command history which is not from the rescue system
Were you able to confirm that /etc/shadow was updated after running passwd?
XY Problem perhaps, does your sshd config allow password logins?
How can I verify both the things?
In the rescue system after chroot-ing, look at the contents of /etc/shadow before and after running passwd, this stores your password hash and therefore should change after you change your password. Look for a line like yourusername:{LONGASSSTRING}::::.
To check if sshd allows password logins assuming you're using root, check if you have a PermitRootLogin line in your /etc/ssh/sshd_config (obviously after chroot-ing). If you want to allow passwords (you should be using keys tho) this should be PermitRootLogin yes instead of PermitRootLogin prohibit-password.
I checked both the things
1) Hash key is getting updated when I change the password in shadow file. Also I had added another user earlier and I can see it under the list but can't log in using that
2) PermitRootLogin is set to yes
Could it be due to some IP blocking? Even though I tried from a different IP address, is there a way to verify that through the rescue system?
using -v might help
Sorry, where do I need to use that switch?
I am using PuTTY.
Ran it through Windows PowerShell and got this error after entering the password
debug1: read_passphrase: can't open /dev/tty: No such file or directory
do it like this
-vvv
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
debug3: failed to open file:C:/dev/tty error:3
debug1: read_passphrase: can't open /dev/tty: No such file or directory
ls -la /dev/tty
gives me
crw-rw-rw- 1 root tty 5, 0 Jul 27 23:02 /dev/tty
There is no IP blocking
go back to rescue and mount your root drive
mount /dev/mdX /mnt
cd /mnt/root ; ls -lha
and paste the output
this is from chroot /mnt
total 88K
dr-xr-x---. 6 root root 4.0K Jul 19 15:32 .
drwxr-xr-x 20 root root 4.0K Jul 20 15:56 ..
drwx------ 7 root root 4.0K Jul 19 14:51 .acme.sh
-rw-r--r-- 1 root root 1.6K Jul 19 14:19 .bash_cwp
-rw------- 1 root root 4.1K Jul 27 22:47 .bash_history
-rw-r--r--. 1 root root 18 Dec 29 2013 .bash_logout
-rw-r--r--. 1 root root 195 Jul 19 14:19 .bash_profile
-rw-r--r--. 1 root root 244 Jul 19 14:51 .bashrc
-rw-r--r--. 1 root root 136 Jul 19 14:51 .cshrc
drw------- 2 root root 4.0K Jul 20 15:42 .cwp_sessions
-rw------- 1 root root 41 Jul 19 14:19 .my.cnf
drwxr----- 3 root root 4.0K Jul 19 14:18 .pki
-rw------- 1 root root 1.0K Jul 20 14:11 .rnd
-rw-r--r-- 1 root root 1.1K Jul 19 15:13 server.example.com.csr
-rw-r--r-- 1 root root 1.8K Jul 19 15:13 server.tcotunirestaret.com.key.org
drwx------. 2 root root 4.0K Apr 6 13:02 .ssh
-rw-r--r-- 1 root root 1.1K Jul 19 15:32 static.24.5.90.157.clients.your-server.de.csr
-rw-r--r-- 1 root root 1.8K Jul 19 15:32 static.24.5.90.157.clients.your-server.de.key.org1
-rw-r--r-- 1 root root 1.1K Jul 19 14:19 example.com.csr
-rw-r--r-- 1 root root 1.8K Jul 19 14:19 example.com.key.org
-rw-r--r--. 1 root root 165 Jul 19 14:51 .tcshrc
.ssh folder seems intact
cd into .ssh and check if there is an authorized_key file there with a public key
also check your sshd_config file for PasswordAuthentication
if it's set to no, change it to yes and reboot to disk
.ssh folder is empty and PasswordAuthentication was yes
Rebooted to disk, still no luck
looks like you are using CWP
go to the web interface and make sure that you are editing the right sshd file
I don't know how CWP handles it but it could be using AllowGroups and/or AllowUsers
check the sshd if these two options are on or not
I'm assuming it doesn't even try asking for your password since it can't open a tty
Your terminal seems borked, what are you using to ssh? PuTTY, Command Prompt+OpenSSH?
he is using Command Prompt+OpenSSH, I asked him to do -vvv so he went to PowerShell to SSH
I would assume that the path of the ssh client inside PowerShell is incorrect and can't find the right PATH
how about checking the logfiles while in rescue mode?
f.i. check auth.log (from mounted disk) to see if and why the connection might have been denied.
it's either something like AllowUsers as @SeederKun pointed out or a password with special chars that won't translate well when typed in VNC/IPMI vs local ssh client.
I checked the log files and I got the following error
pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
So I guess you were right, it's something to do with AllowUsers. I was able to trace it in the pam file /etc/pam.d/system-auth
requisite pam_succeed_if.so uid >= 1000 quiet_success
I read somewhere that if I disable it, it will work for the time being until autoconfig hits again.
How can I disable this permanently?
did you check sshd_config file for AllowUsers or AllowGroups?
Although I think that CWP doesn't allow root SSH access using PAM restriction
you can disable this behavior but I wouldn't recommend doing so
chroot into disk and add another user for remote shell by
adduser pavan
put a strong password
make sure it's been added to /etc/shadow and /etc/passwd
reboot to disk
use that user with PuTTY and see if it works
doing su after that should allow you to switch to root
don't. simply do not use root to log in directly, esp. not with password auth. CWP disables this for a reason and it's bad practice anyway
as @SeederKun recommends at least add an unprivileged user which you use just for logging in and become root from there.
after all nothing wrong with your password and the way you changed it in rescue mode, that's some good news ;-)
I ended up reinstalling the OS. It was getting too complicated. Thanks a lot for all your help. I really appreciate it
you're welcome, however, your problem most likely will come back, if you install CWP and it sets the same security things, which will then again prevent you from logging in as root directly.
you really should create an unprivileged user anyway to login via ssh and only become root from there afterwards.
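The checks worked through in this thread (shadow entry, sshd_config, the pam_succeed_if uid rule) can be run in one pass against the mounted disk from the rescue system. The script below is an added example, not something posted in the thread; the function names audit_login_blockers and sshd_value are hypothetical, and it assumes the root filesystem is mounted at the path you pass in and that sshd_config uses no Match blocks or Include files.

```shell
#!/bin/sh
# Added example (not from the thread): audit a mounted root filesystem for the
# login blockers discussed above, without booting it. Function names are hypothetical.

# First value of an sshd_config keyword (sshd uses the first occurrence).
# Match blocks and Include files are not followed here.
sshd_value() {  # $1 = sshd_config path, $2 = keyword
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1" 2>/dev/null
}

audit_login_blockers() {  # $1 = mounted root, $2 = account (default: root)
    root=$1; user=${2:-root}; cfg="$root/etc/ssh/sshd_config"
    uid=$(awk -F: -v u="$user" '$1 == u { print $3; exit }' "$root/etc/passwd")
    if [ -z "$uid" ]; then echo "BLOCK passwd: no entry for $user"; return 0; fi

    # A hash field starting with ! or * marks a locked or password-less account.
    hash=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$root/etc/shadow")
    case $hash in
        '!'*|'*'*) echo "BLOCK shadow: $user has a locked password" ;;
    esac

    if [ "$(sshd_value "$cfg" PasswordAuthentication)" = no ]; then
        echo "BLOCK sshd: PasswordAuthentication no"
    fi
    if [ "$uid" -eq 0 ]; then
        prl=$(sshd_value "$cfg" PermitRootLogin)
        case $prl in
            yes) ;;
            '')  echo "CHECK sshd: PermitRootLogin unset, built-in default applies" ;;
            *)   echo "BLOCK sshd: PermitRootLogin $prl" ;;
        esac
    fi
    for kw in AllowUsers AllowGroups; do
        if grep -Eiq "^[[:space:]]*$kw[[:space:]]" "$cfg" 2>/dev/null; then
            echo "CHECK sshd: $kw is set, confirm $user is covered"
        fi
    done

    # PAM: pam_succeed_if.so with 'uid >= N' rejects accounts whose uid is below N.
    for f in "$root"/etc/pam.d/*; do
        [ -f "$f" ] || continue
        awk -v uid="$uid" -v f="${f#"$root"}" '
            /^[ \t]*#/ || !/pam_succeed_if\.so/ { next }
            { for (i = 1; i < NF - 1; i++)
                  if ($i == "uid" && $(i+1) == ">=" && uid + 0 < $(i+2) + 0)
                      print "BLOCK pam: " f " requires uid >= " $(i+2) }' "$f"
    done
}
if [ $# -gt 0 ]; then audit_login_blockers "$@"; fi
```

Run it as `sh audit.sh /mnt root` after mounting the disk; an empty result for an unprivileged account such as the one suggested above means none of these settings stands in its way.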