Password authentication no longer allowed in the centos7 marketplace image?

For testing installations I used to do the following with the centos7 image:

oneimage create --name testvm --path http://marketplace.opennebula.systems/appliance/4e3b2788-d174-4151-b026-94bb0b987cbb/download --datastore default --prefix vd --driver qcow2
onetemplate create --name testvm --cpu 1 --vcpu 1 --memory 256 --arch x86_64 --disk testvm --nic private --vnc --ssh --net_context
echo CONTEXT = [ USERNAME = root, PASSWORD = password, NETWORK = YES  ] > context.one
onetemplate update testvm -a context.one
onetemplate instantiate testvm

Currently this still results in a template that lists password authentication, but I’m unable to log in (from the VNC console, or over SSH - it hangs) with root/password to the VM.

[oneadmin@frontend ~]$ onetemplate show 0
TEMPLATE 0 INFORMATION                                                          
ID             : 0                   
NAME           : testvm              
USER           : oneadmin            
GROUP          : oneadmin            
REGISTER TIME  : 01/30 17:23:16      

PERMISSIONS                                                                     
OWNER          : um-                 
GROUP          : ---                 
OTHER          : ---                 

TEMPLATE CONTENTS                                                               
CONTEXT=[
  NETWORK="YES",
  PASSWORD="password",
  USERNAME="root" ]
CPU="1.0"
DISK=[
  IMAGE="testvm" ]
GRAPHICS=[
  LISTEN="0.0.0.0",
  TYPE="vnc" ]
MEMORY="256"
NIC=[
  NETWORK="private" ]
OS=[
  ARCH="x86_64" ]
VCPU="1"

Is it my mistake or maybe the password authentication has been disabled in the image?

I thought the images don’t change but a new image will get a new ID.

Hello,

you are right, this has changed in the last release of the Marketplace images. The images weren’t unified: some of them allowed SSH password authentication, some of them didn’t. For security reasons, all were reconfigured to the same settings: not to allow password authentication over SSH, and to use public key authentication.

Setting the PASSWORD is only usable for the interactive console login via VNC.

You can always customize the instance by using START_SCRIPT, and reconfigure in any way you like. E.g.:

CONTEXT = [
  NETWORK = "YES",
  PASSWORD = "SecretPassword",
  START_SCRIPT = "
sed -i -e 's/PasswordAuthentication .*/PasswordAuthentication yes/' /etc/ssh/sshd_config
sed -i -e 's/PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config
systemctl restart sshd
" ]

… this would allow the SSH password authentication.

Best regards,
Vlastimil Holer

For reference, in my case UseDNS no was necessary in /etc/ssh/sshd_config:

$ cat context.one 
CONTEXT = [ USERNAME = root, PASSWORD = password, NETWORK = YES, START_SCRIPT = "sed -i -e 's/.*PasswordAuthentication .*/PasswordAuthentication yes/' /etc/ssh/sshd_config&& sed -i -e 's/.*PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config&& sed -i -e 's/.*UseDNS .*/UseDNS no/' /etc/ssh/sshd_config&& systemctl restart sshd" ]
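Added example, not taken from the posts above or from OpenNebula: a shell helper for a START_SCRIPT that sets an sshd_config keyword even when the existing line is commented out or missing (cases where a plain sed substitution leaves the setting unchanged), without touching Match blocks. The function names are hypothetical; the new line is written first because sshd uses the first value it reads for each keyword.

```shell
#!/bin/sh
# Hypothetical helpers (added example) for editing sshd_config from a START_SCRIPT.

# set_sshd_option FILE KEYWORD VALUE
# Leaves exactly one active global line for KEYWORD, placed at the top of FILE.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    {
        printf '%s %s\n' "$key" "$value"
        # Drop older active global lines for the keyword (keywords are
        # case-insensitive). Comments and everything from the first Match
        # line onward are copied through untouched.
        awk -v k="$key" '
            tolower($1) == "match" { in_match = 1 }
            !in_match && tolower($1) == tolower(k) { next }
            { print }' "$file"
    } > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file owner and mode
    status=$?
    rm -f "$tmp"
    return $status
}

# effective_sshd_option FILE KEYWORD
# Prints the first active global value of KEYWORD, or nothing if it is not set.
effective_sshd_option() {
    awk -v k="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# apply_sshd_config FILE
# Validates the file with sshd test mode first, so a broken edit does not
# take the SSH service down, then restarts the daemon.
apply_sshd_config() {
    sshd -t -f "$1" && systemctl restart sshd
}
```

The same helper sets a keyword back to `no`; an empty result from `effective_sshd_option` means the file leaves that keyword at the sshd built-in default.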