Hetzner root password reset

pavan Member

I am trying to reset the root password for one of the servers hosted on Hetzner.

I followed this guide:
https://docs.hetzner.com/robot/dedicated-server/troubleshooting/hetzner-rescue-system/

I activated the rescue system and followed all the steps, but
I am getting an error when I run the following command:
chroot-prepare /mnt

The error message reads:
'/mnt/run/lock': File already exists

If I skip that command and move forward, it goes smoothly;
however, the new password doesn't work even after a restart.

Any help will be appreciated.

Comments

  • @pavan said:
    If i skip that command and move forward it goes smoothly
    however the new password doesn't work even after restart

    Are you sure you're actually running passwd inside the chroot? You might be just changing the rescue system's password

  • pavan Member

    @jmgcaguicla said:

    @pavan said:
    If i skip that command and move forward it goes smoothly
    however the new password doesn't work even after restart

    Are you sure you're actually running passwd inside the chroot? You might be just changing the rescue system's password

    Yes pretty sure. I can even see command history which is not from the rescue system

  • Were you able to confirm that /etc/shadow was updated after running passwd?

    XY Problem perhaps, does your sshd config allow password logins?

  • pavan Member

    @jmgcaguicla said:
    Were you able to confirm that /etc/shadow was updated after running passwd?

    XY Problem perhaps, does your sshd config allow password logins?

    How can I verify both things?

  • jmgcaguicla Member
    edited July 2021

    @pavan said:

    @jmgcaguicla said:
    Were you able to confirm that /etc/shadow was updated after running passwd?

    XY Problem perhaps, does your sshd config allow password logins?

    How can i verify both the things?

    1. In the rescue system after chroot-ing, look at the contents of /etc/shadow before and after running passwd, this stores your password hash and therefore should change after you change your password. Look for a line like yourusername:{LONGASSSTRING}::::.

    2. To check if sshd allows password logins assuming you're using root, check if you have a PermitRootLogin line in your /etc/ssh/sshd_config (obviously after chroot-ing). If you want to allow passwords (you should be using keys tho) this should be PermitRootLogin yes instead of PermitRootLogin prohibit-password.

    Thanked by 2pavan SeederKun
  • pavan Member

    I checked both things:
    1) Hash key is getting updated when I change the password in the shadow file. Also, I had added another user earlier and I can see it in the list, but I can't log in using that.

    2) PermitRootLogin is set to yes

    Could it be due to some IP blocking? I tried from a different IP address, but is there a way to verify that through the rescue system?

  • using -v might help

    Thanked by 1pavan
  • pavan Member

    @SeederKun said:
    using -v might help

    Sorry, where do I need to use that switch?
    I am using PuTTY.

  • pavan Member

    @SeederKun said:
    using -v might help

    Ran it through Windows PowerShell and got this error after entering the password:
    debug1: read_passphrase: can't open /dev/tty: No such file or directory

  • @pavan said:

    @SeederKun said:
    using -v might help

    ran it through windows powershell and got this error after entering the password
    debug1: read_passphrase: can't open /dev/tty: No such file or directory

    do it like this -vvv

    Thanked by 1pavan
  • pavan Member
    edited July 2021

    debug3: send packet: type 50
    debug2: we sent a password packet, wait for reply
    debug3: receive packet: type 51
    debug1: Authentications that can continue: publickey,password
    Permission denied, please try again.
    debug3: failed to open file:C:/dev/tty error:3
    debug1: read_passphrase: can't open /dev/tty: No such file or directory

  • pavan Member

    ls -la /dev/tty
    gives me
    crw-rw-rw- 1 root tty 5, 0 Jul 27 23:02 /dev/tty

  • SeederKun Member
    edited July 2021

    There is no IP blocking

    go back to rescue and mount your root drive
    mount /dev/mdX /mnt
    cd /mnt/root ; ls -lha

    and paste the output

  • pavan Member

    this is from chroot /mnt

    total 88K
    dr-xr-x---. 6 root root 4.0K Jul 19 15:32 .
    drwxr-xr-x 20 root root 4.0K Jul 20 15:56 ..
    drwx------ 7 root root 4.0K Jul 19 14:51 .acme.sh
    -rw-r--r-- 1 root root 1.6K Jul 19 14:19 .bash_cwp
    -rw------- 1 root root 4.1K Jul 27 22:47 .bash_history
    -rw-r--r--. 1 root root 18 Dec 29 2013 .bash_logout
    -rw-r--r--. 1 root root 195 Jul 19 14:19 .bash_profile
    -rw-r--r--. 1 root root 244 Jul 19 14:51 .bashrc
    -rw-r--r--. 1 root root 136 Jul 19 14:51 .cshrc
    drw------- 2 root root 4.0K Jul 20 15:42 .cwp_sessions
    -rw------- 1 root root 41 Jul 19 14:19 .my.cnf
    drwxr----- 3 root root 4.0K Jul 19 14:18 .pki
    -rw------- 1 root root 1.0K Jul 20 14:11 .rnd
    -rw-r--r-- 1 root root 1.1K Jul 19 15:13 server.example.com.csr
    -rw-r--r-- 1 root root 1.8K Jul 19 15:13 server.tcotunirestaret.com.key.org
    drwx------. 2 root root 4.0K Apr 6 13:02 .ssh
    -rw-r--r-- 1 root root 1.1K Jul 19 15:32 static.24.5.90.157.clients.your-server.de.csr
    -rw-r--r-- 1 root root 1.8K Jul 19 15:32 static.24.5.90.157.clients.your-server.de.key.org1
    -rw-r--r-- 1 root root 1.1K Jul 19 14:19 example.com.csr
    -rw-r--r-- 1 root root 1.8K Jul 19 14:19 example.com.key.org
    -rw-r--r--. 1 root root 165 Jul 19 14:51 .tcshrc

  • .ssh folder seems intact
    cd into .ssh and check if there is an authorized_keys file there with a public key
    also check your sshd_config file for
    PasswordAuthentication
    if it's set to no change it to yes
    and reboot to disk

    Thanked by 1pavan
  • pavan Member

    The .ssh folder is empty and PasswordAuthentication was yes.
    Rebooted to disk, still no luck.

  • looks like you are using CWP
    go to the web interface and make sure that you are editing the right sshd file
    I don't know how CWP handles it but it could be using AllowGroups and/or AllowUsers check the sshd if these two options are on or not

    Thanked by 1pavan
  • @pavan said:
    debug3: send packet: type 50
    debug2: we sent a password packet, wait for reply
    debug3: receive packet: type 51
    debug1: Authentications that can continue: publickey,password
    Permission denied, please try again.
    debug3: failed to open file:C:/dev/tty error:3
    debug1: read_passphrase: can't open /dev/tty: No such file or directory

    I'm assuming it doesn't even try asking for your password since it can't open a tty

    Your terminal seems borked, what are you using to ssh? PuTTY, Command Prompt+OpenSSH?

    Thanked by 1pavan
  • SeederKun Member
    edited July 2021

    he is using Command Prompt+OpenSSH I asked him to do -vvv so he went to the Powershell to SSH
    I would assume that the path of the ssh client inside Powershell is incorrect and can't find the right PATH

    Thanked by 1pavan
  • Falzo Member

    how about checking the logfiles while in rescue mode?
    f.i. check auth.log (from mounted disk) to see if and why the connection might have been denied.

    it's either something like AllowUsers as @SeederKun pointed out or a password with special chars that won't translate well when typed in VNC/IPMI vs local ssh client.

    Thanked by 2SeederKun pavan
  • pavan Member

    I checked the log files and I got the following error:
    pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"

    So I guess you were right, it's something to do with allowusers. I was able to trace it in the PAM file /etc/pam.d/system-auth:
    requisite pam_succeed_if.so uid >= 1000 quiet_success

    I read somewhere that if I disable it, it will work for the time being until autoconfig hits again.
    How can I disable this permanently?

  • SeederKun Member
    edited July 2021

    did you check the sshd_config file for AllowUsers or AllowGroups?

    Although I think that CWP doesn't allow root SSH access, using a PAM restriction
    you can disable this behavior but I wouldn't recommend doing so

    chroot into disk and add another user for remote shell by
    adduser pavan
    put a strong password
    make sure it's been added to /etc/shadow and /etc/passwd
    reboot to disk
    use that user with PuTTY and see if it works
    doing su after that should allow you to switch to root

    Thanked by 2Falzo pavan
  • Falzo Member

    @pavan said: how can I disable this permanently ?

    don't. simply do not use root to login directly, esp. not with password auth. CWP disables this for a reason and it's bad practise anyway

    as @SeederKun recommends at least add an unprivileged user which you use just for logging in and become root from there.

    after all nothing wrong with your password and the way you changed it in rescue mode, that's some good news ;-)

    Thanked by 2SeederKun pavan
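
The checks suggested across this thread (the /etc/shadow hash, PermitRootLogin, PasswordAuthentication, AllowUsers and the pam_succeed_if uid rule) can be run in one pass against the mounted disk from the rescue system. The script below is an added example, not code from the thread, Hetzner or CWP; its function names and fixture are constructed, and it also reports whether the uid rule sits before or after a `sufficient pam_unix.so` line, because a rule placed after it is only evaluated once the password has already been rejected.

```shell
#!/bin/sh
# Added example: audit a mounted root (e.g. /mnt in rescue mode) for reasons a password
# SSH login fails. Function names are hypothetical; paths are the standard locations.

# State of USER's hash in ROOT/etc/shadow: missing | empty | locked | set
shadow_state() {
    [ -r "$1/etc/shadow" ] || { echo missing; return 0; }
    awk -F: -v u="$2" '
        $1 == u { found = 1
                  if ($2 == "") print "empty"
                  else if ($2 ~ /^[!*]/) print "locked"
                  else print "set"
                  exit }
        END { if (!found) print "missing" }' "$1/etc/shadow"
}

# First uncommented value of KEY in the global part of sshd_config (sshd keeps the
# first value it reads). Match blocks and Include files are not evaluated.
sshd_option() {
    awk -v k="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' \
        "$1/etc/ssh/sshd_config" 2>/dev/null || true
}

# Report each auth rule "pam_succeed_if.so ... uid >= N" as file:N:position, where
# position says whether it precedes or follows a "sufficient pam_unix.so" line.
pam_uid_floor() {
    for f in sshd password-auth system-auth; do
        [ -f "$1/etc/pam.d/$f" ] || continue
        awk -v f="$f" '
            $1 != "auth" { next }
            $2 == "sufficient" && $3 ~ /pam_unix\.so/ { unix_seen = 1 }
            $3 ~ /pam_succeed_if\.so/ {
                for (i = 4; i < NF - 1; i++)
                    if ($i == "uid" && $(i + 1) == ">=")
                        print f ":" $(i + 2) ":" (unix_seen ? "after" : "before") "-pam_unix"
            }' "$1/etc/pam.d/$f"
    done
}

# One line per finding that can explain a failed password login for USER.
login_blockers() {
    root=$1 user=$2
    uid=$(awk -F: -v u="$user" '$1 == u { print $3; exit }' "$root/etc/passwd") || uid=""
    st=$(shadow_state "$root" "$user")
    [ "$st" = set ] || echo "shadow:$st"
    [ "$(sshd_option "$root" PasswordAuthentication)" = no ] && echo "sshd:PasswordAuthentication=no"
    prl=$(sshd_option "$root" PermitRootLogin)   # for root, any explicit value but "yes" blocks passwords
    case "$user:$prl" in root:yes|root:) ;; root:*) echo "sshd:PermitRootLogin=$prl" ;; esac
    allow=$(sshd_option "$root" AllowUsers)      # exact names only; user@host patterns need review
    case " $allow " in "  "|*" $user "*) ;; *) echo "sshd:AllowUsers=$allow" ;; esac
    pam_uid_floor "$root" | while IFS=: read -r file floor pos; do
        [ -n "$uid" ] && [ "$uid" -lt "$floor" ] || continue
        # A rule after pam_unix is reached only when pam_unix has rejected the password.
        if [ "$pos" = before-pam_unix ]; then note="blocks uid $uid"
        else note="logged only after the password check failed"; fi
        echo "pam:$file:uid>=$floor $note"
    done
    return 0
}

# Constructed fixture: sshd settings as reported in the thread; the pam_succeed_if
# line is placed after pam_unix (assumed ordering); hashes are placeholders.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssh" "$d/etc/pam.d"
    printf '%s\n' 'root:x:0:0::/root:/bin/bash' 'alice:x:1001:1001::/home/alice:/bin/bash' > "$d/etc/passwd"
    printf '%s\n' 'root:$6$SALT$PLACEHOLDER:18800::::::' 'alice:!!:18800::::::' > "$d/etc/shadow"
    printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' 'PasswordAuthentication yes' > "$d/etc/ssh/sshd_config"
    printf '%s\n' 'auth sufficient pam_unix.so nullok try_first_pass' \
        'auth requisite pam_succeed_if.so uid >= 1000 quiet_success' \
        'auth required pam_deny.so' > "$d/etc/pam.d/system-auth"
    echo "$d"
}

# Usage: sh audit.sh /mnt root   (with no argument, runs on the constructed fixture)
if [ "$#" -ge 1 ]; then login_blockers "$1" "${2:-root}"
else r=$(make_sample_root); login_blockers "$r" root; rm -rf "$r"; fi
```

Run it from the rescue shell against the mount point rather than inside the chroot, so it reads the installed system's files and not the rescue system's.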
  • I ended up reinstalling the OS. It was getting too complicated. Thanks a lot for all your help. I really appreciate it.

  • you're welcome, however, your problem most likely will come back, if you install CWP and it sets the same security things, which will then again prevent you from logging in as root directly.

    you really should create an unprivileged user anyway to login via ssh and only become root from there afterwards.

    Thanked by 1pavan