enable core password for direct terminal access and block ssh password access


Ram Janovski

Apr 24, 2014, 4:50:45 AM
to coreo...@googlegroups.com
I'm having some difficulty with the passwordless core user on CoreOS on VMware, since the VMware console (KVM-like terminal) is rendered useless with no password account.

What do you guys think about the following:
- set some strong password for core
- disable passwordless ssh by adding "PasswordAuthentication no" in sshd_config

This way I have a terminal password for direct connection via the VMware console but am not compromising remote ssh security.

Any thoughts? Are there any security pitfalls that I'm missing?

Alex Polvi

Apr 24, 2014, 4:17:19 PM
to coreos-dev
Ram, we added a kernel command line arg "coreos.autologin". This will drop you on to the console automatically. 

You need to crack open the vmware image and edit the bootloader params... OR... try out our experimental new ISO, which does this for you: 


You can use the iso to run coreos-install to install to disk.

-Alex

Michael Marineau

Apr 24, 2014, 4:20:38 PM
to coreos-dev
It is also possible to use config drive with vmware to set a password:

https://github.com/coreos/coreos-cloudinit/blob/master/Documentation/config-drive.md

Ram Janovski

Apr 29, 2014, 5:41:39 AM
to coreo...@googlegroups.com
Thanks Alex,

Alex Polvi

Apr 29, 2014, 5:15:20 PM
to coreos-dev
Ram, yes, that will contain the vmdk, which you will have to mount and edit the kernel params. Using the ISO or the config-drive support that Mike mentioned would be easier and recommended.

-Alex

Ram Janovski

May 1, 2014, 4:01:48 AM
to coreo...@googlegroups.com
Thanks Alex,

Is there a reason you're not adding it by default in the vmware images?

Michael Marineau

May 1, 2014, 10:45:02 AM
to coreos-dev

We don't add the autologin flag by default in images other than the ISO because we don't know enough about the final deployment to know if it is safe to do so. Similarly, shipping an insecure ssh key in the current vmware image is just a temporary hack until we have config drive or some other configuration scheme working reliably on vmware since that is pretty clearly not safe. :)

I don't know if it is in the current release or will be in the next, but I've nudged up the bootloader timeout to make it easier to catch and add that or other kernel options yourself. If not, just hold down a key like space in the vga or serial console as the machine starts to catch the bootloader before it loads the kernel. Then at the prompt do something like:

    boot: boot_kernel coreos.autologin

lypanov

May 8, 2014, 8:21:56 AM
to coreo...@googlegroups.com
Is there a non alpha version of this ISO around? I'm using it to get everything working in Hyper-V but only ever getting errors (waited a few weeks hoping things would clear up).

Currently after running core-install from the ISO into a new machine I'm running into a blocking issue with docker not starting due to "not a btrfs FS" errors. lsb-release says 310.1.0.

Did I just get exceptionally unlucky with the alphas or should I be running another image?

Thank you!
Alex

Michael Marineau

May 8, 2014, 1:22:48 PM
to coreos-dev

Are you getting the docker error while using the ISO or after booting the image installed to disk? Docker isn't going to work while running from the ISO unless you enable the experimental feature of using btrfs in ram instead of tmpfs by passing rootfstype=btrfs on the kernel command line. If you are getting that error after booting the installed system that's a problem, in which case please post the log from journalctl.

Alexander Kellett

May 8, 2014, 2:03:03 PM
to coreo...@googlegroups.com
PEBCAVK (problem exists between computer and (virtual) keyboard) problem alas. My Hyper-V automation script wasn’t ejecting the CoreOS install disk. Thank you for the detailed response, it led me to the realization that my root was in tmpfs.

Sent from Windows Mail

From: Michael Marineau
Sent: Thursday, May 8, 2014 19:22
To: coreos-dev

Tom Deckers

Aug 5, 2014, 9:46:12 AM
to coreo...@googlegroups.com
Thanks for this tip. I've created a quick demo of the approach: https://www.youtube.com/watch?v=FoLhUi2B93U

Grant Ellis

Dec 28, 2016, 11:48:57 AM
to CoreOS Dev
My apologies for dredging up this old thread! I have a related requirement (v1185.5.0): I need to enable password login directly from the console, but only key login via SSH. Unfortunately, for my purposes, the autologin feature will not work because a password is required. That is, I need to provision CoreOS so that users can log in via SSH using a keypair (but not a password), and can also login from the physical console using a password.

I have already created a user "admin" with a known password, but it still will not let me log into the console with this user. SSH login works just fine with this user.

Thanks for your help!
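
An added example, not part of the original thread or of CoreOS itself: a small audit of sshd_config text for the setup discussed above (a console password plus key-only SSH). It relies on sshd keeping the first value it reads for each keyword; the default values, function names and sample configs are assumptions constructed for illustration.

```python
# Added example: audit sshd_config text for paths that still accept a password over SSH.
# DEFAULTS are assumed stock OpenSSH defaults; confirm with `sshd -T` on the real host.
DEFAULTS = {"passwordauthentication": "yes",
            "challengeresponseauthentication": "yes",
            "usepam": "no"}
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}

def parse(config_text):
    """Return (global_settings, match_overrides); sshd keeps the FIRST value per keyword."""
    settings, overrides, match = {}, [], None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            match = value                        # following lines apply only to this Match
        elif match is None:
            settings.setdefault(key, value)      # later duplicates are ignored
        else:
            overrides.append((match, key, value))
    return settings, overrides

def password_login_findings(config_text):
    """List the reasons a password could still be accepted over SSH."""
    settings, overrides = parse(config_text)
    eff = {k: settings.get(k, d) for k, d in DEFAULTS.items()}
    findings = []
    if eff["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication is effectively yes")
    if eff["challengeresponseauthentication"] == "yes" and eff["usepam"] == "yes":
        findings.append("keyboard-interactive via PAM can still prompt for a password")
    for cond, key, value in overrides:
        if key == "passwordauthentication" and value == "yes":
            findings.append(f"Match {cond} re-enables PasswordAuthentication")
    return findings

# Constructed sample: "no" appended after an earlier "yes" has no effect.
APPENDED = "UsePAM yes\nPasswordAuthentication yes\nPasswordAuthentication no\n"
# Constructed sample: key-only SSH; console password login is not governed by sshd.
HARDENED = ("PasswordAuthentication no\nChallengeResponseAuthentication no\n"
            "UsePAM yes\nPubkeyAuthentication yes\n")

if __name__ == "__main__":
    for name, text in (("appended", APPENDED), ("hardened", HARDENED)):
        print(name, password_login_findings(text) or "no password path over SSH")
```
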