| 13 Apr 2022 |
@elvishjerricco:matrix.org | Oh, it's User root not allowed because account is locked | 10:20:50 |
@janne.hess:helsinki-systems.de | oh no | 10:20:57 |
@elvishjerricco:matrix.org | Because we used SYSTEMD_SULOGIN_FORCE=1 instead | 10:20:59 |
@elvishjerricco:matrix.org | and I have emergencyAccess = true instead of a hashed password | 10:21:27 |
@elvishjerricco:matrix.org | Janne Heß: Is there a good reason for SYSTEMD_SULOGIN_FORCE=1 rather than just an empty hashed password? | 10:21:51 |
@janne.hess:helsinki-systems.de | In reply to @elvishjerricco:matrix.org ("Janne Heß: Is there a good reason for SYSTEMD_SULOGIN_FORCE=1 rather than just an empty hashed password?"): an empty password never allows logging in iirc | 10:22:07 |
@janne.hess:helsinki-systems.de | if I understood it wrong and you can log in with an empty password, then an empty password makes more sense | 10:22:24 |
@elvishjerricco:matrix.org | I know there's a way to do empty password | 10:22:36 |
@elvishjerricco:matrix.org | Oh wait, was that ! instead of any hash? | 10:22:43 |
@janne.hess:helsinki-systems.de |
If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in (but the user may log in the system by other means).
| 10:23:25 |
@lvkm:matrix.org | In reply to @janne.hess:helsinki-systems.de ("UsePAM no"): (shouldn't) doesn't work: the openssh service module sets UsePAM with mkOrder 0, and sshd uses the first found key | 10:24:00 |
@janne.hess:helsinki-systems.de | btw, the flatcar network stuff seems to be in https://github.com/flatcar-linux/init/tree/flatcar-master/systemd | 10:24:05 |
@elvishjerricco:matrix.org | In reply to @lvkm:matrix.org ("(shouldn't) doesn't work: the openssh service module sets UsePAM with mkOrder 0, and sshd uses the first found key"): Not currently using that module | 10:24:13 |
@lvkm:matrix.org | oh, i guess i skimmed too much text | 10:24:44 |
@elvishjerricco:matrix.org | In man configuration.nix, the docs for users.users.<name>.hashedPassword says "If set to an empty string (""), this user will be able to log in without being asked for a password" | 10:25:04 |
@elvishjerricco:matrix.org | how do we do that... | 10:25:08 |
@elvishjerricco:matrix.org | Ok confirmed; empty hash field in shadow allows logging in as root without a password | 10:31:43 |
@elvishjerricco:matrix.org | Yea, from man 5 shadow: "This field may be empty, in which case no passwords are required to authenticate as the specified login name." | 10:32:25 |
@elvishjerricco:matrix.org | Though sshd says Failed password for root from 10.0.2.2 port 37318 ssh2. Guess it doesn't allow empty passwords, even with PermitRootLogin yes | 10:34:17 |
@lvkm:matrix.org | there is a PermitEmptyPasswords option for sshd | 10:34:58 |
@elvishjerricco:matrix.org | Ah. Though I should really just fix the perms on my authorized_keys :P | 10:35:32 |
@elvishjerricco:matrix.org | But hey! It worked! | 10:35:42 |
@elvishjerricco:matrix.org | And I can login over SSH, unlock the disk with systemd-tty-ask-password-agent, and the boot proceeds! | 10:36:41 |
@elvishjerricco:matrix.org | Ok, but trying to get it to work with an ssh key instead of a password, I get
Apr 13 10:40:30 localhost sshd[214]: Authentication refused: bad ownership or modes for directory /
Apr 13 10:40:30 localhost sshd[214]: Failed publickey for root from 10.0.2.2 port 37366 ssh2: ED25519 SHA256:eyhn9Dbqq1y49O1r80eKdcbk+bKoO6k2PlPoLrA0OCU
| 10:41:40 |
@elvishjerricco:matrix.org | Adding a chmod 755 / in my preStart worked, but that seems like the wrong place for that :P | 10:43:31 |
@elvishjerricco:matrix.org | But hey, at only 19M, with full networking and openssh built in, that's not bad | 10:47:55 |
@janne.hess:helsinki-systems.de | bobvanderlinden: since I remember you working on the rust tool, could you also shut it up a bit? It's a lot of debug messages every time | 12:40:53 |
@elvishjerricco:matrix.org | This one is probably unnecessary: https://github.com/NixOS/nixpkgs/blob/8b1237f7909681dd7417fe7616c89904d250f124/pkgs/build-support/kernel/make-initrd-ng/src/main.rs#L63
And getting this line to stop warning that "The input file is most likely statically linked" would probably be good: https://github.com/NixOS/nixpkgs/blob/8b1237f7909681dd7417fe7616c89904d250f124/pkgs/build-support/kernel/make-initrd-ng/src/main.rs#L70 | 12:47:24 |
bobvanderlinden | In reply to @janne.hess:helsinki-systems.de ("bobvanderlinden: since I remember you working on the rust tool, could you also shut it up a bit? It's a lot of debug messages every time"): I want to look into doing the elf parsing in the tool itself, instead of calling readelf for every file. Should shut it up and speed things up a bit as well. | 13:07:17 |