locked out by faulty sshd config -- an idea

[ruelfra]

As a fresh new member, I first would like to present my best regards to all.

Second: here is my problem and one idea to solve it that I kindly submit to bubba-linux-experts.

- My first (inferred) mistake was to put a comma in the "allowed users" list in /etc/ssh/sshd_config.
- My second mistake was that, although I have automatic backup on a nice "bubba-storage" unit, I forgot to save system files(!)
- Consequence: no user is allowed anymore to open a session on bubba2 via sshd. The situation is the same as closing one's home door leaving the keys inside! To make it worse, I am really afraid of loose my unsaved (heavy) system configurations!

After reading old posts on this forum and inspecting the contents of the "bubba.img" on the bubba2 stick installer, I wonder whether the following has a chance to work without destroying my system:

1) loop-mount on /mnt the "bubba.img" read from the usb-stick
2) replace /mnt/bin/bubbainstall.sh with the following:

#!/bin/sh
mount -t ext3 /dev/hda1 /mnt
cd /mnt/etc/ssh
mv sshd_config faulted-sshd_config
sed /^AllowUsers/d faulted-sshd_config > sshd_config
reboot

3) stop bubba2 and restart it with the install-usb-key in.

I am aware of the possibility to alter DO_INSTALL=0 in the installer file bubba.cfg in order to be left with a simple "rescue system". However, I cannot figure out what it means practically since interactivity is not existent as far as I can understand.
I am also aware of the possibility to use a serial connection (I have in hand a linux-recognised usb-serial adapter) but I wonder how the link can be established without any possibility to ad hoc configure the server itself.
So, this was just to explain why I am trying to divert the installer from its intended use!

Many thanks in advance for any advice regarding my proposal, and any other proposal if mine results to be over-simplistic.

[mcg]

My understanding is that the rescue system will allow you to SSH in, because it uses the default sshd_config on the stick. From there you can go over to your disk install and make the corrections you need.

[ruelfra]

Thanks for the advice. I actually checked my first idea going through the modification of bubba.img (and its md5 sum) at least to be convinced that I would not be pushed into a reinstall! It did not work because of a confusion in the partition name (/dev/sda1 instead of /dev/hda1 as referred in the bubbainstall.sh routine on the usb-stick). So I retried after canceling the "reboot" instruction and found with great pleasure that I had indeed access to my server's "wan interface" through ssh under root with "excito" password as found in the documentation. This rescue mechanism is really essential for "inattentive users" as my self. Thanks to the developpers.

[psykopatpastorn]

I have my doubts whether the rescue stick uses its own sshd_config. Can someone from Excito comment on this?

I bought an installation usb stick from Excito to use for rescue. I edited bubba.cfg to not install, partition nor format anything. I then followed the instructions for rescue (attach wan to dhcp-served lan, stick in USB, then boot). Once bubba was on the lan, and I tried to ssh (to user root), but it was still using the sshd_config on the harddrive (where password login is disabled). So I cannot login using root/excito.

Perhaps bubba is not booting properly from the USB based disk, and instead using the system on the harddisk. This would explain why sshd_config won't allow password logins. But if this is so, why on earth is the usb stick not booting? After all, it's the official one from Excito.

If I had torqs screwdrivers I'd just get the harddisk out and mount on another machine to do the necessary changes (the problem is that I mistakenly removed my ~/.ssh/authorized_keys, which is a bad thing when you're not allowing password based logins). I just need to fix either that file or sshd_config to get back in.

[johannes]

Yes, the USB rescue stick does have interactivity, it runs it's own Linux system (without touching the disk) and has an ssh server running. The unit takes DHCP IP and you can ssh to it, and then mount the disk and perform the changes you need.

Just don't forget to change the isntaller settings (config file on the USB stick) so it doesn't re-format your disk.

Furthermore, if you feel that the USB stick doesn't boot properly, we have had reports of such behaviour. Just try again, worst case a few times, it will work eventually. Just don't forget to keep the button pressed while booting.