Locked out of VM, how to copy paste password in Java VNC console?

[lpallard]

Hello,

I started hardening my centos servers (running as KVM, not containers) by disabling SSH access for root, and creating a dummy user for SSH only which will be the only user that will be able to SSH. I did not create a home folder for this user thinking it would be more "secure". That was a mistake.

Now I cannot login through SSH with this user because SSH is issuing an error like

Could not chdir to home directory /home/sshuser: No such file or directory

Of course I cannot SSH as root since it is deactivated. The only way to login to the VM is from the Proxmox Java VNC console, but the problem is that my passwords are 64 characters long, alphanumeric with special characters. I tried entering the password manually (good luck) but I failed at each attempts, either making a mistake, or the password prompt timing out and returning to the "login:" prompt before I was done entering the password...

Basically, having a copy paste function in the Java VNC console would save me... What does Proxmox offers to mitigate this disaster?

 

[LnxBil]

Booting via kernel commandline init=/bin/bash works? Then you can fix your problem.

Otherwise, you can use the qemu monitor to send commands to the vm. You have to create a script to convert each key stroke in the correct command, but it should work flawlessly.

 

[LnxBil]

a few side notes:

• Why do you have a root-password at all? Disable it and only allow key-based login
• If you do not want to disable the password, you can create a serial console for the VM. You can login via socket over a normal terminal and then copy&paste is working as expected.
• Did you "harden" your grub too? If not, you can always login with the init=/bin/bash trick to override your init system.

 

[lpallard]

Hello LnxBil,

sorry for the late reply, I got busy and couldnt try to troubleshoot this tiny VM not being used too often (its a PXE boot server so...)

I followed the instructions on RedHat's website to reset root's password with the "init=/bin/bash" trick as you suggested, it worked flawlessly and within minutes I was back to normal!!

Huge thanks for the pointer!

To answer your question, I have never setup key based login before, or to be honest, I tried but since I rebuild by desktop rather often with different OS'es, the keys got misplaced. Right now I am using password (lots of chars, all characters randomly mixed) stored in an encrypted vault.

Would key based login be really more secure than disallowing root SSH, and forcing SSH login via a dedicated user and then SU'ing to gain root's perms?

And also, I did not harden grub.. Should I? Nobody has access physically to the VM, and even if someone could, I would have exponentially worst problems to think about...

 

[LnxBil]

Hi,

Would key based login be really more secure than disallowing root SSH, and forcing SSH login via a dedicated user and then SU'ing to gain root's perms?

These are two different things. You can do the same but use a key. Every password-typing attack (yes, those exist) is useless if you use a key. Depending on you local system, you need encryption there as well to secure your key. A key is also very very good if you have automation. You will not type your password every time.

And also, I did not harden grub.. Should I? Nobody has access physically to the VM, and even if someone could, I would have exponentially worst problems to think about...

You, do not need to in a VM environment, but good you learned how easy it is to reset your password if you have access to the server.