please start ssh for single user mode

Bug #68274 reported by Andreas Jellinghaus
Affects | Status | Importance | Assigned to | Milestone
openssh (Ubuntu) | Confirmed | Wishlist | Unassigned |

Bug Description

of course with a nologin file, so only root can login.
this would be _VERY_ helpful for so called root server installations,
where ssh is your only option to reach the server. often you also have
a way to reset the server, but no way to see what happens on the console.

if grub for some reason boots the second entry with "single" parameter,
then you have a ping'able machine, but no way to access it. a running
ssh, limited to root only, would be a huge advantage in these situations.

Colin Watson (cjwatson) wrote :

I think we may get this with the initscript reorganisations in feisty.

Changed in openssh:
importance: Undecided → Wishlist
status: Unconfirmed → Confirmed
Loye Young (loyeyoung) wrote :

This one should be closed as invalid.

The idea behind the single parameter is to prevent just the sort of thing requested here by requiring the machine to run in single-user mode.

Better practice in the situation described would be to set a sufficiently complex root password for the server as part of setup. The use of sudo and nologin is to prevent the casual user from logging in as root inadvertently and improvidently. In the situation described, that's not an issue.

Andreas Jellinghaus (tolonuga) wrote :

I don't see how your reply has anything to do with the bug report.

Servers reachable via network only have a huge problem, if they are booted into "single" user mode.
Without any console or no one near a console such a server is dead and the only way to "fix" the problem
would be a hard power cycle. but there is an easy fix: start ssh daemon.

strength of root passwords, sudo and all that are not part of the problem. my personal preference is using ssh
rsa keys with smart cards only, yours might be different. the "with nologin file" is a suggestion from my side,
so that the result is a "single user" mode - only root can login. if you want a different security policy, that is
possible, but outside the scope of this bug report.

the runlevel assignment seems to be hard coded (postinst always runs update-rc.d with fixed parameters), so
this is not configurable and the default bites a number of users with a valid use case. thus I suggest a change.

Regards, Andreas

Dustin Kirkland (kirkland) wrote :

Hmm, I'd be very surprised to boot a machine into "single" user mode and find that I've opened myself up to remote ssh logins, giving potentially other people (not me in front of the console) remote access to the system. Single user mode is generally intended for infrequent maintenance, and traditionally by the administrator in front of the console.

I have two suggestions...

1) Look into some of the remote console hardware solutions or hypervisors for virtual machines.

2) If remote ssh access is truly required in single user mode, I'd say at the very least you'd want to specify that with an *additional* kernel parameter -> "single ssh". I really don't think you'd want to open up every user who thinks he's in single-user mode to ssh access from outside.
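
The opt-in gate from suggestion 2, sketched as an added example (not part of the thread and not code from the openssh package). The `ssh` boot token, the function names and the `--apply` switch are assumptions; `/etc/init.d/ssh` and the nologin file are the ones named in this report.

```shell
#!/bin/sh
# Added illustration: start sshd in single-user mode only on explicit opt-in.
# "ssh" as a boot token is the hypothetical parameter proposed in the thread;
# no Ubuntu init script implements it.

# has_token CMDLINE WORD
# Succeeds only if WORD is a whole space-separated token of CMDLINE,
# so "root=/dev/single" or "sshd_debug=1" never count as a match.
has_token() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# rescue_ssh_wanted CMDLINE
# True only when the admin passed BOTH "single" and "ssh" at boot.
# A plain "single" boot keeps the traditional console-only behaviour.
rescue_ssh_wanted() {
    has_token "$1" single && has_token "$1" ssh
}

# Real use (assumed hook): run as "<script> --apply" from the
# single-user runlevel. Without --apply only the functions are defined.
if [ "${1:-}" = "--apply" ]; then
    if rescue_ssh_wanted "$(cat /proc/cmdline)"; then
        # /etc/nologin makes login refuse every account except root,
        # which is the "only root can login" policy from the report.
        echo "Maintenance boot: root logins only." > /etc/nologin
        /etc/init.d/ssh start
    fi
fi
```

Because the gate defaults to off, a boot with only `single` leaves no listening daemon, which addresses the surprise described in the comment above.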

Loye Young (loyeyoung) wrote :

@Andreas,

As I said above, the single user mode is expressly designed to prohibit ssh access, and for good reason. Dustin's intuitive answer is right on target.

However, if you want to have ssh access in single user mode for your own installation, simply execute this command and reboot:

$ echo '/etc/init.d/ssh start' | sudo tee -a /etc/rc.local

This is not a bug, and it should be closed.

Happy Trails,

Loye Young
Isaac & Young Computer Company
Laredo, Texas
http://www.iycc.biz

Loye Young (loyeyoung) wrote :

Requested is against security best practices. A local sys admin who WANTS this change has a simple workaround available.

Changed in openssh:
status: Confirmed → Invalid
Colin Watson (cjwatson) wrote :

Please do not reject bugs unless you are a developer.

Changed in openssh:
status: Invalid → Confirmed