Allow root ssh login #168


Closed
wants to merge 1 commit into from

Conversation

ikitayama
Collaborator

No description provided.

Collaborator

@marc-hb marc-hb left a comment

Sorry but I see 2 important issues with this:

  • I suspect this completely overwrites the existing config file. It should at least append to it
  • I just checked and port 10022 is currently NOT bound to "localhost", it's open to the entire network instead. This should be fixed anyway but combining it with this change would really bring the insecurity too far.

By default, run_qemu.sh tries hard to install all the ssh keys it can find. Can you please try to get ssh keys working instead? Once it's working it's much faster and more convenient than a password.

If your build system and QEMU host is different from your workstation, simply copy your public key from your workstation to your build system, then create an empty file on your build system with the same name as your private key. This is enough to install the public key in the QEMU guest.

ssh's ProxyJump can also be useful.
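Added example for the two review points above (the host forward for port 10022 listening on every interface, and an sshd config that gets overwritten instead of extended); this is not code from run_qemu.sh. It also mirrors the described key-install rule, as an assumption about the script's behaviour rather than its actual logic; the drop-in path is an assumed example.

```shell
#!/bin/sh
# Added example for the two review points above; it is not code from
# run_qemu.sh. It keeps the QEMU ssh forward on loopback and changes sshd
# settings through a drop-in instead of overwriting the main config file.

# QEMU user-mode syntax: hostfwd=[tcp|udp]:[hostaddr]:hostport-[guestaddr]:guestport
# An empty hostaddr (the "tcp::10022-:22" form) or 0.0.0.0 listens on every
# interface of the QEMU host, not just on localhost.
WILDCARD_FWD='hostfwd=(tcp|udp)?:(0\.0\.0\.0)?:[0-9]+-'

# Return 0 if the netdev spec exposes a guest port on all host interfaces.
has_wildcard_hostfwd() {
    printf '%s\n' "$1" | grep -Eq "$WILDCARD_FWD"
}

# Print the spec with every wildcard host address rewritten to 127.0.0.1;
# forwards that already name a host address are left untouched.
loopback_hostfwd() {
    printf '%s\n' "$1" |
        sed -E 's/hostfwd=(tcp|udp)?:(0\.0\.0\.0)?:([0-9]+)-/hostfwd=\1:127.0.0.1:\3-/g'
}

# Set one sshd directive in a drop-in (for example an assumed
# /etc/ssh/sshd_config.d/50-qemu.conf covered by an Include in sshd_config):
# an existing line for the same key is replaced, otherwise the directive is
# appended. The distribution's sshd_config is never touched. Match blocks
# and values containing "/" are not handled.
set_sshd_directive() {
    dropin=$1; key=$2; value=$3
    [ -f "$dropin" ] || : > "$dropin"
    if grep -Eq "^[[:space:]]*$key([[:space:]]|\$)" "$dropin"; then
        sed -E "s/^([[:space:]]*)$key([[:space:]].*)?\$/\\1$key $value/" "$dropin" > "$dropin.tmp" &&
            mv "$dropin.tmp" "$dropin"
    else
        printf '%s %s\n' "$key" "$value" >> "$dropin"
    fi
}

# Assumed mirror of the key-install rule described in the comment (not
# run_qemu.sh's own logic): a public key in directory $1 is a candidate for
# the guest only when a sibling private-key file, possibly empty, exists.
list_installable_pubkeys() {
    for pub in "$1"/*.pub; do
        [ -f "$pub" ] || continue
        if [ -e "${pub%.pub}" ]; then printf '%s\n' "$pub"; fi
    done
}

# Constructed sample: the forward from the review comment, bound to all interfaces.
spec='user,id=net0,hostfwd=tcp::10022-:22'
if has_wildcard_hostfwd "$spec"; then
    echo "wildcard forward; safer form: $(loopback_hostfwd "$spec")"
fi
```

After writing the drop-in, `sshd -t` validates the combined configuration before sshd is restarted.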

@ikitayama
Collaborator Author

@marc-hb I'll drop this PR.

@ikitayama ikitayama closed this Apr 16, 2025
@ikitayama ikitayama deleted the ssh-login-root branch April 16, 2025 23:40
@ikitayama
Collaborator Author

Sorry but I see 2 important issues with this:

  • I suspect this completely overwrites the existing config file. It should at least append to it
  • I just checked and port 10022 is currently NOT bound to "localhost", it's open to the entire network instead. This should be fixed anyway but combining it with this change would really bring the insecurity too far.

By default, run_qemu.sh tries hard to install all the ssh keys it can find. Can you please try to get ssh keys working instead? Once it's working it's much faster and more convenient than a password.

If your build system and QEMU host is different from your workstation, simply copy your public key from your workstation to your build system, then create an empty file on your build system with the same name as your private key. This is enough to install the public key in the QEMU guest.

@marc-hb I just confirmed that I could login as root (via ssh rq) onto the VM backed by the root.img created by run_qemu.sh.

I am wondering though, I don't see the prompt on the console

[...]
[   27.159274][  T392] systemd-journald[392]: Received client request to flush runtime journal.
[   27.936868][  T433] calling  rfkill_init+0x0/0x128 [rfkill] @ 433
[   27.938977][  T433] initcall rfkill_init+0x0/0x128 [rfkill] returned 0 after 1896 usecs
[   27.965720][  T433] calling  cfg80211_init+0x0/0xdc [cfg80211] @ 433
[   27.971571][  T433] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[   28.021656][  T433] Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[   28.024282][  T433] Loaded X.509 cert 'wens: 61c038651aabdcf94bd0ac7ff06c7248db18c600'
[   28.026636][  T319] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[   28.027107][  T319] cfg80211: failed to load regulatory.db
[   28.028504][  T433] initcall cfg80211_init+0x0/0xdc [cfg80211] returned 0 after 61939 usecs

Is this an intended behaviour by the current shell implementation of run_qemu.sh?

This is how I invoke the script:

$ distro=debian qemu=~/projects/qemu/build/qemu-system-aarch64 ../run_qemu/run_qemu.sh --no-cxl  --no-kvm --no-hmat -p 1S -r none

I'm on origin/main branch and run_qemu.sh is not modified.

ssh's ProxyJump can also be useful.

@marc-hb
Collaborator

marc-hb commented May 15, 2025

I am wondering though, I don't see the prompt on the console

In the window where you run run_qemu.sh, the prompt is frequently overwritten by kernel logs. Press "enter" multiple times and it should re-appear (unless kernel logs are verbose and overwrite it again)

I think most people use ssh rq in a separate window.

Is that what you were referring to?

@ikitayama
Collaborator Author

I am wondering though, I don't see the prompt on the console

In the window where you run run_qemu.sh, the prompt is frequently overwritten by kernel logs. Press "enter" multiple times and it should re-appear (unless kernel logs are verbose and overwrite it again)

didn't help for me.

I think most people use ssh rq in a separate window.

Is that what you were referring to?

Yes. I am fine with it.

@marc-hb
Collaborator

marc-hb commented May 15, 2025

didn't help for me.

You seem to have problems with the login package, that would explain why:

Please try this (from ssh)

tty
ps faux | grep -E -C 5 'tty|login'   # -E: without it grep treats "|" literally and only matches itself
systemctl --failed
systemctl | grep tty
systemctl status <services you found in the previous command>

@ikitayama
Collaborator Author


root@localhost:~# tty
/dev/pts/0
root@localhost:~# ps faux | grep -C 5 'tty|login'
root         482  1.9  0.3  11464  7412 ?        Ss   23:13   0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
root         487  2.5  0.5  20688 10848 ?        Ss   23:13   0:00  \_ sshd-session: root [priv]
root         499  4.1  0.3  20736  6808 ?        S    23:13   0:01      \_ sshd-session: root@pts/0
root         502  9.4  0.2   5936  5104 pts/0    Ss   23:13   0:02          \_ -bash
root         622  280  0.1   6112  3096 pts/0    R+   23:13   0:00              \_ ps faux
root         623 50.0  0.0   3240  1548 pts/0    S+   23:13   0:00              \_ grep --color=auto -C 5 tty|login
root         485  1.5  0.1   8444  2896 ?        Ss   23:13   0:00 login -- root
root         581  9.9  0.2   5912  5108 tty6     Ss+  23:13   0:02  \_ -bash
root@localhost:~# systemctl | grep tty
● dev-ttyAMA0.device  loaded activating tentative start  /dev/ttyAMA0
● dev-ttyp0.device  loaded activating tentative  /dev/ttyp0
● dev-ttyp1.device  loaded activating tentative  /dev/ttyp1
● dev-ttyp2.device  loaded activating tentative  /dev/ttyp2
● dev-ttyp3.device  loaded activating tentative  /dev/ttyp3
● dev-ttyp4.device  loaded activating tentative  /dev/ttyp4
● dev-ttyp5.device  loaded activating tentative  /dev/ttyp5
● dev-ttyp6.device  loaded activating tentative  /dev/ttyp6
● dev-ttyp7.device  loaded activating tentative  /dev/ttyp7
● dev-ttyp8.device  loaded activating tentative  /dev/ttyp8
● dev-ttyp9.device  loaded activating tentative  /dev/ttyp9
● dev-ttypa.device  loaded activating tentative  /dev/ttypa
● dev-ttypb.device  loaded activating tentative  /dev/ttypb
● dev-ttypc.device  loaded activating tentative  /dev/ttypc
● dev-ttypd.device  loaded activating tentative  /dev/ttypd
● dev-ttype.device  loaded activating tentative  /dev/ttype
● dev-ttypf.device  loaded activating tentative  /dev/ttypf
● sys-devices-platform-ARMH0011:00-ARMH0011:00:0-ARMH0011:00:0.0-tty-ttyAMA0.device  loaded activating tentative  /sys/devices/platform/ARMH0011:00/ARMH0011:00:0/ARMH0011:00:0.0/tty/ttyAMA0
● sys-devices-virtual-tty-ttyp0.device  loaded activating tentative  /sys/devices/virtual/tty/ttyp0
● sys-devices-virtual-tty-ttyp1.device  loaded activating tentative  /sys/devices/virtual/tty/ttyp1
● sys-devices-virtual-tty-ttyp2.device  loaded activating tentative  /sys/devices/virtual/tty/ttyp2
● sys-devices-virtual-tty-ttyp3.device  loaded activating tentative  /sys/devices/virtual/tty/ttyp3
● sys-devices-virtual-tty-ttyp4.device  loaded activating tentative  /sys/devices/virtual/tty/ttyp4
● sys-devices-virtual-tty-ttyp5.device  loaded activating tentative  /sys/devices/virtual/tty/ttyp5
● sys-devices-virtual-tty-ttyp6.device  loaded activating tentative  /sys/devices/virtual/tty/ttyp6
● sys-devices-virtual-tty-ttyp7.device  loaded activating tentative  /sys/devices/virtual/tty/ttyp7
● sys-devices-virtual-tty-ttyp8.device  loaded activating tentative  /sys/devices/virtual/tty/ttyp8
● sys-devices-virtual-tty-ttyp9.device  loaded activating tentative  /sys/devices/virtual/tty/ttyp9
● sys-devices-virtual-tty-ttypa.device  loaded activating tentative  /sys/devices/virtual/tty/ttypa
● sys-devices-virtual-tty-ttypb.device  loaded activating tentative  /sys/devices/virtual/tty/ttypb
● sys-devices-virtual-tty-ttypc.device  loaded activating tentative  /sys/devices/virtual/tty/ttypc
● sys-devices-virtual-tty-ttypd.device  loaded activating tentative  /sys/devices/virtual/tty/ttypd
● sys-devices-virtual-tty-ttype.device  loaded activating tentative  /sys/devices/virtual/tty/ttype
● sys-devices-virtual-tty-ttypf.device  loaded activating tentative  /sys/devices/virtual/tty/ttypf
  getty-static.service  loaded active exited  getty on tty2-tty6 if dbus and logind are not available
  getty@tty1.service  loaded active running  Getty on tty1
  getty@tty2.service  loaded active running  Getty on tty2
  getty@tty3.service  loaded active running  Getty on tty3
  getty@tty4.service  loaded active running  Getty on tty4
  getty@tty5.service  loaded active running  Getty on tty5
  getty@tty6.service  loaded active running  Getty on tty6
  serial-getty@ttyAMA0.service  loaded inactive dead start  Serial Getty on ttyAMA0
  system-getty.slice  loaded active active  Slice /system/getty
  system-serial\x2dgetty.slice  loaded active active  Slice /system/serial-getty
  getty.target  loaded inactive dead start  Login Prompts

@ikitayama
Collaborator Author

root@localhost:~# systemctl status serial-getty@ttyAMA0.service
○ serial-getty@ttyAMA0.service - Serial Getty on ttyAMA0
     Loaded: loaded (/usr/lib/systemd/system/serial-getty@.service; enabled-runtime; preset: enabled)
     Active: inactive (dead)
       Docs: man:agetty(8)
             man:systemd-getty-generator(8)
             https://0pointer.de/blog/projects/serial-console.html

May 15 23:14:23 localhost systemd[1]: Dependency failed for serial-getty@ttyAMA0.service - Serial Getty on ttyAMA0.
May 15 23:14:23 localhost systemd[1]: serial-getty@ttyAMA0.service: Job serial-getty@ttyAMA0.service/start failed with result 'dependency'.

@marc-hb
Collaborator

marc-hb commented May 15, 2025

Thanks! and now these:

dpkg -s login

systemctl list-dependencies serial-getty@ttyAMA0.service

systemctl status sys-devices-platform-ARMH0011:00-ARMH0011:00:0-ARMH0011:00:0.0-tty-ttyAMA0.device 

@ikitayama
Collaborator Author

root@localhost:~# dpkg -s login
Package: login
Protected: yes
Status: install ok installed
Priority: required
Section: admin
Installed-Size: 416
Maintainer: Chris Hofstaedtler <[email protected]>
Architecture: arm64
Multi-Arch: foreign
Source: util-linux (2.41-4)
Version: 1:4.16.0-2+really2.41-4
Depends: libpam-modules, libpam-runtime, libaudit1 (>= 1:2.2.1), libc6 (>= 2.38), libcrypt1 (>= 1:4.1.0), libpam0g (>= 0.99.7.1)
Pre-Depends: login.defs (>= 1:4.16.0-1~)
Conffiles:
 /etc/pam.d/login b6129a3c1af42a9977b29f490ecd057e
Description: system login tools
 This package provides support for console-based logins and for
 changing effective user or group IDs, including:
  * login, the program that invokes a user shell on a virtual terminal,
  * nologin, a dummy shell for disabled user accounts,
  * newgrp, a program to change the effective group IDs.
Homepage: https://github.com/util-linux/util-linux

@ikitayama
Collaborator Author

root@localhost:~# systemctl list-dependencies serial-getty@ttyAMA0.service
serial-getty@ttyAMA0.service
● ├─dev-ttyAMA0.device
● ├─system-serial\x2dgetty.slice
● └─sysinit.target
●   ├─dev-hugepages.mount
●   ├─dev-mqueue.mount
●   ├─kmod-static-nodes.service
●   ├─ldconfig.service
○   ├─proc-sys-fs-binfmt_misc.automount
●   ├─sys-fs-fuse-connections.mount
●   ├─sys-kernel-config.mount
●   ├─sys-kernel-debug.mount
○   ├─sys-kernel-tracing.mount
●   ├─systemd-ask-password-console.path
○   ├─systemd-binfmt.service
○   ├─systemd-boot-random-seed.service
●   ├─systemd-boot-update.service
○   ├─systemd-confext.service
●   ├─systemd-firstboot.service
○   ├─systemd-hibernate-clear.service
●   ├─systemd-journal-catalog-update.service
●   ├─systemd-journal-flush.service
●   ├─systemd-journald.service
●   ├─systemd-machine-id-commit.service
●   ├─systemd-modules-load.service
●   ├─systemd-network-generator.service
○   ├─systemd-pcrlock-file-system.service
○   ├─systemd-pcrlock-firmware-code.service
○   ├─systemd-pcrlock-firmware-config.service
○   ├─systemd-pcrlock-machine-id.service
○   ├─systemd-pcrlock-make-policy.service
○   ├─systemd-pcrlock-secureboot-authority.service
○   ├─systemd-pcrlock-secureboot-policy.service
○   ├─systemd-pcrmachine.service
○   ├─systemd-pcrphase-sysinit.service
○   ├─systemd-pcrphase.service
○   ├─systemd-pstore.service
●   ├─systemd-random-seed.service
●   ├─systemd-sysctl.service
○   ├─systemd-sysext.service
●   ├─systemd-sysusers.service
●   ├─systemd-tmpfiles-setup-dev-early.service
●   ├─systemd-tmpfiles-setup-dev.service
●   ├─systemd-tmpfiles-setup.service
○   ├─systemd-tpm2-setup-early.service
○   ├─systemd-tpm2-setup.service
●   ├─systemd-update-done.service
●   ├─local-fs.target
●   │ ├─run-lock.mount
●   │ ├─systemd-remount-fs.service
●   │ └─tmp.mount
●   └─swap.target

@ikitayama
Collaborator Author

root@localhost:~# systemctl status sys-devices-platform-ARMH0011:00-ARMH0011:00:0-ARMH0011:00:0.0-tty-ttyAMA0.device
● sys-devices-platform-ARMH0011:00-ARMH0011:00:0-ARMH0011:00:0.0-tty-ttyAMA0.device - /sys/devices/platform/ARMH0011:00/ARMH0011:00:0/ARMH0011:00:0.0/tty/ttyAMA0
     Loaded: loaded
     Active: activating (tentative) since Fri 2025-05-16 07:42:01 JST; 1min 59s ago
 Invocation: dae6542371184ed3bd1e60937b646e7e

@marc-hb
Collaborator

marc-hb commented May 15, 2025

I think you have a "hardware" problem with /dev/ttyAMA0; simple as that.

Maybe journalctl | grep -C 3 tty has useful information.

Maybe @jic23 can help?

EDIT: great context https://0pointer.de/blog/projects/serial-console.html

@ikitayama
Collaborator Author

ikitayama commented May 19, 2025

@marc-hb I wasn't setting correctly console=ttyAMA0 (via the run_qemu.sh's console shell variable) and not including the udev package when building a Debian image. Now I see the prompt on the console as well.

marc-hb added a commit to marc-hb/run_qemu that referenced this pull request May 19, 2025
mkosi versions v15 and above need a lot more explicit Packages= like
"?priority(important)" and "task ssh-server".  mkosi v15 changed
everything, see systemd/mkosi#1971

Missing packages caused a lot of issues like pmem#168, pmem#171, pmem#199 and maybe
others.

Signed-off-by: Marc Herbert <[email protected]>
marc-hb added a commit that referenced this pull request May 19, 2025
mkosi versions v15 and above need a lot more explicit Packages= like
"?priority(important)" and "task ssh-server".  mkosi v15 changed
everything, see systemd/mkosi#1971

Missing packages caused a lot of issues like #168, #171, #199 and maybe
others.

Signed-off-by: Marc Herbert <[email protected]>
@marc-hb
Collaborator

marc-hb commented May 19, 2025

Now I see the prompt on the console as well.

Awesome!

and not including the udev package when building a Debian image.

The file mkosi.debian.default.tmpl was utterly out of date, I honestly don't know how you got anything to work! It was not just udev missing. I just pushed a major fix in commit 2aabce9, please update and try again. This includes udev and a lot more.

Did you have local changes to mkosi.debian.default.tmpl that you did not share yet?

I wasn't setting correctly console=ttyAMA0 (via the run_qemu.sh's console shell variable)

Do you mean changing the run_qemu.sh script itself? This does not look configurable yet.

The main purpose of console is to direct kernel logs. Even if you leave it to console=ttyS0, you should still get a login prompt, could you please test that?

@ikitayama
Collaborator Author

and not including the udev package when building a Debian image.

The file mkosi.debian.default.tmpl was utterly out of date, I honestly don't know how you got anything to work! It was not just udev missing. I just pushed a major fix in commit 2aabce9, please update and try again. This includes udev and a lot more.

Did you have local changes to mkosi.debian.default.tmpl that you did not share yet?

Possible, I will check after pulling origin/master.

I wasn't setting correctly console=ttyAMA0 (via the run_qemu.sh's console shell variable)

Do you mean changing the run_qemu.sh script itself? This does not look configurable yet.

At the start of the run_qemu.sh script, I did:

mkosi_opts=("-i" "-f")
#console="ttyS0"
console="ttyAMA0"
accel="kvm"

but ...

The main purpose of console is to direct kernel logs. Even if you leave it to console=ttyS0, you should still get a login prompt, could you please test that?

You were correct.

root@localhost:~# dmesg|grep ttyS
[    0.000000] [      T0] Kernel command line: selinux=0 audit=0 console=tty0 console=ttyS0 root=PARTUUID=b0cd6dba-2917-4338-a354-8052b5072c76 ignore_loglevel rw initcall_debug log_buf_len=20M memory_hotplug.memmap_on_memory=force cxl_acpi.dyndbg=+fplm cxl_pci.dyndbg=+fplm cxl_core.dyndbg=+fplm cxl_mem.dyndbg=+fplm cxl_pmem.dyndbg=+fplm cxl_port.dyndbg=+fplm cxl_region.dyndbg=+fplm cxl_test.dyndbg=+fplm cxl_mock.dyndbg=+fplm cxl_mock_mem.dyndbg=+fplm systemd.set_credential=agetty.autologin:root systemd.set_credential=login.noauth:yes initrd=initrd

I will compare my local mkosi.debian file against origin/main. I think at least jq was missing, which was critical in ndctl commands to work.

@marc-hb
Collaborator

marc-hb commented May 20, 2025

I will compare my local mkosi.debian file against origin/main.

Thank you!

I think at least jq was missing, which was critical in ndctl commands to work.

Please submit changes to the debian config files; these are very quick to review and merge.
