Unable to login to VMware Identity Manager SSH sessions using root user

Article ID: 372262

Products

VMware Aria Suite

Issue/Introduction

  • Logging in directly to a VMware Identity Manager SSH session as the root user fails with 'Access Denied' even though the password is valid (active, not expired).
  • Login still fails even after resetting the root password from GRUB and clearing any potential account locks for the root user with "pam_tally2 --reset --user root".
  • Connecting to vIDM over SSH as sshuser succeeds, and switching to the root account (superuser) with "su -" and the same password also succeeds.

Environment

VMware Identity Manager 3.x

Cause

  • Login with root user credentials has been disabled in the sshd_config file.



  • This is not usually the case for a vIDM deployed using Aria Suite Lifecycle, because SSH access to the appliance for both root and sshuser is enabled during configuration so that vASL can manage the appliance and its services.
  • Note: Root access is disabled by default in a standalone vIDM setup for security reasons. Make sure to disable the account once the purpose is fulfilled, if active access is not required.

Resolution

Enable root login for SSH access in the sshd_config file as follows:

  1. Connect to the VMware Identity Manager console and log in as sshuser, the user that was created during the deployment of vIDM.
  2. Once you have logged in over the console, run the command su - and enter the same password that was used to log in as sshuser.
  3. Now run the command
    vim /etc/ssh/sshd_config
  4. Locate the parameter 'PermitRootLogin' and set it to 'yes'.
  5. Save the file and then restart the sshd service using either command:
    /etc/init.d/sshd restart
    or
    systemctl restart sshd.service
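
The edit in steps 3 and 4 can be checked with a script. The following is an added example, not VMware code: the function names are hypothetical and the sample configuration is constructed. It reports the PermitRootLogin value that sshd will apply from a file and sets it to yes or no while keeping a backup copy.

```shell
#!/bin/sh
# Added example (not VMware code). sshd applies the FIRST value it reads for a
# keyword, so only the first uncommented PermitRootLogin line before any Match
# block counts. Include files and Match blocks are not evaluated here.

# Print the global PermitRootLogin value in file $1, or "unset".
effective_permit_root_login() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line)
          split(line, f, /[ \t=]+/); key = tolower(f[1]) }
        key == "match" { exit }                 # global section ends here
        key == "permitrootlogin" { print tolower(f[2]); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Set the global value in file $1 to $2 (yes|no); keeps a copy in $1.bak.
set_permit_root_login() {
    case "$2" in yes|no) ;; *) echo "value must be yes or no" >&2; return 2 ;; esac
    cp -p "$1" "$1.bak" || return 1
    awk -v val="$2" '
        { line = $0; sub(/^[ \t]+/, "", line)
          split(line, f, /[ \t=]+/); key = tolower(f[1]) }
        !done && key == "match" { print "PermitRootLogin " val; done = 1 }
        !done && key == "permitrootlogin" { print "PermitRootLogin " val; done = 1; next }
        { print }
        END { if (!done) print "PermitRootLogin " val }
    ' "$1.bak" > "$1"
}

# Constructed sample config (not taken from an appliance).
write_sample_config() {
    cat > "$1" <<'EOF'
Port 22
#PermitRootLogin yes
PermitRootLogin no
PermitRootLogin yes
Match User sshuser
    PermitRootLogin no
EOF
}

# Demo on a temporary copy: before, after enabling, after disabling again.
demo_cfg=$(mktemp)
write_sample_config "$demo_cfg"
effective_permit_root_login "$demo_cfg"
set_permit_root_login "$demo_cfg" yes && effective_permit_root_login "$demo_cfg"
set_permit_root_login "$demo_cfg" no && effective_permit_root_login "$demo_cfg"
rm -f "$demo_cfg" "$demo_cfg.bak"
```

On the appliance, running sshd -t after the edit checks the file for syntax errors before the restart in step 5. Calling the set function with no once root access is no longer needed returns the file to the disabled state described under Cause.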

Additional Information

Other pre-checks when root access over SSH is denied:

  • Ensure SSH is enabled and sshd.service is running.
  • Ensure the password is not expired: this is visible on the vIDM health diagnostics dashboard, or log in as sshuser and run chage -l root to review the account status.
  • Ensure the account is not locked out due to a large number of incorrect log-in attempts: this can be reviewed using pam_tally2 --user root. If locks or failed log-in attempts are recorded, run pam_tally2 --reset --user root to release the locks and/or reset the incorrect log-in attempt counter.