I had a fire drill: my SSH host key certificate expired, predictably enough, and I wanted to see if
I could get in without simply answering yes at the unknown-host prompt. The answer was no, but now it’s
yes. What changed?
# systemctl enable --now getty@ttyS0.service
Weblish, and the Lish SSH gateways, use the system’s serial console to provide their service. If nothing is
‘listening’ on the console, then having access to the console is meaningless. All I had to do was actually
turn on the getty process for that serial console. Everything worked for me out of the box, without needing
me to specify baud/parity/stop bits anywhere.
The ‘problem’ with using Glish instead was that it doesn’t paste; it just prints ^[. on the console when
trying to paste. There is no way that I’m hand-copying 500 bytes of Base64 text into the system, except in a
true and dire emergency. Hence, I accepted the host key, updated the system, and deleted the host keys
later.
Reminder: test the serial console/recovery path, before it is needed.
An additional cautionary tale: our EC2 instances at work have serial consoles running, but we don’t have user passwords configured, so they still cannot be logged into. Fortunately, that problem was curable via reboot, and I didn’t have to restore an EBS backup.
No comments:
Post a Comment