Wednesday, May 30, 2018

Passwordless Debian Login

I run Debian inside a VirtualBox VM and share my home folder on the host OS, and now I've decided that it's silly to have to enter my password inside the VM all the time. Mainly, I want to auto-login to the console tty, and also convince sudo to let me run commands without entering a password.

I thought this should be as straightforward as googling for a recipe. It turns out the instructions I found on the internet are just wrong and truly awful.

First, to configure auto-login on Debian running systemd the correct way, run systemctl edit getty@tty1 and enter the following:
[Service]
ExecStart=
ExecStart=-/sbin/agetty --autologin USERNAME %I $TERM
Replace USERNAME with your actual username. Here are the ways that this page got it wrong: on Debian, there is no /usr/bin/agetty; it is found under /sbin/agetty. Also, the dangling I in the ExecStart line should have been %I which is the systemd expansion for the instance name. Baud rate should be omitted.

If something goes wrong, just switch to tty2 with Alt-F2 (or Fn-Optoin-F2 on a Mac) and fix the problem. If you have a touch bar, configure it to always show function keys. Otherwise, rebooting with the Debian installer CD into rescue mode always works.

Now, to convince sudo to let me run commands without a password, run visudo and make sure we swap the user and group specifications with an end result like this:
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

# User privilege specification
root ALL=(ALL:ALL) ALL
myuser ALL=(ALL:ALL) NOPASSWD: ALL
The space between NOPASSWD: and ALL is optional, and it works either way. What is tricky is that the statements below overrides the ones above. This is counter-intuitive as an access control list, which typically matches top-down. By default, the group specification appears below the user specification, so the group overrides the user, but that makes no sense. It makes more sense for the individual user setting to override the group one.

I don't have a lot of high hopes for a man page that begins with a quick guide to EBNF.

New (2020/03/19): tell systemd to use sulogin --force when root account is locked. If a service fails to start during init, systemd would fallback into rescue mode by running sulogin, but sulogin would print this message, and systemd would enter an infinite loop.
Cannot open access to console, the root account is locked.
See sulogin(8) man page for more details.

Press Enter to continue.
Unfortunately this is very common. Either a new kernel does not have the vboxsf module compiled for it (since the VirtualBox guest additions modules are not manage by DKMS), or a new VirtualBox version changed the protocol so the existing vboxsf module couldn't talk to the host.

The solution is to convince systemd to use sulogin --force. Run systemctl edit rescue.service and enter the following:
[Service]
Environment=SYSTEMD_SULOGIN_FORCE=1
This should automatically drop down to root if something goes wrong.