To cut to the chase: the initial root password was something other than "vagrant". I never found out what that initial password actually was, nor what caused it to differ. Nobody else seems to have written about the same thing, so the problem may lie in the environment I built. It is not a big deal, since sudo su gets me root, but I am leaving this here as a quick note.

Environment

  • vagrant : 1.8.6
  • os : centos7
  • kernel : 3.10.0-327.36.3

Setup

Installed CentOS 7 minimal and left it at the defaults; nothing has been changed.

> vagrant init --minimal centos/7
> vagrant up

Problem

su fails

The initial root password should be "vagrant", but authentication fails.

$ su -
Password:
su: Authentication failure
$

Workaround

sudo is configured by default to allow running su [1], so I used that route instead.

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

Investigation

Checking the configuration under /etc/sudoers

Users in the vagrant group may run any command, as any user, on any host, without a password.

$ sudo cat /etc/sudoers.d/vagrant
%vagrant ALL=(ALL) NOPASSWD: ALL

So sudo su - works without any problem.

$ sudo su -
Last login: Thu Dec  1 22:36:21 EST 2016 on pts/0
#

Next, check whether any other setting is interfering.

Checking /etc/pam.d

No problem here.

# cat /etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so
#

Checking /etc/login.defs

No problem here either.

# cat  /etc/login.defs | grep -v "^#\|^$"
MAIL_DIR        /var/spool/mail
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UID_MIN                  1000
UID_MAX                 60000
SYS_UID_MIN               201
SYS_UID_MAX               999
GID_MIN                  1000
GID_MAX                 60000
SYS_GID_MIN               201
SYS_GID_MAX               999
CREATE_HOME     yes
UMASK           077
USERGROUPS_ENAB yes
ENCRYPT_METHOD MD5
MD5_CRYPT_ENAB yes
#

Checking /etc/group

No problem.

# cat /etc/group | grep wheel
wheel:x:10:
#

Checking /bin/su

No problem.

# ls -l /bin/su
-rwsr-xr-x. 1 root root 32072 Mar 31  2016 /bin/su
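The checks above are done by eye. The following is an added example (not code from the original post) that performs the same inspection of the su authentication chain programmatically: whether pam_wheel in /etc/pam.d/su restricts or trusts the wheel group, who is in wheel, whether /bin/su is setuid root, and what ENCRYPT_METHOD /etc/login.defs selects (MD5 on this box). Every check takes file contents or a single ls -l line, so it can be run against copies of the files; the sample PAM file is copied from the output above and the audit_su wording is my own.

```python
"""Checks for the `su -` authentication chain that the investigation above
walks through by hand. Each check takes file contents or one `ls -l` line,
so it runs against copies of the files or the constructed samples below."""
import os
import stat

# Constructed sample: the stock CentOS 7 /etc/pam.d/su from the output above.
STOCK_PAM_SU = """\
#%PAM-1.0
auth            sufficient      pam_rootok.so
#auth           sufficient      pam_wheel.so trust use_uid
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so
"""

def parse_pam(text):
    """Return active PAM rules as (type, control, module, args) tuples.
    Comment lines are skipped; bracketed controls such as
    [success=1 default=ignore] and a leading '-' on the type are handled."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) < 2:
            continue  # malformed: PAM would log and ignore it
        ptype, rest = fields[0].lstrip("-"), fields[1]
        if rest.startswith("["):
            control, rest = rest.split("]", 1)
            control += "]"
        else:
            control, rest = (rest.split(None, 1) + [""])[:2]
        module_args = rest.split(None, 1)
        module = module_args[0] if module_args else ""
        args = module_args[1] if len(module_args) > 1 else ""
        rules.append((ptype, control, module, args))
    return rules

def wheel_policy(pam_su_text):
    """'required' if only wheel members may su, 'trusted' if wheel members
    skip the password, 'none' if pam_wheel is inactive (the stock file)."""
    for ptype, control, module, args in parse_pam(pam_su_text):
        if ptype == "auth" and module == "pam_wheel.so":
            if "trust" in args.split():
                return "trusted"
            if control in ("required", "requisite"):
                return "required"
    return "none"

def wheel_members(group_text):
    """Members listed on the wheel line of /etc/group (empty on this box)."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "wheel":
            return [m for m in fields[3].split(",") if m]
    return []

def su_setuid_root_from_ls(ls_line):
    """True if an `ls -l` line shows a root-owned file with the setuid bit."""
    fields = ls_line.split()
    perms, owner = fields[0], fields[2]
    return owner == "root" and perms[3] in "sS"  # 's' setuid+exec, 'S' setuid only

def su_setuid_root(path):
    """Same check against a live path via os.stat."""
    st = os.stat(path)
    return st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)

def encrypt_method(login_defs_text):
    """Value of ENCRYPT_METHOD (MD5 on this box, where modern shadow-utils
    defaults to SHA512), or None when the key is absent."""
    for line in login_defs_text.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0] == "ENCRYPT_METHOD":
            return fields[1].upper()
    return None

def audit_su(pam_su_text, group_text, su_ls_line, user):
    """Explain whether `su -` run by `user` even reaches the root password check."""
    findings = []
    if not su_setuid_root_from_ls(su_ls_line):
        findings.append("/bin/su is not setuid root, so it cannot switch user")
    policy, members = wheel_policy(pam_su_text), wheel_members(group_text)
    if policy == "required" and user not in members:
        findings.append("pam_wheel is required and %s is not in wheel" % user)
    if policy == "trusted" and user in members:
        findings.append("pam_wheel trust is on and %s is in wheel: no password asked" % user)
    if not findings:
        findings.append("nothing in the su chain blocks the prompt; a failure means "
                        "the typed password does not match root's hash")
    return findings

if __name__ == "__main__":
    ls = "-rwsr-xr-x. 1 root root 32072 Mar 31  2016 /bin/su"  # from the output above
    for finding in audit_su(STOCK_PAM_SU, "wheel:x:10:\n", ls, "vagrant"):
        print(finding)
```

Run against the box's own files, the result for this post is the last branch: nothing in PAM, /etc/group or the binary stops the prompt, which narrows the failure to the root password hash itself, exactly where the author ends up.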

Conclusion

The root cause remains unknown. After becoming root via sudo and setting the password to "vagrant", su - to root succeeded. So the initial password must have been something other than "vagrant"? It is supposed to be the same as the initial password, though.

# passwd
Changing password for user root.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
#
# exit
logout
$ su -
Password:
Last login: Thu Dec  1 22:34:06 EST 2016 on pts/0
# exit
logout
$

Checking the official page

The initial password is vagrant after all...

DEFAULT USER SETTINGS

Just about every aspect of Vagrant can be modified. However, Vagrant does expect some defaults which will cause your base box to “just work” out of the box. You should create these as defaults if you intend to publicly distribute your box.

If you are creating a base box for private use, you should try not to follow these, as they open up your base box to security risks (known users, passwords, private keys, etc.).

“vagrant” User

By default, Vagrant expects a "vagrant" user to SSH into the machine as. This user should be set up with the insecure keypair that Vagrant uses as a default to attempt to SSH. Also, even though Vagrant uses key-based authentication by default, it is a general convention to set the password for the "vagrant" user to "vagrant". This lets people log in as that user manually if they need to.

To configure SSH access with the insecure keypair, place the public key into the ~/.ssh/authorized_keys file for the “vagrant” user. Note that OpenSSH is very picky about file permissions. Therefore, make sure that ~/.ssh has 0700 permissions and the authorized keys file has 0600 permissions.

When Vagrant boots a box and detects the insecure keypair, it will automatically replace it with a randomly generated keypair for additional security while the box is running.

Root Password: “vagrant”

Vagrant does not actually use or expect any root password. However, having a generally well known root password makes it easier for the general public to modify the machine if needed.

Publicly available base boxes usually use a root password of “vagrant” to keep things easy.

Password-less Sudo

This is important! Many aspects of Vagrant expect the default SSH user to have passwordless sudo configured. This lets Vagrant configure networks, mount synced folders, install software, and more.

To begin, some minimal installations of operating systems do not even include sudo by default. Verify that you install sudo in some way.

After installing sudo, configure it (usually using visudo) to allow passwordless sudo for the “vagrant” user. This can be done with the following line at the end of the configuration file:

vagrant ALL=(ALL) NOPASSWD: ALL

Additionally, Vagrant does not use a pty or tty by default when connected via SSH. You will need to make sure there is no line that has requiretty in it. Remove that if it exists. This allows sudo to work properly without a tty. Note that you can configure Vagrant to request a pty, which lets you keep this configuration. But Vagrant by default does not do this.
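The defaults quoted above, together with the /etc/sudoers.d/vagrant drop-in shown under Investigation, can be verified mechanically. The following is an added example (not Vagrant's or the post's own code) that audits a box for the three expectations: a NOPASSWD rule for the vagrant user or group, no active requiretty, and OpenSSH-acceptable permissions on ~/.ssh (0700) and authorized_keys (0600). The sudoers reader honours the footnote's pitfall: #include and #includedir are directives, not comments, so the drop-ins are read too. The demo() function builds a constructed layout under a temporary directory rather than touching a real system; the key material in it is a placeholder.

```python
"""Audit a base box against the Vagrant default-user expectations:
passwordless sudo for vagrant, no active `requiretty`, and correctly
permissioned SSH files. Paths are parameters so it can run on a copy."""
import os
import stat
import tempfile

def sudoers_lines(path, _seen=None):
    """Yield effective (non-comment) sudoers lines, following #include and
    #includedir the way sudo does. Drop-ins whose names contain '.' or end
    in '~' are skipped, as sudo skips them (so vagrant.rpmsave is ignored)."""
    _seen = set() if _seen is None else _seen
    if path in _seen or not os.path.isfile(path):
        return
    _seen.add(path)
    with open(path) as f:
        for raw in f:
            line = raw.strip()
            if line.startswith("#includedir "):
                d = line.split(None, 1)[1]
                if os.path.isdir(d):
                    for name in sorted(os.listdir(d)):
                        if "." in name or name.endswith("~"):
                            continue
                        yield from sudoers_lines(os.path.join(d, name), _seen)
            elif line.startswith("#include "):
                yield from sudoers_lines(line.split(None, 1)[1], _seen)
            elif line and not line.startswith("#"):
                yield line

def vagrant_has_nopasswd(lines):
    """True if a `vagrant ALL=(ALL) NOPASSWD: ALL` style rule exists for the
    vagrant user or the %vagrant group (a space after NOPASSWD: is assumed)."""
    for line in lines:
        fields = line.split()
        if (len(fields) >= 4 and fields[0] in ("vagrant", "%vagrant")
                and "NOPASSWD:" in fields and fields[-1] == "ALL"):
            return True
    return False

def requiretty_active(lines):
    """True if a Defaults line turns requiretty on; `!requiretty` does not."""
    for line in lines:
        fields = line.split(None, 1)
        if len(fields) == 2 and fields[0].startswith("Defaults"):
            opts = fields[1].replace(",", " ").split()
            if "requiretty" in opts:
                return True
    return False

def ssh_perms_ok(home):
    """OpenSSH wants ~/.ssh at 0700 and authorized_keys at 0600."""
    ssh_dir = os.path.join(home, ".ssh")
    keys = os.path.join(ssh_dir, "authorized_keys")
    if not (os.path.isdir(ssh_dir) and os.path.isfile(keys)):
        return False
    mode = lambda p: stat.S_IMODE(os.stat(p).st_mode)
    return mode(ssh_dir) == 0o700 and mode(keys) == 0o600

def audit_box(sudoers_path, home):
    lines = list(sudoers_lines(sudoers_path))
    return {"passwordless_sudo": vagrant_has_nopasswd(lines),
            "requiretty_active": requiretty_active(lines),
            "ssh_perms_ok": ssh_perms_ok(home)}

def demo():
    """Build a constructed box layout under a temp dir (not a real system):
    an /etc/sudoers that only has an #includedir, the drop-in from the
    investigation, a stale .rpmsave that sudo ignores, and a vagrant home
    with correctly permissioned SSH files holding a placeholder key."""
    root = tempfile.mkdtemp()
    dropins = os.path.join(root, "etc", "sudoers.d")
    os.makedirs(dropins)
    sudoers = os.path.join(root, "etc", "sudoers")
    with open(sudoers, "w") as f:
        f.write("Defaults    !visiblepw\n## Read drop-in files\n#includedir %s\n" % dropins)
    with open(os.path.join(dropins, "vagrant"), "w") as f:
        f.write("%vagrant ALL=(ALL) NOPASSWD: ALL\n")
    with open(os.path.join(dropins, "vagrant.rpmsave"), "w") as f:
        f.write("Defaults requiretty\n")  # ignored by sudo: name contains '.'
    home = os.path.join(root, "home", "vagrant")
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir)
    os.chmod(ssh_dir, 0o700)
    keys = os.path.join(ssh_dir, "authorized_keys")
    with open(keys, "w") as f:
        f.write("ssh-rsa AAAA-constructed-placeholder vagrant insecure key\n")
    os.chmod(keys, 0o600)
    return audit_box(sudoers, home)

if __name__ == "__main__":
    print(demo())
```

On a real box, call audit_box("/etc/sudoers", "/home/vagrant") as root; a False for passwordless_sudo or a True for requiretty_active is exactly the condition under which Vagrant's own provisioning steps start failing.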

Notes:

  1. /etc/sudoers is set up to include the configuration files under sudoers.d. Apparently that line is not commented out. Confusing.