Using custom installer image and non-root user no longer works #614

@provokateurin

Description

Prerequisites

  • I have updated to the latest version using nix run --refresh github:nix-community/nixos-anywhere
  • I have reproduced the issue with the --debug flag
  • I have searched existing issues to make sure this isn't a duplicate

Bug Description

Before #573, it was possible to use a custom installer image with a different user. This was well supported with nixos-anywhere user@ip. It should not be necessary to manually specify the no-op kexec phase due to 197343e.

Steps to Reproduce

  1. Custom installer image like:
        packages.installer = inputs.nixos-generators.nixosGenerate {
          inherit system;
          format = "install-iso";
          modules = [
            {
              users.users.nixos = {
                password = "nixos";
                initialHashedPassword = nixpkgs.lib.mkForce null;
              };
            }
          ];
        };
  2. nixos-anywhere user@ip --phases disko or nixos-anywhere user@ip --phases install
  3. See the failed login attempts for the root user on the target machine

Debug Logs

+ shift
+ [[ 8 -gt 0 ]]
+ case "$1" in
+ [[ 8 -lt 3 ]]
+ case "$2" in
+ hardwareConfigBackend=nixos-generate-config
+ hardwareConfigPath=./hosts/serafina/hardware-configuration.nix
+ shift
+ shift
+ shift
+ [[ 5 -gt 0 ]]
+ case "$1" in
+ diskEncryptionKeys["$2"]=/tmp/tmp.hXlAiS0fAu
+ shift
+ shift
+ shift
+ [[ 2 -gt 0 ]]
+ case "$1" in
+ phases[kexec]=0
+ phases[disko]=0
+ phases[install]=0
+ phases[reboot]=0
+ IFS=,
+ read -r -a phaseList
+ for phase in "${phaseList[@]}"
+ [[ 0 == unset ]]
+ phases[$phase]=1
+ shift
+ shift
+ [[ 0 -gt 0 ]]
+ [[ '' != '' ]]
+ diskoMode=disko
+ diskoAttr=diskoScript
+ [[ y == n ]]
+ [[ y == y ]]
+ nixOptions+=("-L")
+ [[ y == y ]]
+ nixCopyOptions+=("--substitute-on-destination")
+ [[ n == n ]]
+ [[ -z nixos@192.168.0.170 ]]
+ [[ auto == local ]]
+ [[ -n .#serafina ]]
+ [[ .#serafina =~ ^(.*)#([^#"]*)$ ]]
+ flake=.
+ flakeAttr=serafina
+ [[ -z serafina ]]
+ [[ serafina != nixosConfigurations.* ]]
+ flakeAttr='nixosConfigurations."serafina".config'
+ [[ n == y ]]
+ [[ auto == auto ]]
+ checkBuildLocally
+ local system extraPlatforms machineSystem
++ nix --extra-experimental-features 'nix-command flakes' config show system
+ system=x86_64-linux
++ nix --extra-experimental-features 'nix-command flakes' config show extra-platforms
+ extraPlatforms=aarch64-linux
+ [[ 0 -gt 0 ]]
+ [[ -n '' ]]
++ nix --extra-experimental-features 'nix-command flakes' eval --raw '.#nixosConfigurations."serafina".config.pkgs.system'
++ echo unknown
+ machineSystem=unknown
+ [[ unknown == unknown ]]
+ buildOn=auto
+ return
+ [[ -n . ]]
+ [[ auto == local ]]
+ [[ -n '' ]]
++ ssh -o IdentitiesOnly=yes -i /tmp/tmp.gQTl8HnoO3/nixos-anywhere -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -G nixos@192.168.0.170
Warning: Identity file /tmp/tmp.gQTl8HnoO3/nixos-anywhere not accessible: No such file or directory.
+ sshSettings=$'host 192.168.0.170\nuser nixos\nhostname 192.168.0.170\nport 22\naddressfamily any\nbatchmode no\ncanonicalizefallbacklocal yes\ncanonicalizehostname false\ncheckhostip no\ncompression no\ncontrolmaster false\nenablesshkeysign no\nclearallforwardings no\nexitonforwardfailure no\nfingerprinthash SHA256\nforwardx11 no\nforwardx11trusted no\ngatewayports no\nhashknownhosts no\nhostbasedauthentication no\nidentitiesonly yes\nkbdinteractiveauthentication yes\nnohostauthenticationforlocalhost no\npasswordauthentication yes\npermitlocalcommand no\nproxyusefdpass no\npubkeyauthentication true\nrequesttty auto\nsessiontype default\nstdinnull no\nforkafterauthentication no\nstreamlocalbindunlink no\nstricthostkeychecking false\ntcpkeepalive yes\ntunnel false\nverifyhostkeydns false\nvisualhostkey no\nupdatehostkeys false\nenableescapecommandline no\nwarnweakcrypto yes\ncanonicalizemaxdots 1\nconnectionattempts 1\nforwardx11timeout 1200\nnumberofpasswordprompts 3\nserveralivecountmax 3\nserveraliveinterval 120\nrequiredrsasize 1024\nobscurekeystroketiming yes\nciphers chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr\nhostkeyalgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256\nhostbasedacceptedalgorithms 
ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256\nkexalgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256\ncasignaturealgorithms ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256\nloglevel INFO\nmacs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\nsecuritykeyprovider internal\npubkeyacceptedalgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256\nxauthlocation /usr/X11R6/bin/xauth\nidentityfile ~/.ssh/id_rsa\nidentityfile ~/.ssh/id_ecdsa\nidentityfile ~/.ssh/id_ecdsa_sk\nidentityfile ~/.ssh/id_ed25519\nidentityfile ~/.ssh/id_ed25519_sk\ncanonicaldomains none\nglobalknownhostsfile /etc/ssh/ssh_known_hosts 
/etc/ssh/ssh_known_hosts2\nuserknownhostsfile /dev/null\nlogverbose none\nchanneltimeout none\npermitremoteopen any\naddkeystoagent false\nforwardagent no\nconnecttimeout none\ntunneldevice any:any\ncanonicalizePermittedcnames none\ncontrolpersist no\nescapechar ~\nipqos ef cs0\nrekeylimit 0 0\nstreamlocalbindmask 0177\nsyslogfacility USER'
++ awk '/^user / { print $2 }'
++ echo $'host 192.168.0.170\nuser nixos\nhostname 192.168.0.170\nport 22\naddressfamily any\nbatchmode no\ncanonicalizefallbacklocal yes\ncanonicalizehostname false\ncheckhostip no\ncompression no\ncontrolmaster false\nenablesshkeysign no\nclearallforwardings no\nexitonforwardfailure no\nfingerprinthash SHA256\nforwardx11 no\nforwardx11trusted no\ngatewayports no\nhashknownhosts no\nhostbasedauthentication no\nidentitiesonly yes\nkbdinteractiveauthentication yes\nnohostauthenticationforlocalhost no\npasswordauthentication yes\npermitlocalcommand no\nproxyusefdpass no\npubkeyauthentication true\nrequesttty auto\nsessiontype default\nstdinnull no\nforkafterauthentication no\nstreamlocalbindunlink no\nstricthostkeychecking false\ntcpkeepalive yes\ntunnel false\nverifyhostkeydns false\nvisualhostkey no\nupdatehostkeys false\nenableescapecommandline no\nwarnweakcrypto yes\ncanonicalizemaxdots 1\nconnectionattempts 1\nforwardx11timeout 1200\nnumberofpasswordprompts 3\nserveralivecountmax 3\nserveraliveinterval 120\nrequiredrsasize 1024\nobscurekeystroketiming yes\nciphers chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr\nhostkeyalgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256\nhostbasedacceptedalgorithms 
ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256\nkexalgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256\ncasignaturealgorithms ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256\nloglevel INFO\nmacs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\nsecuritykeyprovider internal\npubkeyacceptedalgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256\nxauthlocation /usr/X11R6/bin/xauth\nidentityfile ~/.ssh/id_rsa\nidentityfile ~/.ssh/id_ecdsa\nidentityfile ~/.ssh/id_ecdsa_sk\nidentityfile ~/.ssh/id_ed25519\nidentityfile ~/.ssh/id_ed25519_sk\ncanonicaldomains none\nglobalknownhostsfile /etc/ssh/ssh_known_hosts 
/etc/ssh/ssh_known_hosts2\nuserknownhostsfile /dev/null\nlogverbose none\nchanneltimeout none\npermitremoteopen any\naddkeystoagent false\nforwardagent no\nconnecttimeout none\ntunneldevice any:any\ncanonicalizePermittedcnames none\ncontrolpersist no\nescapechar ~\nipqos ef cs0\nrekeylimit 0 0\nstreamlocalbindmask 0177\nsyslogfacility USER'
+ sshUser=nixos
+ sshHost=192.168.0.170
+ [[ 0 != 1 ]]
+ sshConnection=root@192.168.0.170
+ uploadSshKey
+ local sshCopyHome=/home/jld3103
+ mkdir -p /home/jld3103/.ssh/
+ [[ -n '' ]]
+ ssh-keygen -t ed25519 -f /tmp/tmp.gQTl8HnoO3/nixos-anywhere -P '' -C nixos-anywhere
+ step Uploading install SSH keys
+ echo '### Uploading install SSH keys ###'
### Uploading install SSH keys ###
+ [[ y == y ]]
+ HOME=/home/jld3103
+ sshpass -e ssh-copy-id -o ConnectTimeout=10 -o IdentitiesOnly=yes -i /tmp/tmp.gQTl8HnoO3/nixos-anywhere -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@192.168.0.170
/nix/store/xl51g703s45npf1w4lsql5c78hilcbb7-openssh-10.2p1/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/tmp/tmp.gQTl8HnoO3/nixos-anywhere.pub"
/nix/store/xl51g703s45npf1w4lsql5c78hilcbb7-openssh-10.2p1/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/nix/store/xl51g703s45npf1w4lsql5c78hilcbb7-openssh-10.2p1/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Warning: Permanently added '192.168.0.170' (ED25519) to the list of known hosts.
+ sleep 3
+ [[ y == y ]]
+ HOME=/home/jld3103
+ sshpass -e ssh-copy-id -o ConnectTimeout=10 -o IdentitiesOnly=yes -i /tmp/tmp.gQTl8HnoO3/nixos-anywhere -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@192.168.0.170
/nix/store/xl51g703s45npf1w4lsql5c78hilcbb7-openssh-10.2p1/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/tmp/tmp.gQTl8HnoO3/nixos-anywhere.pub"
/nix/store/xl51g703s45npf1w4lsql5c78hilcbb7-openssh-10.2p1/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/nix/store/xl51g703s45npf1w4lsql5c78hilcbb7-openssh-10.2p1/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Warning: Permanently added '192.168.0.170' (ED25519) to the list of known hosts.
+ sleep 3
+ [[ y == y ]]
+ HOME=/home/jld3103
+ sshpass -e ssh-copy-id -o ConnectTimeout=10 -o IdentitiesOnly=yes -i /tmp/tmp.gQTl8HnoO3/nixos-anywhere -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@192.168.0.170
/nix/store/xl51g703s45npf1w4lsql5c78hilcbb7-openssh-10.2p1/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/tmp/tmp.gQTl8HnoO3/nixos-anywhere.pub"
/nix/store/xl51g703s45npf1w4lsql5c78hilcbb7-openssh-10.2p1/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/nix/store/xl51g703s45npf1w4lsql5c78hilcbb7-openssh-10.2p1/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
kex_exchange_identification: read: Connection reset by peer
Connection reset by 192.168.0.170 port 22
+ sleep 3

Command Used

nix run github:nix-community/nixos-anywhere -- --flake .#serafina --env-password nixos@192.168.0.170 --debug --generate-hardware-config nixos-generate-config ./hosts/serafina/hardware-configuration.nix --disk-encryption-keys /tmp/secret.key /tmp/tmp.hXlAiS0fAu --phases disko

Target System

Bare metal server

NixOS Version

25.11

Environment Information

  • Host OS: Arch Linux
  • Nix version: 2.33.0
  • Target architecture: x86_64

Configuration Files

Additional Context

No response
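Added illustration, not code from nixos-anywhere: it re-creates the user selection visible in the debug trace (sshUser=nixos is parsed from `ssh -G`, then `[[ 0 != 1 ]]` succeeds and sshConnection becomes root@host) and adds a preflight check that refuses to run when the user that would be used differs from the one requested. The sample `ssh -G` lines are constructed, `preflight_user_check` is a hypothetical helper, and the reading of the 0 as phases[kexec] is an assumption.

```shell
#!/bin/sh
# Added example, not code from nixos-anywhere. Re-creates the user
# selection seen in the debug trace and adds a preflight check.

# Constructed stand-in for the first lines of `ssh -G nixos@192.168.0.170`.
SSH_G_SAMPLE=$(printf 'host 192.168.0.170\nuser nixos\nhostname 192.168.0.170\nport 22\n')

# Same extraction the trace performs with awk on the `ssh -G` output.
ssh_user_from_settings() {
  printf '%s\n' "$1" | awk '/^user / { print $2 }'
}
ssh_host_from_settings() {
  printf '%s\n' "$1" | awk '/^hostname / { print $2 }'
}

# Behaviour seen in the trace: sshUser=nixos is computed, then `[[ 0 != 1 ]]`
# succeeds and sshConnection becomes root@host. Assumption (not confirmed
# by the trace itself): the 0 being compared is phases[kexec].
connection_as_traced() {
  local settings="$1" kexec_enabled="$2" user host
  user=$(ssh_user_from_settings "$settings")
  host=$(ssh_host_from_settings "$settings")
  if [ "$kexec_enabled" != 1 ]; then
    user=root
  fi
  printf '%s@%s' "$user" "$host"
}

# Hypothetical preflight helper (not part of the tool): refuse to proceed
# when the requested user is not the one that would be used, so the failed
# root logins the reporter saw on the target never happen.
preflight_user_check() {
  local requested actual
  requested=$(ssh_user_from_settings "$1")
  actual=$(connection_as_traced "$1" "$2")
  if [ "${actual%%@*}" != "$requested" ]; then
    printf 'refusing: requested %s, tool would connect as %s\n' \
      "$requested" "${actual%%@*}" >&2
    return 1
  fi
  printf '%s' "$actual"
}

# Stand-alone run mirroring the issue's `--phases disko` invocation.
main() {
  connection_as_traced "$SSH_G_SAMPLE" 0; echo      # root@192.168.0.170
  preflight_user_check "$SSH_G_SAMPLE" 0 || echo "(refused, as expected)"
  preflight_user_check "$SSH_G_SAMPLE" 1; echo      # nixos@192.168.0.170
}
main
```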
