how to log in as root on Red Hat supplied guest image

Latest response

Using the RHOS 3.0 Getting Started Guide (GSG) to get started, I recently did the following:
- downloaded a guest image from Red Hat
- ran virt-sysprep against it (per instructions in the GSG - is it needed for the Red Hat supplied image, too?)
- used glance image-create to upload the image to glance
(so far so good)
- used nova boot to launch an instance using the image I just uploaded
(Note I had to do a nova keypair-add to create the key_name to use but this step was missing in the GSG)

Now, at the end of section 7.2 in the GSG, it says I can ssh into the instance. The example shows
ssh -I oskey.priv root@

I now know that the oskey term should match whatever the name of the keypair that I created. But the .priv portion did not work for me. I tried .pub because when I created the keypair I gave it the location of my public key ( And the ipaddress needs to match the ipaddress reported in nova list.

Now, when I used all the right key names and ip addresses, it wouldn't let me log in as root. It said,
Please login as user "cloud-user" rather than the user "root".

This is from the Red Hat guest image I downloaded from Red Hat. Is there a way to log in as the root user using that image?



Note - I was able to log in as cloud-user just not as root.

When you create a ssh key pair from dashboard or command line, you would get a xxxx.pem file for download. This is what you need to use with -i and is the private key. The public key from the pair is injected to the image by nova when you launch the instance.

If you want to ssh as root, you have to set a root password before uploading the image. This is not recommended, instead use the ssh key authentication.

See details at

Sadique you can ssh as root as long as as you re-enable root. Re-enabling root by adding

PermitRootLogin yes

in /etc/ssh/sshd.conf will allow you to login as root provided you have injected your public key.

When I use mykey.priv or to ssh into the instance, I get the following:
Warning: Identity file mykey.priv not accessible: No such file or directory.

When I do not use a key to ssh into the instance, I don't get any message.

Is this normal?

BTW - In both cases I am logged in as cloud-user on the instance.

I haven't tried the steps in the referenced link yet (thanks for the pointer).


I think I found out that the file referenced with ssh -i must either specified with a full path to it or be in the local directory.

You can allow root to login by taking a close look at /root/.ssh/authorized_keys

Remove command before the key:

no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"cloud-user\" rather than the user \"root\".';echo;sleep 10"

you can use cloud init to re-enable root, enable pwauth, and change the password for root, as well as setting root password access for root.

# vim:syntax=yaml
debug: True
ssh_pwauth: True
disable_root: false
  list: |
  expire: false
- sed -i'.orig' -e's/without-password/yes/' /etc/ssh/sshd_config
- service sshd restart

Setting a password lets you in locally, but you still can't ssh in unless you remove the command in authorized_keys

Scotty that is why using cloud-init works so well, not only do you add a root password, or add your ssh key, you can also make system changes via the command line. For all of the uses of cloud-init there is a site full of examples found here

On a RHEL6 image that I created it looks like root logins are being blocked by ChallengeResponseAuthentication


# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

So commenting out the no line and uncommenting the yes line

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no

And restart of sshd seems to open it up just fine.

I assume root lock out may change over time with cloud-init updates.

[root@rhel6-projectx-2 ~]# rpm -qa | grep cloud-init

So modification of Dexter's cloud-config example could work with the above.

Also one of the nice things about building your own images is you set your own root password. I don't like how the password modifications are shown in plain text with the cloud-config.

So by creating you own images you can use the ssh key to login and then su - to root

Thanks, Dave!

create the public and private keys , upload to the RHEL image, then ssh -i private-key name -l cloud-user "server-IP". Tou should be able to login as cloud-user now just run sudo -s to login as root. It's better that root is not used as direct login to ssh.

Hi all,

I've just created a vm with rhel7.1 installed over with a red hat openstack enviroment. I would like to log in via terminal.

Wick password can I use for user cloud-user?

Thanks & regards, Federico

A Red-Hatter named "John Call" provided the following a while ago in a different discussion:

John Call of Red Hat said "there is an easier way to do this. I also remove "cloud-init" when I'm using Virtual Machine Manager / Boxes / VMware Workstation / etc..."

Example for RHEL7

$ virt-customize -a rhel-guest-image-7.2-20160302.0.x86_64.qcow2 --root-password password:PASSW0RD --uninstall cloud-init
[   0.0] Examining the guest ...
[  12.1] Setting a random seed
[  12.1] Uninstalling packages: cloud-init
[  14.5] Setting passwords
[  15.9] Finishing off

It also works for RHEL6

$ virt-customize -a rhel-guest-image-6.8-20160425.0.x86_64.qcow2 --root-password password:PASSW0RD --uninstall cloud-init
[   0.0] Examining the guest ...
[  14.5] Setting a random seed
[  14.5] Uninstalling packages: cloud-init
[  17.0] Setting passwords
[  18.1] Finishing off

change the version number appropriately in the above examples