LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 01-14-2014, 11:57 AM   #1
YSS
LQ Newbie
 
Registered: Jan 2014
Distribution: CentOS
Posts: 5

Rep: Reputation: Disabled
Problem in login via ssh


Hi,

This is my first post. I have been using Linux for sometime, but at a newbie level(looking up commands online to get me through). Now, I have been given system administration responsibility at my research group lab. Following is the problem I am facing:

One of the machine in the lab is only allowing the root to login, none of the other users can login. All the machines have CentOS 5 installed on them except this particular machine(it has CentOS 6). I don't think this is the reason though, because there was no problem for 2-3 months since CentOS 6 was installed.

Following is what I get with ssh -v
Code:
#ssh -V username@fakeserver
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to fakeserver [1**.***.***.***] port 22.
debug1: Connection established.
debug1: identity file /home/username/.ssh/identity type -1
debug1: identity file /home/username/.ssh/id_rsa type -1
debug1: identity file /home/username/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'fakeserver' is known and matches the RSA host key.
debug1: Found key in /home/username/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

debug1: Next authentication method: publickey
debug1: Trying private key: /home/username/.ssh/identity
debug1: Trying private key: /home/username/.ssh/id_rsa
debug1: Trying private key: /home/username/.ssh/id_dsa
debug1: Next authentication method: password
# username@fakeserver's password:
# Connection closed by 1**.***.***.***
I think the machine is able to authenticate the user, but then closing the connection.

Please help in debugging this problem.

Thanks!!
 
Old 01-14-2014, 01:36 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Please post the contents of:
  • /etc/security/access.conf
  • /etc/ssh/sshd_config

And post the last few entries (immediately after a failed user login) from the sshd server's /var/log/secure.
 
Old 01-14-2014, 04:05 PM   #3
YSS
LQ Newbie
 
Registered: Jan 2014
Distribution: CentOS
Posts: 5

Original Poster
Rep: Reputation: Disabled
the output for /etc/security/access.conf

Code:
-:ALL EXCEPT root wheel shutdown sync ugm/up.fake.name.access.all ugm/up.fake.name.access.workstations:ALL
this is similar to all the other machines.



the output for /etc/ssh/sshd_config

Code:
Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
Subsystem       sftp    /usr/libexec/openssh/sftp-server
PermitRootLogin yes
this is also similar in all the machines.


The failed user log is like this:

Code:
host=accesshost  user=username
Jan 14 16:30:18 fakeserver sshd[11311]: pam_krb5[11311]: error reading keytab 'FILE:/etc/krb5.keytab'
Jan 14 16:30:18 fakeserver sshd[11311]: pam_krb5[11311]: TGT verified
Jan 14 16:30:18 fakeserver sshd[11311]: pam_krb5[11311]: authentication succeeds for 'accesshost' (username@server)
Jan 14 16:30:20 fakeserver sshd[11311]: pam_access(sshd:account): access denied for user `username' from `accesshost'
Jan 14 16:30:20 fakeserver sshd[11311]: Failed password for username from 1**.***.***.*** port 44008 ssh2
Jan 14 16:30:20 fakeserver sshd[11314]: fatal: Access denied for user yss107 by PAM account configuration
 
Old 01-14-2014, 04:17 PM   #4
Rawcous
Member
 
Registered: Jan 2014
Location: Farnborough, Hampshire - UK
Distribution: Previously 2 * Fedora 18 Servers -> 2 * CentOS 6.7 + random distro testing
Posts: 96

Rep: Reputation: Disabled
Quote:
Originally Posted by YSS View Post
the output for /etc/security/access.conf

Code:
-:ALL EXCEPT root wheel shutdown sync ugm/up.fake.name.access.all ugm/up.fake.name.access.workstations:ALL
this is similar to all the other machines.



the output for /etc/ssh/sshd_config

Code:
Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
Subsystem       sftp    /usr/libexec/openssh/sftp-server
PermitRootLogin yes
this is also similar in all the machines.


The failed user log is like this:

Code:
host=accesshost  user=username
Jan 14 16:30:18 fakeserver sshd[11311]: pam_krb5[11311]: error reading keytab 'FILE:/etc/krb5.keytab'
Jan 14 16:30:18 fakeserver sshd[11311]: pam_krb5[11311]: TGT verified
Jan 14 16:30:18 fakeserver sshd[11311]: pam_krb5[11311]: authentication succeeds for 'accesshost' (username@server)
Jan 14 16:30:20 fakeserver sshd[11311]: pam_access(sshd:account): access denied for user `username' from `accesshost'
Jan 14 16:30:20 fakeserver sshd[11311]: Failed password for username from 1**.***.***.*** port 44008 ssh2
Jan 14 16:30:20 fakeserver sshd[11314]: fatal: Access denied for user yss107 by PAM account configuration
Hello YSS,

I have just checked my /etc/ssh/sshd_config as I recall a while back I had a similar problem as yours - I simply commented out the following lines, thus

# GSSAPI options
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes

Also I ensured that the following was set within /etc/ssh/ssh_config

Host *
GSSAPIAuthentication yes


Ensuring I used the above, and then restarting the services resolved my issue....

Regards,

Rawcous!!
 
Old 01-14-2014, 04:31 PM   #5
YSS
LQ Newbie
 
Registered: Jan 2014
Distribution: CentOS
Posts: 5

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Rawcous View Post
Hello YSS,

I have just checked my /etc/ssh/sshd_config as I recall a while back I had a similar problem as yours - I simply commented out the following lines, thus

# GSSAPI options
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes

Also I ensured that the following was set within /etc/ssh/ssh_config

Host *
GSSAPIAuthentication yes


Ensuring I used the above, and then restarting the services resolved my issue....

Regards,

Rawcous!!



I made the changes you suggested. It still does now work.
 
Old 01-14-2014, 04:46 PM   #6
Rawcous
Member
 
Registered: Jan 2014
Location: Farnborough, Hampshire - UK
Distribution: Previously 2 * Fedora 18 Servers -> 2 * CentOS 6.7 + random distro testing
Posts: 96

Rep: Reputation: Disabled
YSS,

1. I assuming that when you generated the key files you were prompted to create a password? / When ssh'ing you were prompted for the password?
2. When running the ssh -v check the contents of /var/log/secure
3. Running ssh -vvv rather than simply ssh -v should provide you with more verbose output and may give more clues... Try this and then check the log file in step 2.


Rawcous!
 
Old 01-14-2014, 04:59 PM   #7
YSS
LQ Newbie
 
Registered: Jan 2014
Distribution: CentOS
Posts: 5

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Rawcous View Post
YSS,

1. I assuming that when you generated the key files you were prompted to create a password? / When ssh'ing you were prompted for the password?
2. When running the ssh -v check the contents of /var/log/secure
3. Running ssh -vvv rather than simply ssh -v should provide you with more verbose output and may give more clues... Try this and then check the log file in step 2.


Rawcous!
Rawcous,

Yes, I was prompted for password when I was ssh'ing.

There is some more output with ssh -vvv
Code:
username@fakeserver's password: 
debug3: packet_send2: adding 64 (len 60 padlen 4 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug3: Wrote 144 bytes for a total of 1253
Connection closed by 1**.***.***.***
The log remains the save for ssh -v and ssh -vvv
The last two log entries(one with ssh -v and other with ssh -vvv) are as following:
Code:
Jan 14 17:48:38 fakeserver sshd[4464]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=accesshost  user=username
Jan 14 17:48:38 fakeserver sshd[4464]: pam_krb5[4464]: error reading keytab 'FILE:/etc/krb5.keytab'
Jan 14 17:48:38 fakeserver sshd[4464]: pam_krb5[4464]: TGT verified
Jan 14 17:48:38 fakeserver sshd[4464]: pam_krb5[4464]: authentication succeeds for 'username' (username@server)
Jan 14 17:48:39 fakeserver sshd[4464]: pam_access(sshd:account): access denied for user `username' from `accesshost'
Jan 14 17:48:39 fakeserver sshd[4464]: Failed password for username from 1**.***.***.*** port 38086 ssh2
Jan 14 17:48:39 fakeserver sshd[4465]: fatal: Access denied for user username by PAM account configuration

Jan 14 17:49:03 fakeserver sshd[4475]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=accesshost  user=username
Jan 14 17:49:03 fakeserver sshd[4475]: pam_krb5[4475]: error reading keytab 'FILE:/etc/krb5.keytab'
Jan 14 17:49:03 fakeserver sshd[4475]: pam_krb5[4475]: TGT verified
Jan 14 17:49:03 fakeserver sshd[4475]: pam_krb5[4475]: authentication succeeds for 'username' (user@server)
Jan 14 17:49:03 fakeserver sshd[4475]: pam_access(sshd:account): access denied for user `username' from `accesshost'
Jan 14 17:49:03 fakeserver sshd[4475]: Failed password for username from 1**.***.***.*** port 38088 ssh2
Jan 14 17:49:03 fakeserver sshd[4476]: fatal: Access denied for user username by PAM account configuration
 
Old 01-15-2014, 02:18 AM   #8
padeen
Member
 
Registered: Sep 2009
Location: Perth, W.A.
Distribution: Slackware 14, Debian Sid, FreeBSD 10, OpenBSD
Posts: 191

Rep: Reputation: 36
My Slackware system doesn't use pam so I may be reading this wrong, but my interpretation of your error msgs is that you have not set up pam to authenticate 'user@1**.***.***.***' with a password. (Also, FYI, you've exposed one of your usernames in your post.)
 
Old 01-15-2014, 08:25 AM   #9
slinx
Member
 
Registered: Apr 2008
Location: Cleveland, Ohio
Distribution: SuSE, CentOS, Fedora, Ubuntu
Posts: 106

Rep: Reputation: 23
YSS, you did not specify what kind of authentication you are using. The fact that root can login means local authentication is working. The krb5 error suggests your machines are set up to use Kerberos authentication, possibly from a Microsoft Active Directory server. The PAM authentication files are under /etc/pam.d, so check those files and compare to your other servers. If this is the case, you need to check the contents of the /etc/krb5.keytab file on the affected server, and compare that to the other servers where authentication is working. You may need to re-generate the keytab file for that server.
 
2 members found this post helpful.
Old 01-15-2014, 09:56 AM   #10
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
@YSS,

Code:
pam_krb5[11311]: error reading keytab 'FILE:/etc/krb5.keytab'
That appears to be the problem to investigate. Look into permissions, SELinux access denials, and slinx's comments (in the above post).
 
Old 01-17-2014, 04:00 PM   #11
YSS
LQ Newbie
 
Registered: Jan 2014
Distribution: CentOS
Posts: 5

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by slinx View Post
YSS, you did not specify what kind of authentication you are using. The fact that root can login means local authentication is working. The krb5 error suggests your machines are set up to use Kerberos authentication, possibly from a Microsoft Active Directory server. The PAM authentication files are under /etc/pam.d, so check those files and compare to your other servers. If this is the case, you need to check the contents of the /etc/krb5.keytab file on the affected server, and compare that to the other servers where authentication is working. You may need to re-generate the keytab file for that server.
I replaced the gdm and sshd files with the other server. This solved the problem. Thank you all for the help.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] SSH login problem for additional users after password-less login setup uncle-c Linux - Newbie 3 02-10-2010 12:51 PM
ssh login problem larryc6 Linux - General 3 02-15-2009 10:47 AM
SSH Problem - Can't login using Hostname, can login using ip address jqweezy Linux - Networking 7 01-26-2009 02:21 PM
SSH login problem thomas_fogh Linux - Networking 2 03-22-2006 12:42 PM
Another ssh login problem silver2003 Linux - Security 3 10-03-2004 08:44 AM


All times are GMT -5. The time now is 07:34 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration