LinuxQuestions.org

Unable to remote ssh login (permission denied) (https://www.linuxquestions.org/questions/linux-newbie-8/unable-to-remote-ssh-login-permission-denied-4175465937/)

iprince 06-13-2013 10:43 PM

Unable to remote ssh login (permission denied)
 
Hi,

I'm using RHEL 6. I have set up two user accounts as below:

1. john (home dir: /home/john)
2. robert (home dir: /home/john/robert)

After I set up both accounts, I had no problem logging in with the john account from a remote terminal, but logging in with robert failed with the error message 'permission denied'.

This only happened when I used a remote terminal to log in; if I used switch user (su -l robert) locally on the server where the robert account was created, I managed to log in.

My initial assumption was that this error occurred because robert's home dir was set up under john's home dir. Unfortunately, changing the permissions of the home dir didn't help either.

And FYI, I have no problem logging in with other user accounts, including root, as those accounts' home directories are set up independently, unlike the john and robert accounts.

I wonder if anyone has encountered the same issue when setting up user accounts/home directories like this?

I'd really appreciate your advice. Thanks.

iprince 06-13-2013 10:49 PM

Some additional information

# The error message when I tried to log in from a remote terminal
[root@lnx-test04 ~]# ssh lnx-test07 -l robert
robert@lnx-test07's password:
Permission denied, please try again.

# Error message from server lnx-test07 (/var/log/secure), where the robert account was created
Jun 13 15:19:22 lnx-test07 sshd[17296]: pam_exec(sshd:auth): /usr/local/sbin/pam_check_home_dir.sh failed: exit code 1
Jun 13 15:19:24 lnx-test7 sshd[17296]: Failed password for robert from 172.xxx.xxx.xxx port 53626 ssh2

# Successful login to the robert account via (su -l spccaps) from the server where the robert account was created
[root@lnx-test04 ~]# su - robert
[robert@lnx-test04 ~]$

I appreciate your help/advice. Thanks.

Z038 06-13-2013 11:13 PM

What does the shell script /usr/local/sbin/pam_check_home_dir.sh do?

iprince 06-13-2013 11:17 PM

Hi Z038,

This is the content of the /usr/local/sbin/pam_check_home_dir.sh script. Please advise. Thanks.

#!/bin/sh
# Refuse to run unless invoked by pam_exec, which exports PAM_USER.
if [ -z "${PAM_USER}" ]; then
    echo 'this script must be executed by PAM'
    exit 1
fi

# uid 0 is expected to live at /<user> (i.e. /root), everyone else at /home/<user>.
# The exit status of test(1) is the script's exit status, which pam_exec reports.
if [ $( id -u "${PAM_USER}" ) -eq 0 ]; then
    test -d "/${PAM_USER}/"
else
    test -d "/home/${PAM_USER}/"
fi
## end-of-file

Z038 06-13-2013 11:29 PM

This section of the script

Code:

if [ $( id -u "${PAM_USER}" ) -eq 0 ]; then
    test -d "/${PAM_USER}/";
else
    test -d "/home/${PAM_USER}/";
fi;

is checking whether the user's home directory exists as /<username> or /home/<username>.

That check will be successful for /home/john, but not for /home/john/robert. A home for john of /john would also work. So would /robert, or /home/robert.

You need to give robert a home of /robert or /home/robert.

haertig 06-13-2013 11:29 PM

Are you using pubkey authentication or password authentication? If it's pubkey, you may have a directory/file permission problem. For OpenSSH with pubkey authentication, the $HOME directory, the .ssh subdirectory, and the authorized_keys file cannot be writable by anyone but the owner, else remotely logging in will fail. Having the 'robert' $HOME as a subdirectory under the 'john' $HOME might cause permission issues. Can't say I've ever tried that particular setup to know from experience.

I also see mention of "ssh2" in one of your log messages, and I believe that "2" is normally associated with Tectia SSH. Are you using Tectia or OpenSSH?

haertig 06-13-2013 11:35 PM

Looks like Z038 has your answer. He posted at the same time I was typing. I didn't look at your PAM script closely, but Z038 did, and pointed out the problem with the script. I'm not sure why the script would want to enforce a strict convention for $HOME directories anyway. True, most people put users under /home, but I've seen plenty of cases where that isn't true, and it's weird that PAM would try to enforce that convention.

chrism01 06-14-2013 12:42 AM

Normally users' home dirs are under /home, except for the root user, whose home is under '/'.
Why on earth would you put one inside another? I can't believe that won't lead to problems (as you've seen).

iprince 06-14-2013 01:59 AM

Thanks Z038, haertig and chrism01 for your feedback.

FYI, I am migrating an application from HP-UX to Linux and was suddenly hit by this issue.
It worked fine in HP-UX (it ran for years) but not in Linux. By the way, is there still a way to carry over a similar account setup in Linux?

Your advice is highly appreciated. Thanks.

chrism01 06-14-2013 02:45 AM

You'd obviously have to edit that PAM shell file.
I still think it's bad design, even on HP-UX; I've never seen it before.
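One way to edit the pam_exec script so that it keeps its actual check (the account must have an existing home directory) but stops hard-coding the /home/<user> convention that broke robert. This is an added example, not the script iprince ended up with or anything from the thread; it assumes the script is still called from the sshd auth stack via pam_exec.so (which exports PAM_USER), and the optional PASSWD_FILE argument is an assumption introduced only so check_home_dir can be exercised against a constructed passwd file instead of the live NSS database.

```shell
#!/bin/sh
# Rewritten pam_check_home_dir.sh (added example, not the script from the thread).
#
# Intent kept from the original: a login is refused when the account has no
# existing home directory. Change: instead of hard-coding /home/<user>
# (or /<user> for uid 0), the account's real home is read from the passwd
# database, so a home such as /home/john/robert passes as long as it exists.
#
# Assumed deployment (not stated in the thread):
#   auth  required  pam_exec.so  /usr/local/sbin/pam_check_home_dir.sh
# pam_exec(8) exports PAM_USER; the optional PASSWD_FILE argument below exists
# only so check_home_dir can be exercised against a constructed passwd file.

# lookup_home USER [PASSWD_FILE]: print the home field (6th) of USER's entry.
# Without PASSWD_FILE, query NSS with getent(1) so LDAP/NIS accounts work too.
# Field 1 is compared exactly, so "rob" does not match "robert".
lookup_home() {
    if [ -n "${2:-}" ]; then
        awk -F: -v u="$1" '$1 == u { print $6; exit }' "$2"
    else
        getent passwd "$1" | awk -F: '{ print $6; exit }'
    fi
}

# check_home_dir USER [PASSWD_FILE]: status 0 iff USER exists and its home
# field is an absolute path naming an existing directory.
check_home_dir() {
    # Refuse empty or odd user names before they reach awk/getent.
    case "${1:-}" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac

    home=$(lookup_home "$1" "${2:-}")
    [ -n "$home" ] || return 1        # no such account, or empty home field

    # A relative home (e.g. "home/mallory") would be tested relative to
    # sshd's cwd; insist on an absolute path.
    case "$home" in
        /*) ;;
        *)  return 1 ;;
    esac

    [ -d "$home" ]
}

# Under pam_exec, PAM_USER is set: run the check and make its status the
# script's exit code. Without PAM_USER the file only defines the functions
# (so it can be sourced by a test) instead of exiting as the original did.
if [ -n "${PAM_USER:-}" ]; then
    check_home_dir "$PAM_USER"
    exit $?
fi
```

With this in place robert's home at /home/john/robert passes because that is what his passwd entry says, while an account whose recorded home is missing, a name with no passwd entry, or a home field that is not an absolute path is still rejected. Note that this only checks existence; the authorized_keys permission rules haertig mentioned are enforced separately by sshd's StrictModes, not by this script.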

iprince 06-17-2013 04:52 AM

Thanks everyone for the help.
Changing the script solved my issue.

