LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 05-21-2013, 05:59 AM   #1
nowornever
LQ Newbie
 
Registered: Feb 2012
Posts: 4

Rep: Reputation: Disabled
Post Can not ssh in a server through non root user


Hi,
I have a server running RHEL 6.0.

While logging in through root ,I can login.But if I try to login through "integ" user,I am unable to login.

/var/log/secure messages:::
Code:
May 20 15:25:23 punsyncserv su: pam_unix(su-l:session): session opened for user integ by root(uid=0)
May 20 15:29:44 punsyncserv su: pam_unix(su-l:session): session closed for user integ
May 20 15:32:59 punsyncserv groupadd[6888]: group added to /etc/group: name=integ, GID=1003
May 20 15:32:59 punsyncserv groupadd[6888]: group added to /etc/gshadow: name=integ
May 20 15:32:59 punsyncserv groupadd[6888]: new group: name=integ, GID=1003
May 20 15:34:37 punsyncserv su: pam_unix(su-l:session): session opened for user integ by root(uid=0)
May 20 15:35:34 punsyncserv su: pam_unix(su:session): session opened for user integ by integ(uid=0)
May 20 18:33:30 punsyncserv sshd[6777]: pam_unix(sshd:session): session closed for user root
May 20 18:33:30 punsyncserv su: pam_unix(su-l:session): session closed for user integ
May 21 06:09:10 punsyncserv login: pam_unix(remote:auth): check pass; user unknown
May 21 06:09:10 punsyncserv login: pam_unix(remote:auth): authentication failure; logname= uid=0 euid=0 tty=pts/8 ruser= rhost=sssuse10b1
May 21 06:09:10 punsyncserv login: pam_succeed_if(remote:auth): error retrieving information about user nightly
May 21 06:09:18 punsyncserv login: FAILED LOGIN 1 FROM sssuse10b1 FOR nightly, User not known to the underlying authentication module
May 21 06:09:43 punsyncserv rshd[9839]: pam_rhosts(rsh:auth): allowed access to nightly@sssuse10b1.vx.xx.com as integ
May 21 11:50:58 punsyncserv sshd[10806]: Failed password for integ from 172.31.48.28 port 49939 ssh2
May 21 11:51:05 punsyncserv sshd[10806]: Failed password for integ from 172.31.48.28 port 49939 ssh2
May 21 11:51:10 punsyncserv sshd[10806]: Failed password for integ from 172.31.48.28 port 49939 ssh2
May 21 11:59:19 punsyncserv sshd[10869]: Failed password for integ from 172.31.48.28 port 53831 ssh2
May 21 12:00:21 punsyncserv sshd[10869]: Failed password for integ from 172.31.48.28 port 53831 ssh2
May 21 12:00:59 punsyncserv sshd[10875]: Failed password for integ from 10.210.135.31 port 58103 ssh2
May 21 15:09:25 punsyncserv sshd[11410]: Connection closed by 172.31.48.15
May 21 15:11:31 punsyncserv sshd[11421]: Accepted password for root from 172.31.48.106 port 64479 ssh2
May 21 15:11:31 punsyncserv sshd[11421]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 21 15:16:51 punsyncserv sshd[11457]: Connection closed by 172.31.48.106
May 21 15:47:08 punsyncserv sshd[11565]: Failed password for integ from 172.31.48.106 port 57542 ssh2
May 21 16:18:14 punsyncserv sshd[11691]: Accepted password for root from 172.31.48.15 port 51139 ssh2
May 21 16:18:14 punsyncserv sshd[11691]: pam_unix(sshd:session): session opened for user root by (uid=0)

Also ,output of w command is:
Code:
 16:26:24 up 195 days,  3:02, 13 users,  load average: 1.26, 1.42, 1.52
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    v-034999a.punin. 30Mar13 25:02m  0.22s  0.22s telnet 0
integ    pts/1    v-034999a.punin. 22Apr13 23:07m  0.16s  0.08s bash
integ    pts/2    v-069090a.punin. 13May13  7days  0.04s  1.59s sshd: integ [priv]
integ    pts/3    v-069090a.punin. Fri15    4days  3:01m  0.80s sshd: integ [priv]
integ    pts/4    v-069090a.punin. 27Feb13 15days  1:14m 16.50s sshd: integ [priv]
integ    pts/6    v-069090a.punin. Fri15   27:22m  0.35s  0.80s sshd: integ [priv]
integ    pts/7    v-069090a.punin. Mon14    4:29m 19:27   0.24s sshd: integ [priv]
root     pts/8    172.31.48.106    15:11    0.00s  0.31s  0.00s w
integ    pts/9    v-034999a.punin. 01Apr13  2days  0.64s  9.91s sshd: integ [priv]
integ    pts/5    localhost        30Mar13 25:02m  0.04s  0.00s login -- integ
root     pts/10   v-069090a.punin. 12Apr13  7days  0.66s  0.03s bash
integ    pts/11   v-069090a.punin. 15Apr13  4days 10:02m  7.16s sshd: integ [priv]
root     pts/12   172.31.48.15     16:18    0.00s  0.03s  0.03s -bash

I am assuming there is no limit of connections from a user to server using ssh.Also,output of /etc/passwd for " integ" user is::
cat /etc/passwd|grep -i integ
integ:x:501:502::/home/integ:/bin/bash

cat /etc/group|grep -i integ
integ:x:1003:

Also, ssh -vvv output from remote system::

Code:
ssh -vvv integ@punsyncserv.vx.xx.com
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to punsyncserv.vx.xx.com [10.209.11.90] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-gro                                                                             up14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour12                                                                             8,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rij                                                                             ndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour12                                                                             8,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rij                                                                             ndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@open                                                                             ssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@open                                                                             ssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-g                                                                             roup-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour12                                                                             8,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rij                                                                             ndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour12                                                                             8,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rij                                                                             ndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160                                                                             ,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160                                                                             ,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 139/256
debug2: bits set: 502/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug2: no key of type 0 for host punsyncserv.vx.xx.com
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts2
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts2
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug2: no key of type 2 for host punsyncserv.vx.xx.com
The authenticity of host 'punsyncserv.vx.xx.com (10.209.11.90)' can't                                                                              be established.
RSA key fingerprint is 8f:ce:a5:24:13:34:34:1f:dc:9c:57:5b:09:15:2e:b2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'punsyncserv.vx.xx.com,10.209.11.90' (RSA)                                                                              to the list of known hosts.
debug2: bits set: 538/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/identity ((nil))
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 10.209.11.90.
debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug3: no such identity: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
integ@punsyncserv.vx.xx.com's password:
debug3: packet_send2: adding 64 (len 56 padlen 8 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.
integ@punsyncserv.vx.xx.com's password:
debug3: packet_send2: adding 64 (len 56 padlen 8 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.
integ@punsyncserv.vx.xx.com's password:
Can anyone help me troubleshoot this.

Thanks in advance.
Amit

Last edited by unSpawn; 05-21-2013 at 04:53 PM. Reason: //Added BB code tags
 
Old 05-21-2013, 06:52 PM   #2
minty33
Member
 
Registered: Aug 2012
Location: earth
Distribution: Mint Xfce, Korora Gnome3, Ubuntu Server NoGui,
Posts: 136

Rep: Reputation: 1
it seems like you don't have the appropriate key or if not using keys then you don't have a shadowpassword password on the computer your logging into. if you are using keys the users ssh key directory needs 700 permissions and obviously contain the key to be accessible, and the key itself plus the known_hosts files needs 600 permissions for you user be able to log in this way.
FYI. while i believe ppl on this forum to be trustworthy i would still advise against posting output that includes your username, ip adddress and port. you are 1 brute force from being compromised. even if using a key it is dangerous, unless that key also requires a strong passphrase it could be trouble.

Last edited by minty33; 05-21-2013 at 07:02 PM.
 
Old 05-21-2013, 08:10 PM   #3
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,289

Rep: Reputation: 2034Reputation: 2034Reputation: 2034Reputation: 2034Reputation: 2034Reputation: 2034Reputation: 2034Reputation: 2034Reputation: 2034Reputation: 2034Reputation: 2034
It could be ownerships/perms on key file/dir as above.
See also sshd_config restrictions such as Allow/Deny users/groups, address ranges etc http://www.openbsd.org/cgi-bin/man.c...nfig&sektion=5

Last edited by chrism01; 05-23-2013 at 12:01 AM. Reason: typo
 
Old 05-22-2013, 10:48 AM   #4
nowornever
LQ Newbie
 
Registered: Feb 2012
Posts: 4

Original Poster
Rep: Reputation: Disabled
Hi,few more settings which may be rquired.I am yet to find a solution::

cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted


ls -l /etc/shadow
----------. 1 root root 818 May 6 2011 /etc/shadow


ls -l /etc/passwd
-rw-r--r-- 1 root root 1452 May 20 15:22 /etc/passwd


cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth



cat /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so



cat password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid


above 3 files are located in /etc/pam.d/


This is a NIS client machine,so :::

ypcat passwd|grep integ
integ:McO2wI4wOYX1U:437:110::/home/integ:/bin/csh


ypmatch integ passwd
integ:McO2wI4wOYX1U:437:110::/home/integ:/bin/csh


getent passwd integ
integ:x:501:502::/home/integ:/bin/bash


Also,if i try to access cron of "integ" user:::"

crontab -u integ -l

Authentication service cannot retrieve authentication info
You (integ) are not allowed to access to (crontab) because of pam configuration.
You have mail in /var/spool/mail/root

Please suggest guys.

Thanks ,
Amit
 
Old 05-23-2013, 03:48 PM   #5
Habitual
Senior Member
 
Registered: Jan 2011
Distribution: Undecided
Posts: 3,471
Blog Entries: 6

Rep: Reputation: Disabled
Here's what I do:

bookmark http://www.linuxquestions.org/questi...erences-45261/

or just make a "new" key using:
Code:
ssh-keygen -f /home/$(whoami)/.ssh/my_key -t rsa -N '' -q
then copy /home/$(whoami)/.ssh/my_key.pub contents to /home/$user/.ssh/authorized_keys@remote host.
and on the remote host...
Code:
chmod 700 /home/$user/.ssh
chmod 600 /home/$user/.ssh/authorized_keys
Usage:
Code:
ssh -i /path/to/my_key user@host.com
If you already have a key, then you can use this recipe to verify.
I suspect directory and file perms also as Chrism01 has said.

Good Luck.

Last edited by Habitual; 05-23-2013 at 05:25 PM.
 
Old 05-28-2013, 10:39 AM   #6
PenguinWearsFedora
Member
 
Registered: Jul 2009
Distribution: Slackware-14
Posts: 52

Rep: Reputation: 1
Quote:
Originally Posted by nowornever View Post
Hi,few more settings which may be rquired.I am yet to find a solution::
.......

ls -l /etc/shadow
----------. 1 root root 818 May 6 2011 /etc/shadow

..............
The permission seems odd, mine is:
Code:
# ls -l /etc/shadow
-rw-r----- 1 root shadow 760 May 10 10:58 /etc/shadow
Do
Code:
# chmod 640 /etc/shadow
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] SSH by key for non-root user tquang Linux - Security 5 09-13-2012 09:27 AM
ssh without password -- non-root user Sanford Stein Linux - Newbie 18 03-31-2010 12:10 PM
SSH as user failed but root? romeo_tango Linux - Security 7 12-15-2009 04:47 AM
SSH root login from different user Seregwethrin Linux - Software 4 05-21-2009 02:54 PM


All times are GMT -5. The time now is 11:08 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration