LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (http://www.linuxquestions.org/questions/linux-server-73/)
-   -   sshd with sssd help needed (http://www.linuxquestions.org/questions/linux-server-73/sshd-with-sssd-help-needed-863201/)

Aaron.D 02-16-2011 10:16 PM

sshd with sssd help needed
 
I hope that this is the correct forum to post this question.

I've configured sssd for ldap/kerberos authentication on an RHEL6 machine. This is working fine when a user authenticates to tty but when attempting to authenticate through ssh I just get an "Access Denied." However, local accounts can login and authenticate through ssh. Also, getent passwd account name returns the proper values from the ldap server.

I believe that the issue is when the sshd calls PAM for authentication but can't seem to find where the breakdown is occurring? And yes, I did make sure that /etc/ssh/sshd_config has UsePAM set to yes.

I've looked through all the logs and don't see anything obvious. Has anyone seen this or does anyone have any suggestions on where to look?

Thank you in advance.

-Aaron

thegeek 02-17-2011 04:12 AM

ssh -vvvv to be very verbose should give you more information

scheidel21 02-17-2011 06:23 PM

There aren't any restrictions on who can log in in the configuration is there? If you disable local account authentication and only have PAM can you log in then with an LDAP account.

Aaron.D 02-18-2011 10:41 AM

Thanks for the reply scheidel21.

There aren't any restrictions on who can log in that I'm aware of through sshd... where would I check other than the /etc/ssh/sshd.conf file?

If I disable local authentication I can still log in to the console with the LDAP users but can't log in through SSH.

@thegeek
Thanks for the reply... I've tried connecting with ssh -vvvvv and there isn't anything obvious shown. The LDAP look up seems to occur and find the account but the password comes back as incorrect and access is denied.

-Aaron

scheidel21 02-18-2011 09:17 PM

Is the LDAP authentication for Active Directory in a Windows environment?

sgallagh 03-07-2011 08:27 PM

There are a couple things you should check. The first would be to examine /var/log/secure for activity while attempting to log in via SSH to an LDAP user. This will tell you if you're getting denied by pam_sss.so (or if pam_sss.so is returning an internal error).

If you're getting a denial or error from pam_sss.so, you probably want to turn on debug logging in /etc/sssd/sssd.conf by setting 'debug_level = 6' in the [domain/<domainname>] section. This will log to /var/log/sssd/sssd_<domainname>.log. Check this output for any problems (you can turn the debug level up to as high as 9, but it gets noisy).

Also, when you said logging into tty works, did you mean that literally, or did you mean GDM? If the latter, you may need to check whether /etc/pam.d/system-auth AND /etc/pam.d/password-auth mentions pam_sss.so.

If this doesn't help, or your look at the logs turns up an issue, please subscribe to https://fedorahosted.org/mailman/listinfo/sssd-devel and ask for help there.

--
Stephen Gallagher
Lead Developer, System Security Services Daemon

Aaron.D 03-10-2011 11:00 AM

Thanks for the replies.

Yes, the backend LDAP server is a Windows AD server.

I had looked through all of the /var/log/secure entries and /var/log/sssd entries, but did find anything useful in there to indicate where the issue was.

The issue ended up being that I was unaware RHEL6 doesn't only use /etc/pam.d/system-auth-ac but also /etc/pam.d/password-auth-ac for the ssh connection. Once I added the pam_sss.so entries into password-auth-ac the authentication worked both on the console and also remotely through SSH.

This thread can be closed.

Thanks,

Aaron

R09u3Bull 11-15-2012 11:52 PM

Hi Aaron,Stephen
I am facing the same issue. But I cant get any output on the getent command. I have my ldap searches working fine. Followed all steps in the Red Hat ref arch guide regarding SSSD/Kerberos/LDAP setup.

This is the entry in the var/log/secure :

Code:

Nov 15 23:31:38 ip-10-0-5-51 sshd[12410]: Invalid user test_user from 10.0.5.51
Nov 15 23:31:38 ip-10-0-5-51 sshd[12411]: input_userauth_request: invalid user test_user
Nov 15 23:31:43 ip-10-0-5-51 sshd[12410]: pam_unix(sshd:auth): check pass; user unknown
Nov 15 23:31:43 ip-10-0-5-51 sshd[12410]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.5.51
Nov 15 23:31:43 ip-10-0-5-51 sshd[12410]: pam_succeed_if(sshd:auth): error retrieving information about user test_user
Nov 15 23:31:45 ip-10-0-5-51 sshd[12410]: Failed password for invalid user test_user from 10.0.5.51 port 41190 ssh2
Nov 15 23:31:48 ip-10-0-5-51 sshd[12411]: Connection closed by 10.0.5.51
Nov 15 23:31:59 ip-10-0-5-51 sshd[12414]: Invalid user test1 from 10.0.5.51
Nov 15 23:31:59 ip-10-0-5-51 sshd[12415]: input_userauth_request: invalid user test1
Nov 15 23:32:03 ip-10-0-5-51 sshd[12414]: pam_unix(sshd:auth): check pass; user unknown
Nov 15 23:32:03 ip-10-0-5-51 sshd[12414]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.5.51
Nov 15 23:32:03 ip-10-0-5-51 sshd[12414]: pam_succeed_if(sshd:auth): error retrieving information about user test1
Nov 15 23:32:05 ip-10-0-5-51 sshd[12414]: Failed password for invalid user test1 from 10.0.5.51 port 41192 ssh2
Nov 15 23:32:07 ip-10-0-5-51 sshd[12415]: Connection closed by 10.0.5.51


Can anybody help getting a valid ouptut on the getent command ?


All times are GMT -5. The time now is 02:43 PM.