LinuxQuestions.org
Old 02-16-2011, 10:16 PM   #1
Aaron.D
LQ Newbie
 
Registered: Feb 2011
Posts: 3

Rep: Reputation: 0
sshd with sssd help needed


I hope that this is the correct forum to post this question.

I've configured sssd for ldap/kerberos authentication on an RHEL6 machine. This is working fine when a user authenticates to tty but when attempting to authenticate through ssh I just get an "Access Denied." However, local accounts can login and authenticate through ssh. Also, getent passwd account name returns the proper values from the ldap server.

I believe that the issue is when the sshd calls PAM for authentication but can't seem to find where the breakdown is occurring? And yes, I did make sure that /etc/ssh/sshd_config has UsePAM set to yes.

I've looked through all the logs and don't see anything obvious. Has anyone seen this or does anyone have any suggestions on where to look?

Thank you in advance.

-Aaron
 
Old 02-17-2011, 04:12 AM   #2
thegeek
Member
 
Registered: Oct 2009
Location: Amsterdam
Distribution: CentOS,Fedora,Puppy
Posts: 62

Rep: Reputation: 20
ssh -vvvv to be very verbose should give you more information
 
1 members found this post helpful.
Old 02-17-2011, 06:23 PM   #3
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian PPC/i386/AMD64 6/7, Vista, XP , WIN7, Server 03/08
Posts: 1,287

Rep: Reputation: 97
There aren't any restrictions on who can log in in the configuration, are there? If you disable local account authentication and only have PAM, can you log in then with an LDAP account?
 
Old 02-18-2011, 10:41 AM   #4
Aaron.D
LQ Newbie
 
Registered: Feb 2011
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks for the reply scheidel21.

There aren't any restrictions on who can log in that I'm aware of through sshd... where would I check other than the /etc/ssh/sshd.conf file?

If I disable local authentication I can still log in to the console with the LDAP users but can't log in through SSH.

@thegeek
Thanks for the reply... I've tried connecting with ssh -vvvvv and there isn't anything obvious shown. The LDAP lookup seems to occur and find the account, but the password comes back as incorrect and access is denied.

-Aaron
 
Old 02-18-2011, 09:17 PM   #5
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian PPC/i386/AMD64 6/7, Vista, XP , WIN7, Server 03/08
Posts: 1,287

Rep: Reputation: 97
Is the LDAP authentication for Active Directory in a Windows environment?
 
Old 03-07-2011, 08:27 PM   #6
sgallagh
LQ Newbie
 
Registered: Mar 2011
Posts: 26

Rep: Reputation: 12
There are a couple of things you should check. The first would be to examine /var/log/secure for activity while attempting to log in via SSH as an LDAP user. This will tell you if you're getting denied by pam_sss.so (or if pam_sss.so is returning an internal error).

If you're getting a denial or error from pam_sss.so, you probably want to turn on debug logging in /etc/sssd/sssd.conf by setting 'debug_level = 6' in the [domain/<domainname>] section. This will log to /var/log/sssd/sssd_<domainname>.log. Check this output for any problems (you can turn the debug level up to as high as 9, but it gets noisy).

Also, when you said logging into tty works, did you mean that literally, or did you mean GDM? If the latter, you may need to check whether /etc/pam.d/system-auth AND /etc/pam.d/password-auth mention pam_sss.so.

If this doesn't help, or your look at the logs turns up an issue, please subscribe to https://fedorahosted.org/mailman/listinfo/sssd-devel and ask for help there.

--
Stephen Gallagher
Lead Developer, System Security Services Daemon
 
Old 03-10-2011, 11:00 AM   #7
Aaron.D
LQ Newbie
 
Registered: Feb 2011
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks for the replies.

Yes, the backend LDAP server is a Windows AD server.

I had looked through all of the /var/log/secure entries and /var/log/sssd entries, but didn't find anything useful in there to indicate where the issue was.

The issue ended up being that I was unaware RHEL6 doesn't only use /etc/pam.d/system-auth-ac but also /etc/pam.d/password-auth-ac for the ssh connection. Once I added the pam_sss.so entries into password-auth-ac the authentication worked both on the console and also remotely through SSH.

This thread can be closed.

Thanks,

Aaron
 
Old 11-15-2012, 11:52 PM   #8
R09u3Bull
LQ Newbie
 
Registered: Nov 2012
Posts: 15

Rep: Reputation: Disabled
Hi Aaron, Stephen,
I am facing the same issue. But I can't get any output on the getent command. I have my ldap searches working fine. Followed all steps in the Red Hat ref arch guide regarding SSSD/Kerberos/LDAP setup.

This is the entry in /var/log/secure:

Code:
Nov 15 23:31:38 ip-10-0-5-51 sshd[12410]: Invalid user test_user from 10.0.5.51
Nov 15 23:31:38 ip-10-0-5-51 sshd[12411]: input_userauth_request: invalid user test_user
Nov 15 23:31:43 ip-10-0-5-51 sshd[12410]: pam_unix(sshd:auth): check pass; user unknown
Nov 15 23:31:43 ip-10-0-5-51 sshd[12410]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.5.51 
Nov 15 23:31:43 ip-10-0-5-51 sshd[12410]: pam_succeed_if(sshd:auth): error retrieving information about user test_user
Nov 15 23:31:45 ip-10-0-5-51 sshd[12410]: Failed password for invalid user test_user from 10.0.5.51 port 41190 ssh2
Nov 15 23:31:48 ip-10-0-5-51 sshd[12411]: Connection closed by 10.0.5.51
Nov 15 23:31:59 ip-10-0-5-51 sshd[12414]: Invalid user test1 from 10.0.5.51
Nov 15 23:31:59 ip-10-0-5-51 sshd[12415]: input_userauth_request: invalid user test1
Nov 15 23:32:03 ip-10-0-5-51 sshd[12414]: pam_unix(sshd:auth): check pass; user unknown
Nov 15 23:32:03 ip-10-0-5-51 sshd[12414]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.5.51 
Nov 15 23:32:03 ip-10-0-5-51 sshd[12414]: pam_succeed_if(sshd:auth): error retrieving information about user test1
Nov 15 23:32:05 ip-10-0-5-51 sshd[12414]: Failed password for invalid user test1 from 10.0.5.51 port 41192 ssh2
Nov 15 23:32:07 ip-10-0-5-51 sshd[12415]: Connection closed by 10.0.5.51

Can anybody help getting a valid output on the getent command?
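The following is an added diagnostic script, not code posted in this thread or shipped by SSSD. It wraps the checks Stephen suggests in post #6, the fix Aaron applied in post #7 (RHEL6 consults /etc/pam.d/system-auth for console logins but /etc/pam.d/password-auth for sshd, so pam_sss.so must be in both), and the log pattern from post #8. The PAM directory and log path are parameters, and the script builds its own constructed sample files modelled on RHEL6 authconfig output and on the excerpt in post #8, so it runs without touching a real system; the file names, the sample host name and the user jdoe are assumptions for the example only.

```shell
#!/bin/sh
# Added example (not from the thread): checks whether each PAM stack sshd and
# the console use names pam_sss.so, counts the tell-tale /var/log/secure lines,
# and applies the password-auth fix from post #7. Paths are parameters so the
# functions can be exercised against the constructed fixture below.

# check_pam_sss DIR: reports whether each stack names pam_sss.so on a
# non-comment line; returns 0 only when both do.
check_pam_sss() {
    dir="$1"
    rc=0
    for stack in system-auth password-auth; do
        f="$dir/$stack"
        if [ ! -r "$f" ]; then
            echo "$stack: file missing"
            rc=1
        elif grep -Eq '^[^#]*pam_sss\.so' "$f"; then
            echo "$stack: pam_sss.so present"
        else
            echo "$stack: pam_sss.so ABSENT"
            rc=1
        fi
    done
    return "$rc"
}

# count_invalid_users LOG: 'Invalid user' lines mean sshd could not resolve
# the name at all (the NSS lookup via sssd failed), the symptom in post #8
# where getent also returns nothing.
count_invalid_users() {
    grep -c 'sshd\[[0-9]*\]: Invalid user ' "$1" || true
}

# count_sss_failures LOG: lines where pam_sss itself rejected the password,
# i.e. the name resolved but sssd's authentication step failed (post #4).
count_sss_failures() {
    grep -c 'pam_sss(sshd:auth): authentication failure' "$1" || true
}

# make_fixture DIR: writes constructed sample files (not real system data)
# modelled on RHEL6 authconfig output and on the log excerpt in post #8.
make_fixture() {
    dir="$1"
    mkdir -p "$dir/pam.d"
    cat > "$dir/pam.d/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
EOF
    # The broken state from post #7: password-auth never updated, so sshd
    # never consults sssd (the commented line must not count as present).
    cat > "$dir/pam.d/password-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
#auth       sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
EOF
    cat > "$dir/secure" <<'EOF'
Nov 15 23:31:38 host sshd[12410]: Invalid user test_user from 10.0.5.51
Nov 15 23:31:43 host sshd[12410]: pam_unix(sshd:auth): check pass; user unknown
Nov 15 23:31:59 host sshd[12414]: Invalid user test1 from 10.0.5.51
Nov 15 23:32:10 host sshd[12420]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.5.51 user=jdoe
Nov 15 23:32:10 host sshd[12420]: pam_sss(sshd:auth): received for user jdoe: 7 (Authentication failure)
EOF
}

# fix_password_auth DIR: inserts the pam_sss.so auth line ahead of pam_deny.so
# in password-auth, the change Aaron made by hand in post #7. Idempotent.
fix_password_auth() {
    f="$1/password-auth"
    grep -Eq '^[^#]*pam_sss\.so' "$f" && return 0
    tmp="$f.tmp"
    awk '/^auth[[:space:]]+required[[:space:]]+pam_deny\.so/ {
            print "auth        sufficient    pam_sss.so use_first_pass"
         } { print }' "$f" > "$tmp" && mv "$tmp" "$f"
}

# Stand-alone demonstration against the constructed fixture: ./script.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_fixture "$work"
    check_pam_sss "$work/pam.d" || echo "-> sshd logins will fail for sssd users"
    fix_password_auth "$work/pam.d"
    check_pam_sss "$work/pam.d"
    echo "invalid-user lines: $(count_invalid_users "$work/secure")"
    echo "pam_sss failures:   $(count_sss_failures "$work/secure")"
    rm -rf "$work"
fi
```

On a live RHEL6 box the same functions would be pointed at /etc/pam.d and /var/log/secure; note that authconfig writes system-auth-ac and password-auth-ac and symlinks the un-suffixed names to them, so edit the -ac files (as Aaron did) or authconfig will overwrite the change on its next run. A high "Invalid user" count with nothing from pam_sss points at name resolution (nsswitch.conf, the sssd domain lookup), whereas pam_sss failures for a resolved name point at the authentication provider.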