This is my first post. I have been using Linux for some time, but at a newbie level (looking up commands online to get me through). Now, I have been given system administration responsibility at my research group lab. Following is the problem I am facing:
One of the machines in the lab is only allowing root to log in; none of the other users can log in. All the machines have CentOS 5 installed on them except this particular machine (it has CentOS 6). I don't think this is the reason though, because there was no problem for 2-3 months since CentOS 6 was installed.
Following is what I get with ssh -v:
Code:
#ssh -V username@fakeserver
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to fakeserver [1**.***.***.***] port 22.
debug1: Connection established.
debug1: identity file /home/username/.ssh/identity type -1
debug1: identity file /home/username/.ssh/id_rsa type -1
debug1: identity file /home/username/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'fakeserver' is known and matches the RSA host key.
debug1: Found key in /home/username/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found
debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found
debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found
debug1: Next authentication method: publickey
debug1: Trying private key: /home/username/.ssh/identity
debug1: Trying private key: /home/username/.ssh/id_rsa
debug1: Trying private key: /home/username/.ssh/id_dsa
debug1: Next authentication method: password
# username@fakeserver's password:
# Connection closed by 1**.***.***.***
I think the machine is able to authenticate the user, but is then closing the connection.
host=accesshost user=username
Jan 14 16:30:18 fakeserver sshd[11311]: pam_krb5[11311]: error reading keytab 'FILE:/etc/krb5.keytab'
Jan 14 16:30:18 fakeserver sshd[11311]: pam_krb5[11311]: TGT verified
Jan 14 16:30:18 fakeserver sshd[11311]: pam_krb5[11311]: authentication succeeds for 'accesshost' (username@server)
Jan 14 16:30:20 fakeserver sshd[11311]: pam_access(sshd:account): access denied for user `username' from `accesshost'
Jan 14 16:30:20 fakeserver sshd[11311]: Failed password for username from 1**.***.***.*** port 44008 ssh2
Jan 14 16:30:20 fakeserver sshd[11314]: fatal: Access denied for user yss107 by PAM account configuration
Hello YSS,
I have just checked my /etc/ssh/sshd_config as I recall a while back I had a similar problem as yours - I simply commented out the following lines, thus
1. I am assuming that when you generated the key files you were prompted to create a password? / When ssh'ing you were prompted for the password?
2. When running the ssh -v check the contents of /var/log/secure
3. Running ssh -vvv rather than simply ssh -v should provide you with more verbose output and may give more clues... Try this and then check the log file in step 2.
Rawcous!
Rawcous,
Yes, I was prompted for password when I was ssh'ing.
There is some more output with ssh -vvv
Code:
username@fakeserver's password:
debug3: packet_send2: adding 64 (len 60 padlen 4 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug3: Wrote 144 bytes for a total of 1253
Connection closed by 1**.***.***.***
The log remains the same for ssh -v and ssh -vvv.
The last two log entries (one with ssh -v and the other with ssh -vvv) are as follows:
Code:
Jan 14 17:48:38 fakeserver sshd[4464]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=accesshost user=username
Jan 14 17:48:38 fakeserver sshd[4464]: pam_krb5[4464]: error reading keytab 'FILE:/etc/krb5.keytab'
Jan 14 17:48:38 fakeserver sshd[4464]: pam_krb5[4464]: TGT verified
Jan 14 17:48:38 fakeserver sshd[4464]: pam_krb5[4464]: authentication succeeds for 'username' (username@server)
Jan 14 17:48:39 fakeserver sshd[4464]: pam_access(sshd:account): access denied for user `username' from `accesshost'
Jan 14 17:48:39 fakeserver sshd[4464]: Failed password for username from 1**.***.***.*** port 38086 ssh2
Jan 14 17:48:39 fakeserver sshd[4465]: fatal: Access denied for user username by PAM account configuration
Jan 14 17:49:03 fakeserver sshd[4475]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=accesshost user=username
Jan 14 17:49:03 fakeserver sshd[4475]: pam_krb5[4475]: error reading keytab 'FILE:/etc/krb5.keytab'
Jan 14 17:49:03 fakeserver sshd[4475]: pam_krb5[4475]: TGT verified
Jan 14 17:49:03 fakeserver sshd[4475]: pam_krb5[4475]: authentication succeeds for 'username' (user@server)
Jan 14 17:49:03 fakeserver sshd[4475]: pam_access(sshd:account): access denied for user `username' from `accesshost'
Jan 14 17:49:03 fakeserver sshd[4475]: Failed password for username from 1**.***.***.*** port 38088 ssh2
Jan 14 17:49:03 fakeserver sshd[4476]: fatal: Access denied for user username by PAM account configuration
My Slackware system doesn't use pam so I may be reading this wrong, but my interpretation of your error msgs is that you have not set up pam to authenticate 'user@1**.***.***.***' with a password. (Also, FYI, you've exposed one of your usernames in your post.)
YSS, you did not specify what kind of authentication you are using. The fact that root can login means local authentication is working. The krb5 error suggests your machines are set up to use Kerberos authentication, possibly from a Microsoft Active Directory server. The PAM authentication files are under /etc/pam.d, so check those files and compare to your other servers. If this is the case, you need to check the contents of the /etc/krb5.keytab file on the affected server, and compare that to the other servers where authentication is working. You may need to re-generate the keytab file for that server.
I replaced the gdm and sshd files with the other server. This solved the problem. Thank you all for the help.
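The log excerpts in this thread show pam_krb5 accepting the password and pam_access then refusing the login in the account phase. The shell function below is an added example, not part of any post in the thread, that sorts /var/log/secure lines by PAM phase; the function names pam_triage and sample_log are hypothetical and the sample lines are constructed from the log quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): summarise sshd PAM results per PID.

# Constructed sample input, modelled on the log lines quoted in the thread.
sample_log() {
  cat <<'EOF'
Jan 14 17:48:38 fakeserver sshd[4464]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=accesshost user=username
Jan 14 17:48:38 fakeserver sshd[4464]: pam_krb5[4464]: error reading keytab 'FILE:/etc/krb5.keytab'
Jan 14 17:48:38 fakeserver sshd[4464]: pam_krb5[4464]: authentication succeeds for 'username' (username@server)
Jan 14 17:48:39 fakeserver sshd[4464]: pam_access(sshd:account): access denied for user `username' from `accesshost'
Jan 14 17:48:39 fakeserver sshd[4465]: fatal: Access denied for user username by PAM account configuration
Jan 14 17:50:00 fakeserver sshd[4500]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=accesshost user=other
EOF
}

# Reads syslog lines on stdin; prints one line per sshd PID that logged a PAM
# auth or account result. The "fatal:" line comes from a separate sshd PID and
# names no module, so it is not reported on its own.
pam_triage() {
  awk '
    {
      if (!match($0, /sshd\[[0-9]+\]/)) next
      pid = substr($0, RSTART + 5, RLENGTH - 6)
      if (!(pid in seen)) { seen[pid] = 1; order[++n] = pid }
    }
    # auth phase: one failing module (pam_unix) is not final if a later
    # module in the stack (pam_krb5) accepts the password.
    /pam_[a-z0-9_]+\(sshd:auth\): authentication failure/ {
      if (auth[pid] == "") auth[pid] = "failed"
    }
    /pam_[a-z0-9_]+\[[0-9]+\]: authentication succeeds/ { auth[pid] = "ok" }
    /pam_krb5.*error reading keytab/ { note[pid] = " keytab_error=seen" }
    # account phase: record which module refused the login.
    /pam_[a-z0-9_]+\(sshd:account\): access denied/ {
      match($0, /pam_[a-z0-9_]+\(sshd:account\)/)
      rest = substr($0, RSTART)
      acct[pid] = "denied(" substr(rest, 1, index(rest, "(") - 1) ")"
    }
    END {
      for (i = 1; i <= n; i++) {
        p = order[i]
        if (auth[p] == "" && acct[p] == "") continue
        a = (auth[p] != "" ? auth[p] : "unknown")
        c = (acct[p] != "" ? acct[p] : "none")
        printf "pid=%s auth=%s account=%s%s\n", p, a, c, note[p]
      }
    }'
}

sample_log | pam_triage
```

On a real host, run it as `pam_triage < /var/log/secure`. A result of `auth=ok account=denied(pam_access)` points at the account lines in /etc/pam.d/sshd and at pam_access's rules file (by default /etc/security/access.conf), not at the password or the keytab.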