LinuxQuestions.org


shyl 09-15-2010 03:02 AM

LDAP User Unable to Login via SSH
 
Hi there,
My case is that the connected LDAP user could not log in via SSH. This user could log in on the system console, and all the other users could log in via ssh. I was wondering whether anyone could suggest which place to check next. Here are the details:
I was using SUSE 11.3 when I met this error. The PAM module is used, and the corresponding files in /etc/pam.d/ have all been updated. Here is what I've added:

Code:

yl-1:/etc/pam.d # fgrep ldap *pc
common-account-pc:account    [default=bad success=ok user_unknown=ignore] pam_ldap.so
common-auth-pc:auth    sufficient      pam_ldap.so    use_first_pass
common-password-pc:password    sufficient    pam_ldap.so use_authtok
common-session-pc:session    optional      pam_ldap.so

And here is what I've found in /var/log/messages:

Code:

Sep 15 15:03:06 yl-1 sshd[8252]: error: PAM: Permission denied for Admin_333333 from 192.168.99.27

evo2 09-15-2010 03:18 AM

Have you checked your sshd_config? For example:
Code:

grep UsePAM /etc/ssh/sshd_config

Another thing to do would be to temporarily run sshd in debug mode (sshd -d) and try to ssh in as that user. You should then get much more information than the single log line you posted.

Cheers,

Evo2.

shyl 09-15-2010 09:33 PM

Hi Evo2,
The result returned from

Code:

grep UsePAM /etc/ssh/sshd_config

is

Code:

UsePAM yes

And your suggestion of running sshd with the -d option does produce something, but it is quite beyond my knowledge. :-( Can anyone interpret this? The user admin_333333 is supposed to be the one retrieved from the LDAP server.

Code:

debug2: input_userauth_request: try method none
debug3: monitor_read: checking request 45
debug1: PAM: initializing for "admin_333333"
debug1: PAM: setting PAM_RHOST to "192.168.99.27"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 45 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug1: userauth-request for user admin_333333 service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=admin_333333 devs=
debug1: kbdint_alloc: devices 'pam'
debug2: auth2_challenge_start: devices pam
debug2: kbdint_next_device: devices <empty>
debug1: auth2_challenge_start: trying authentication method 'pam'
debug3: mm_sshpam_init_ctx
debug3: mm_request_send entering: type 48
debug3: mm_sshpam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX
debug3: mm_request_receive_expect entering: type 49
debug3: mm_request_receive entering
debug3: monitor_read: checking request 48
debug3: mm_answer_pam_init_ctx
debug3: PAM: sshpam_init_ctx entering
debug3: mm_request_send entering: type 49
debug3: mm_request_receive entering
debug3: mm_sshpam_query
debug3: mm_request_send entering: type 50
debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY
debug3: mm_request_receive_expect entering: type 51
debug3: mm_request_receive entering
debug3: monitor_read: checking request 50
debug3: mm_answer_pam_query
debug3: PAM: sshpam_query entering
debug3: ssh_msg_recv entering
debug3: PAM: sshpam_thread_conv entering, 1 messages
debug3: ssh_msg_send: type 1
debug3: ssh_msg_recv entering
debug3: mm_request_send entering: type 51
debug3: mm_request_receive entering
debug3: mm_sshpam_query: pam_query returned 0
Postponed keyboard-interactive for admin_333333 from 192.168.99.27 port 65421 ssh2
debug3: mm_sshpam_respond
debug3: mm_request_send entering: type 52
debug3: mm_sshpam_respond: waiting for MONITOR_ANS_PAM_RESPOND
debug3: mm_request_receive_expect entering: type 53
debug3: mm_request_receive entering
debug3: monitor_read: checking request 52
debug3: mm_answer_pam_respond
debug2: PAM: sshpam_respond entering, 1 responses
debug3: ssh_msg_send: type 6
debug3: mm_request_send entering: type 53
debug3: mm_request_receive entering
debug3: mm_sshpam_respond: pam_respond returned 1
debug3: mm_sshpam_query
debug3: mm_request_send entering: type 50
debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY
debug3: mm_request_receive_expect entering: type 51
debug3: mm_request_receive entering
debug3: monitor_read: checking request 50
debug3: mm_answer_pam_query
debug3: PAM: sshpam_query entering
debug3: ssh_msg_recv entering
debug3: ssh_msg_send: type 7
debug3: PAM: Authentication failure
PAM: Permission denied for admin_333333 from 192.168.99.27
debug3: mm_request_send entering: type 51
debug3: mm_request_receive entering
debug3: mm_sshpam_query: pam_query returned -1
debug2: auth2_challenge_start: devices <empty>
debug3: mm_sshpam_free_ctx
debug3: mm_request_send entering: type 54
debug3: mm_sshpam_free_ctx: waiting for MONITOR_ANS_PAM_FREE_CTX
debug3: mm_request_receive_expect entering: type 55
debug3: mm_request_receive entering
debug3: monitor_read: checking request 54
debug3: mm_answer_pam_free_ctx
debug3: PAM: sshpam_free_ctx entering
debug3: PAM: sshpam_thread_cleanup entering
debug3: mm_request_send entering: type 55
debug2: monitor_read: 54 used once, disabling now
Failed keyboard-interactive/pam for admin_333333 from 192.168.99.27 port 65421 ssh2


evo2 09-15-2010 09:48 PM

Hi,

A line of interest in the sshd output is:
Quote:

debug3: PAM: Authentication failure

So it seems that PAM authentication is enabled but failing for some reason.

While I do have some experience debugging ssh auth failures, I don't have specific experience with pam/ldap configuration.

A quick google on the topic provided the following (here at lq):

http://wiki.linuxquestions.org/wiki/Pam_ldap

Perhaps you could check to make sure your configuration is consistent with what is described there.

HTH,

Evo2.
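The three checks raised in this thread (UsePAM in sshd_config, pam_ldap.so in the common-*-pc files, and reading an sshd -d run), as an added shell example that is not from the thread or from any LinuxQuestions wiki page. The sample log is constructed from the lines posted above; every path is passed in as an argument rather than assumed.

```shell
#!/bin/sh
# Added example: summarise an "sshd -d" run and check the PAM/LDAP config points.
# Sample log constructed from the lines shyl posted (not a real capture).
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
debug1: PAM: initializing for "admin_333333"
debug1: PAM: setting PAM_RHOST to "192.168.99.27"
debug1: userauth-request for user admin_333333 service ssh-connection method keyboard-interactive
debug3: PAM: Authentication failure
PAM: Permission denied for admin_333333 from 192.168.99.27
Failed keyboard-interactive/pam for admin_333333 from 192.168.99.27 port 65421 ssh2
EOF

# One line per run: user, remote host, auth method tried, PAM verdict.
# $1 is a file holding sshd -d output.
pam_summary() {
    user=$(sed -n 's/^debug1: PAM: initializing for "\(.*\)"$/\1/p' "$1" | head -n 1)
    rhost=$(sed -n 's/^debug1: PAM: setting PAM_RHOST to "\(.*\)"$/\1/p' "$1" | head -n 1)
    method=$(sed -n 's/^Failed \([^ ]*\) for .*/\1/p' "$1" | head -n 1)
    if grep -q '^debug3: PAM: Authentication failure' "$1"; then
        verdict=failed
    else
        verdict=ok
    fi
    printf '%s %s %s %s\n' "$user" "$rhost" "$method" "$verdict"
}

# Does sshd hand authentication to PAM at all? Ignores commented-out lines.
# $1 is the sshd_config file; prints "yes" or "no".
usepam_enabled() {
    if grep -Eiq '^[[:space:]]*UsePAM[[:space:]]+yes' "$1"; then
        echo yes
    else
        echo no
    fi
}

# List the common-*-pc files under a pam.d directory ($1) that do not
# reference pam_ldap.so; a missing file counts as missing the module.
missing_pam_ldap() {
    for f in "$1"/common-account-pc "$1"/common-auth-pc \
             "$1"/common-password-pc "$1"/common-session-pc; do
        [ -f "$f" ] && grep -q 'pam_ldap\.so' "$f" || printf '%s\n' "$f"
    done
}

pam_summary "$SAMPLE_LOG"
```

On the posted capture it prints `admin_333333 192.168.99.27 keyboard-interactive/pam failed`, which is the same verdict as the single line in /var/log/messages but with the method that was tried.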

shyl 09-16-2010 03:10 AM

Thank you Evo2. I created another VM and followed the steps instructed by http://wiki.linuxquestions.org/wiki/Pam_ldap, and now this AD user is able to log in with SSH. Guess there must be something wrong in my original /etc folder, but I just cannot tell where.

Lei
