Old 09-15-2010, 03:02 AM   #1
shyl
LQ Newbie
 
Registered: Jun 2010
Posts: 3

Rep: Reputation: 0
LDAP User Unable to Login via SSH


Hi there,
My case is that the connected LDAP user could not log in via SSH. This user could log in at the system console, and all the other users could log in via SSH. I was wondering whether anyone could suggest which place to check next. Here are the details:
I was using SUSE 11.3 when I met this error. PAM module is used, and the corresponding files in /etc/pam.d/ have all been updated. Here is what I've added:

Code:
yl-1:/etc/pam.d # fgrep ldap *pc
common-account-pc:account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
common-auth-pc:auth     sufficient      pam_ldap.so     use_first_pass
common-password-pc:password    sufficient    pam_ldap.so use_authtok
common-session-pc:session     optional      pam_ldap.so
And here is what I've found in /var/log/message

Code:
Sep 15 15:03:06 yl-1 sshd[8252]: error: PAM: Permission denied for Admin_333333 from 192.168.99.27
 
Old 09-15-2010, 03:18 AM   #2
evo2
LQ Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Mostly Debian and CentOS
Posts: 6,695

Rep: Reputation: 1698
Have you checked your sshd_config? For example:
Code:
grep UsePAM /etc/ssh/sshd_config
Another thing to do would be temporarily run sshd in debug mode (sshd -d) and try to ssh in as that user. You should then get much more information than the single log line you posted.

Cheers,

Evo2.
 
Old 09-15-2010, 09:33 PM   #3
shyl
LQ Newbie
 
Registered: Jun 2010
Posts: 3

Original Poster
Rep: Reputation: 0
Hi Evo2,
The result returned from

Code:
grep UsePAM /etc/ssh/sshd_config
is

Code:
UsePAM yes
And your suggestion of running sshd with the -d option does produce something, but it is quite beyond my knowledge. :-( Can anyone interpret this? The user admin_333333 is supposed to be the one retrieved from the LDAP server.

Code:
debug2: input_userauth_request: try method none
debug3: monitor_read: checking request 45
debug1: PAM: initializing for "admin_333333"
debug1: PAM: setting PAM_RHOST to "192.168.99.27"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 45 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug1: userauth-request for user admin_333333 service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=admin_333333 devs=
debug1: kbdint_alloc: devices 'pam'
debug2: auth2_challenge_start: devices pam
debug2: kbdint_next_device: devices <empty>
debug1: auth2_challenge_start: trying authentication method 'pam'
debug3: mm_sshpam_init_ctx
debug3: mm_request_send entering: type 48
debug3: mm_sshpam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX
debug3: mm_request_receive_expect entering: type 49
debug3: mm_request_receive entering
debug3: monitor_read: checking request 48
debug3: mm_answer_pam_init_ctx
debug3: PAM: sshpam_init_ctx entering
debug3: mm_request_send entering: type 49
debug3: mm_request_receive entering
debug3: mm_sshpam_query
debug3: mm_request_send entering: type 50
debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY
debug3: mm_request_receive_expect entering: type 51
debug3: mm_request_receive entering
debug3: monitor_read: checking request 50
debug3: mm_answer_pam_query
debug3: PAM: sshpam_query entering
debug3: ssh_msg_recv entering
debug3: PAM: sshpam_thread_conv entering, 1 messages
debug3: ssh_msg_send: type 1
debug3: ssh_msg_recv entering
debug3: mm_request_send entering: type 51
debug3: mm_request_receive entering
debug3: mm_sshpam_query: pam_query returned 0
Postponed keyboard-interactive for admin_333333 from 192.168.99.27 port 65421 ssh2
debug3: mm_sshpam_respond
debug3: mm_request_send entering: type 52
debug3: mm_sshpam_respond: waiting for MONITOR_ANS_PAM_RESPOND
debug3: mm_request_receive_expect entering: type 53
debug3: mm_request_receive entering
debug3: monitor_read: checking request 52
debug3: mm_answer_pam_respond
debug2: PAM: sshpam_respond entering, 1 responses
debug3: ssh_msg_send: type 6
debug3: mm_request_send entering: type 53
debug3: mm_request_receive entering
debug3: mm_sshpam_respond: pam_respond returned 1
debug3: mm_sshpam_query
debug3: mm_request_send entering: type 50
debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY
debug3: mm_request_receive_expect entering: type 51
debug3: mm_request_receive entering
debug3: monitor_read: checking request 50
debug3: mm_answer_pam_query
debug3: PAM: sshpam_query entering
debug3: ssh_msg_recv entering
debug3: ssh_msg_send: type 7
debug3: PAM: Authentication failure
PAM: Permission denied for admin_333333 from 192.168.99.27
debug3: mm_request_send entering: type 51
debug3: mm_request_receive entering
debug3: mm_sshpam_query: pam_query returned -1
debug2: auth2_challenge_start: devices <empty>
debug3: mm_sshpam_free_ctx
debug3: mm_request_send entering: type 54
debug3: mm_sshpam_free_ctx: waiting for MONITOR_ANS_PAM_FREE_CTX
debug3: mm_request_receive_expect entering: type 55
debug3: mm_request_receive entering
debug3: monitor_read: checking request 54
debug3: mm_answer_pam_free_ctx
debug3: PAM: sshpam_free_ctx entering
debug3: PAM: sshpam_thread_cleanup entering
debug3: mm_request_send entering: type 55
debug2: monitor_read: 54 used once, disabling now
Failed keyboard-interactive/pam for admin_333333 from 192.168.99.27 port 65421 ssh2
 
Old 09-15-2010, 09:48 PM   #4
evo2
LQ Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Mostly Debian and CentOS
Posts: 6,695

Rep: Reputation: 1698
Hi,

a line of interest in the sshd output is:
Quote:
debug3: PAM: Authentication failure
So it seems that the pam authentication is enabled but failing for some reason.

While I do have some experience debugging ssh auth failures, I don't have specific experience with pam/ldap configuration.

A quick google on the topic provided the following (here at lq):

http://wiki.linuxquestions.org/wiki/Pam_ldap

Perhaps you could check to make sure your configuration is consistent with what is described there.

HTH,

Evo2.
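
Added example, not part of any post in this thread: a small shell/awk filter that reduces an `sshd -d` transcript like the one above to the lines that matter when triaging a PAM failure. The function names and the shortened sample log are constructed for illustration; it reports both the debug-level PAM status and the status in the non-debug `PAM: ... for <user>` line, because the two differ in the output posted here.

```shell
#!/bin/sh
# Added example: summarise an `sshd -d` transcript for PAM triage.

# Constructed sample, shortened from the debug output posted in this thread.
sample_log() {
cat <<'EOF'
debug1: PAM: initializing for "admin_333333"
debug1: userauth-request for user admin_333333 service ssh-connection method keyboard-interactive
debug1: auth2_challenge_start: trying authentication method 'pam'
debug3: PAM: sshpam_query entering
debug3: PAM: Authentication failure
PAM: Permission denied for admin_333333 from 192.168.99.27
debug3: mm_sshpam_query: pam_query returned -1
Failed keyboard-interactive/pam for admin_333333 from 192.168.99.27 port 65421 ssh2
EOF
}

# Read a transcript on stdin and print one key=value line per finding,
# in the order sshd reported them.
summarise_sshd_debug() {
  awk '
    # Account name PAM was initialised for (quotes stripped).
    /PAM: initializing for/ { gsub(/"/, "", $NF); print "pam_user=" $NF; next }

    # Each userauth method the client requested.
    /userauth-request for user/ { print "method=" $NF; next }

    # PAM status text printed at debug level.
    /^debug[0-9]: PAM: .*(failure|denied|expired)/ {
      sub(/^debug[0-9]: PAM: /, ""); print "pam_debug=" $0; next
    }

    # Non-debug error line: "PAM: <status> for <user> from <host>".
    # Its status text can differ from the debug line, so keep both.
    /^PAM: .* for .* from / {
      s = $0; sub(/^PAM: /, "", s); sub(/ for .*/, "", s)
      print "pam_error=" s; next
    }

    # Final verdict for the method.
    /^(Accepted|Failed) / { print "result=" $1 " " $2 }
  '
}

# Run on the constructed sample; on a real host, pipe the saved
# `sshd -d` output into summarise_sshd_debug instead.
sample_log | summarise_sshd_debug
```
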
 
Old 09-16-2010, 03:10 AM   #6
shyl
LQ Newbie
 
Registered: Jun 2010
Posts: 3

Original Poster
Rep: Reputation: 0
Thank you Evo2. I created another VM and followed the steps instructed by http://wiki.linuxquestions.org/wiki/Pam_ldap and now this AD user is able to log in with SSH. Guess there must be something wrong in my original /etc folder, but I just cannot tell where.

Lei
