Old 11-10-2010, 05:52 PM   #1
PAM authorization failure when using OpenSSH key certificates

The problem I am having is an authorization verification failure when using OpenSSH CA-signed certificate key functionality from an internal Java application. I can get a successful connection using the same user and key files through terminal windows on the two nodes.

The environment is as follows:
Box 1 (client running the Java app)
- Centos 5.5 X86
- OpenSSH 5.6p1
- username "admin"
- directory admin/.ssh has id_rsa and

Box 2 (server running sshd)
- Centos 5.2 i386
- OpenSSH 5.6p1
- username "admin"
- directory admin/.ssh has authorized_keys (CA public key)

I believe the problem is in my PAM authorization configuration, since the connection works through terminal windows but not programmatically. Plus the audit log indicates this:

Java request:
type=USER_AUTH msg=audit(1289336781.338:47866): user pid=28699 uid=0 auid=0 msg='PAM: authentication acct="admin" : exe="/usr/local/ssh/sbin/sshd" (hostname=, addr=, terminal=ssh res=failed)'

Terminal request:
type=USER_ACCT msg=audit(1289336807.950:47869): user pid=28787 uid=0 auid=0 msg='PAM: accounting acct="admin" : exe="/usr/local/ssh/sbin/sshd" (hostname=, addr=, terminal=ssh res=success)'

PAM configuration files:
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required
auth sufficient nullok try_first_pass
auth requisite uid >= 500 quiet
auth required
account required
account sufficient uid < 500 quiet
account required
password requisite try_first_pass retry=3
password sufficient md5 shadow nullok try_first_pass use_authtok
password required
session optional revoke
session required
session [success=1 default=ignore] service in crond quiet use_uid
session required

original /etc/pam.d/sshd I tried:
auth include system-auth
account required
account include system-auth
password include system-auth
session optional force revoke
session include system-auth
session required

sshd.pam from openssh5.6p1 I found and tried as /etc/pam.d/sshd:
auth required service=system-auth
account required
account required service=system-auth
password required service=system-auth
session required service=system-auth

If you have any insights into whether I am looking in the right direction, or other avenues to try to solve this problem, please let me know.
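
Added example, not part of the original post: it parses the two audit records quoted above and groups them by sshd pid to show which PAM stack each connection reached. sshd runs the PAM auth stack only for password and keyboard-interactive logins, while a login it authenticates itself by key or certificate goes straight to the PAM account stack, so the record type tells the two client behaviours apart. The function names and verdict labels are illustrative, and the regex assumes the record layout shown in the post.

```python
import re
from collections import defaultdict

# The two audit records quoted in the post, unchanged.
POST_RECORDS = """\
type=USER_AUTH msg=audit(1289336781.338:47866): user pid=28699 uid=0 auid=0 msg='PAM: authentication acct="admin" : exe="/usr/local/ssh/sbin/sshd" (hostname=, addr=, terminal=ssh res=failed)'
type=USER_ACCT msg=audit(1289336807.950:47869): user pid=28787 uid=0 auid=0 msg='PAM: accounting acct="admin" : exe="/usr/local/ssh/sbin/sshd" (hostname=, addr=, terminal=ssh res=success)'
"""

# Assumption: records follow the layout shown in the post.
REC = re.compile(
    r'type=(?P<type>USER_\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):'
    r'.*?\bpid=(?P<pid>\d+)\b.*?PAM: (?P<op>\w+) acct="(?P<acct>[^"]*)"'
    r'.*?exe="(?P<exe>[^"]*)".*?res=(?P<res>\w+)'
)

def parse(text):
    """Return one dict per PAM audit record emitted by an sshd binary."""
    out = []
    for line in text.splitlines():
        m = REC.search(line)
        if m and m.group("exe").endswith("/sshd"):
            out.append(m.groupdict())
    return out

def classify(records):
    """Map each sshd pid to the PAM path its login attempt took."""
    by_pid = defaultdict(dict)
    for r in records:
        by_pid[r["pid"]][r["op"]] = r["res"]  # last result per stage wins
    verdicts = {}
    for pid, ops in by_pid.items():
        if "authentication" in ops:
            # pam_authenticate() ran: sshd was handling a password or
            # keyboard-interactive login for this connection.
            verdicts[pid] = "pam-auth-" + ops["authentication"]
        elif "accounting" in ops:
            # Only pam_acct_mgmt() ran: sshd authenticated the user itself
            # (for example by key or certificate) before consulting PAM.
            verdicts[pid] = "non-pam-auth, account-" + ops["accounting"]
        else:
            verdicts[pid] = "other"
    return verdicts

if __name__ == "__main__":
    for pid, verdict in classify(parse(POST_RECORDS)).items():
        print(pid, verdict)
```
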



