LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 11-10-2010, 05:52 PM   #1
bobsled
PAM authorization failure when using OpenSSH key certificates


The problem I am having is an authorization verification failure when using OpenSSH CA signed certificate key functionality from an internal Java application. I can get a successful connection using the same user and key files through terminal windows on the two nodes.

The environment is as follows:
Box 1 (client running the Java app)
- Centos 5.5 X86
- OpenSSH 5.6p1
- username "admin"
- directory admin/.ssh has id_rsa and id_rsa-cert.pub

Box 2 (server running sshd)
- Centos 5.2 i386
- OpenSSH 5.6p1
- username "admin"
- directory admin/.ssh has authorized_keys (CA public key)

I believe the problem is in my PAM authorization configuration, since the connection works through terminal windows but not programmatically. Plus the audit log indicates this:

Java request:
type=USER_AUTH msg=audit(1289336781.338:47866): user pid=28699 uid=0 auid=0 msg='PAM: authentication acct="admin" : exe="/usr/local/ssh/sbin/sshd" (hostname=192.168.1.165, addr=192.168.1.165, terminal=ssh res=failed)'

Terminal request:
type=USER_ACCT msg=audit(1289336807.950:47869): user pid=28787 uid=0 auid=0 msg='PAM: accounting acct="admin" : exe="/usr/local/ssh/sbin/sshd" (hostname=192.168.1.165, addr=192.168.1.165, terminal=ssh res=success)'

PAM configuration files:
/etc/pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

original /etc/pam.d/sshd I tried:
#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so

sshd.pam from openssh5.6p1 I found and tried as /etc/pam.d/sshd:
#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth

Any insights into whether I am looking in the right direction, or other avenues to try to solve this problem, please let me know.

Thanks,

Bob
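A way to read the two audit records, as an added example that is not part of the original post and not OpenSSH or audit-framework code: sshd drives the PAM "auth" stack (the records tagged PAM: authentication) only for password and keyboard-interactive logins; a public-key or certificate login never calls pam_authenticate and first appears in the audit log at the "account" stack (PAM: accounting), which runs after any successful authentication. A USER_AUTH record from sshd with res=failed therefore means the client had already fallen through to password/keyboard-interactive, i.e. the key or certificate was not accepted (or was never offered by the client library), and the PAM account configuration is not what rejected it. The script below parses records in the format quoted above and applies that rule per sshd pid. The sample records are constructed copies of the two lines in the post, the record format is assumed to match those lines, and the verdict strings are names chosen for this example.

```python
"""Classify sshd PAM audit records by the authentication path that produced them."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: copies of the two records quoted in the post.
SAMPLE_AUDIT = """\
type=USER_AUTH msg=audit(1289336781.338:47866): user pid=28699 uid=0 auid=0 msg='PAM: authentication acct="admin" : exe="/usr/local/ssh/sbin/sshd" (hostname=192.168.1.165, addr=192.168.1.165, terminal=ssh res=failed)'
type=USER_ACCT msg=audit(1289336807.950:47869): user pid=28787 uid=0 auid=0 msg='PAM: accounting acct="admin" : exe="/usr/local/ssh/sbin/sshd" (hostname=192.168.1.165, addr=192.168.1.165, terminal=ssh res=success)'
"""

# Matches the USER_AUTH / USER_ACCT layout seen in the post (assumed layout).
RECORD_RE = re.compile(
    r"type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"user pid=(?P<pid>\d+) uid=(?P<uid>\d+) auid=(?P<auid>\d+) "
    r"msg='PAM: (?P<phase>\w+) acct=\"(?P<acct>[^\"]*)\" : exe=\"(?P<exe>[^\"]*)\" "
    r"\(hostname=(?P<hostname>[^,]*), addr=(?P<addr>[^,]*), "
    r"terminal=(?P<terminal>[^ ]*) res=(?P<res>\w+)\)'"
)

# Verdict names are this example's own, not audit or OpenSSH terminology.
PASSWORD_FAILED = "password-or-kbdint-failed"
PASSWORD_OK = "password-or-kbdint-success"
PUBKEY_OK = "publickey-or-certificate-success"
INCONCLUSIVE = "inconclusive"


@dataclass(frozen=True)
class PamAuditRecord:
    type: str
    serial: int
    pid: int
    phase: str      # "authentication", "accounting", ...
    acct: str
    exe: str
    addr: str
    res: str        # "success" or "failed"


def parse_records(text: str) -> list[PamAuditRecord]:
    """Parse every line that matches the PAM user-record layout; skip the rest."""
    out: list[PamAuditRecord] = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m is None:
            continue
        out.append(PamAuditRecord(
            type=m["type"], serial=int(m["serial"]), pid=int(m["pid"]),
            phase=m["phase"], acct=m["acct"], exe=m["exe"],
            addr=m["addr"], res=m["res"],
        ))
    return out


def analyse(text: str) -> dict[int, str]:
    """Return {sshd pid: verdict}.

    sshd only runs the PAM auth stack for password/keyboard-interactive
    logins, so any 'authentication' record means that path was taken.  A pid
    that reaches 'accounting' with no 'authentication' record authenticated
    by some non-PAM method, which for sshd is publickey (plain or certificate).
    """
    by_pid: dict[int, dict[str, str]] = {}
    for rec in parse_records(text):
        if not rec.exe.endswith("/sshd"):
            continue  # only sshd records are interpreted here
        by_pid.setdefault(rec.pid, {})[rec.phase] = rec.res  # last result wins

    verdicts: dict[int, str] = {}
    for pid, phases in by_pid.items():
        if "authentication" in phases:
            verdicts[pid] = PASSWORD_OK if phases["authentication"] == "success" else PASSWORD_FAILED
        elif phases.get("accounting") == "success":
            verdicts[pid] = PUBKEY_OK
        else:
            verdicts[pid] = INCONCLUSIVE
    return verdicts


if __name__ == "__main__":
    for pid, verdict in sorted(analyse(SAMPLE_AUDIT).items()):
        print(f"sshd pid {pid}: {verdict}")
```

Applied to the post's two records, pid 28699 (the Java client) is classified as a failed password/keyboard-interactive attempt, so the certificate never authenticated that session, while pid 28787 (the terminal login) reached the account stack without a PAM authentication record, which is what a working public-key or certificate login looks like. That points the investigation at the Java SSH client's key/certificate handling and sshd's certificate trust settings rather than at /etc/pam.d.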
 
  

