PAM authorization failure when using OpenSSH key certificates
The problem I am having is an authorization verification failure when using OpenSSH CA signed certificate key functionality from an internal Java application. I can get a successful connection using the same user and key files through terminal windows on the two nodes.
The environment is as follows:
Box 1 (client running the Java app)
- Centos 5.5 X86
- OpenSSH 5.6p1
- username "admin"
- directory admin/.ssh has id_rsa and id_rsa-cert.pub
Box 2 (server running sshd)
- Centos 5.2 i386
- OpenSSH 5.6p1
- username "admin"
- directory admin/.ssh has authorized_keys (CA public key)
I believe the problem is in my PAM authorization configuration since the connection works through terminal windows but not programmatically. Plus the audit log indicates this:
Java request:
type=USER_AUTH msg=audit(1289336781.338:47866): user pid=28699 uid=0 auid=0 msg='PAM: authentication acct="admin" : exe="/usr/local/ssh/sbin/sshd" (hostname=192.168.1.165, addr=192.168.1.165, terminal=ssh res=failed)'
Terminal request:
type=USER_ACCT msg=audit(1289336807.950:47869): user pid=28787 uid=0 auid=0 msg='PAM: accounting acct="admin" : exe="/usr/local/ssh/sbin/sshd" (hostname=192.168.1.165, addr=192.168.1.165, terminal=ssh res=success)'
PAM configuration files:
/etc/pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
original /etc/pam.d/sshd I tried:
#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
sshd.pam from openssh5.6p1 I found and tried as /etc/pam.d/sshd:
#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
Any insights into whether I am looking in the right direction, or other avenues to try to solve this problem, please let me know.
Thanks,
Bob
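As an added illustration of how to read the two audit records quoted above (example code, not from the question or from OpenSSH), here is a small parser for this auditd PAM record format that groups events by sshd child pid and infers which authentication path each client took. The mapping of audit record types to PAM stacks and the classification heuristic are this example's own assumptions: sshd runs the PAM "auth" stack only for password or keyboard-interactive logins, so a USER_AUTH record means the client did not get in via publickey (certificate) authentication, while a publickey login shows only USER_ACCT and USER_START.

```python
import re
from collections import defaultdict

# The two audit records quoted in the question, embedded here as sample input.
AUDIT_LINES = [
    "type=USER_AUTH msg=audit(1289336781.338:47866): user pid=28699 uid=0 auid=0 "
    "msg='PAM: authentication acct=\"admin\" : exe=\"/usr/local/ssh/sbin/sshd\" "
    "(hostname=192.168.1.165, addr=192.168.1.165, terminal=ssh res=failed)'",
    "type=USER_ACCT msg=audit(1289336807.950:47869): user pid=28787 uid=0 auid=0 "
    "msg='PAM: accounting acct=\"admin\" : exe=\"/usr/local/ssh/sbin/sshd\" "
    "(hostname=192.168.1.165, addr=192.168.1.165, terminal=ssh res=success)'",
]

# Assumed mapping: auditd record type -> PAM stack sshd ran for that record.
PAM_STACK = {"USER_AUTH": "auth", "USER_ACCT": "account", "USER_START": "session"}

RECORD_RE = re.compile(
    r"type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"user pid=(?P<pid>\d+) uid=(?P<uid>\d+) auid=(?P<auid>\d+) "
    r"msg='PAM: (?P<stage>\w+) acct=\"(?P<acct>[^\"]*)\" : exe=\"(?P<exe>[^\"]*)\" "
    r"\(hostname=(?P<hostname>[^,\s]+),?\s+addr=(?P<addr>[^,\s]+),?\s+"
    r"terminal=(?P<terminal>\S+)\s+res=(?P<res>\w+)\)'"
)


def parse_audit_line(line):
    """Return the record's fields as a dict, or None if it is not a PAM user record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["stack"] = PAM_STACK.get(rec["type"], "unknown")
    return rec


def group_by_pid(lines):
    """Per sshd child pid, record which PAM stacks ran and their result."""
    sessions = defaultdict(dict)
    for line in lines:
        rec = parse_audit_line(line)
        if rec is not None:
            sessions[rec["pid"]][rec["stack"]] = rec["res"]
    return dict(sessions)


def classify(stacks):
    """Heuristic: the auth stack runs only for password/keyboard-interactive."""
    if "auth" in stacks:          # client used a PAM-backed method, not publickey
        return "pam-auth-" + stacks["auth"]
    if stacks.get("account") == "success":
        return "publickey-likely"  # account check only: consistent with certificate login
    return "unknown"
```

Run over the two lines from the post, pid 28699 (the Java client) classifies as pam-auth-failed and pid 28787 (the terminal) as publickey-likely, which points at the Java client never presenting the certificate rather than at the account stack.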