LinuxQuestions.org
Old 11-29-2017, 01:44 AM   #1
compused
Member
 
Registered: Oct 2006
Location: Melbourne Australia
Distribution: centos and redhat 8
Posts: 91

Rep: Reputation: 15
pam_unix(sshd:auth): authentication failure;


Hi,
I can't get the *root password* accepted via 'ssh root@localhost' or via an ssh tunnel. But just running 'su root' in a PuTTY session as a non-root user is successful. This is in a CentOS 7 minimal install. Would these be the relevant pam.d files?
i.e. /etc/pam.d/sshd:
Code:
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
and /etc/pam.d/password-auth-ac
Code:
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok


password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
This is the error message in /var/log/secure:
Code:
Nov 29 17:26:28 localhost sshd[19125]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=root
Nov 29 17:26:28 localhost sshd[19125]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Nov 29 17:26:30 localhost sshd[19125]: Failed password for root from 127.0.0.1 port 59246 ssh2
Nov 29 17:26:32 localhost sshd[19125]: Connection closed by 127.0.0.1 port 59246 [preauth]
Any ideas anyone?
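
Added example, not part of the original post: a simplified Python model of how PAM walks the `auth` lines of the password-auth-ac file quoted above. It shows that the `uid >= 1000` check is reached only after pam_unix has already rejected the attempt, so that log line follows from the failure rather than causing it; the function names and the stand-in module results are constructed for illustration.

```python
# Added example: simplified model of how libpam walks an "auth" stack.
# Only required/requisite/sufficient/optional are modelled, not [value=action].
AUTH_STACK = """\
auth  required    pam_env.so
auth  required    pam_faildelay.so delay=2000000
auth  sufficient  pam_unix.so nullok try_first_pass
auth  requisite   pam_succeed_if.so uid >= 1000 quiet_success
auth  required    pam_deny.so
"""  # auth lines copied from the password-auth-ac file quoted in the post

def parse_stack(text, group="auth"):
    """Return [(control, module, args)] for one management group."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].lstrip("-").split()
        if len(fields) >= 3 and fields[0] == group:
            rules.append((fields[1], fields[2], fields[3:]))
    return rules

def module_ok(module, args, uid, password_ok):
    """Constructed stand-ins for what each real module would return."""
    if module == "pam_unix.so":
        return password_ok
    if module == "pam_succeed_if.so":      # handles only "uid >= N" / "uid < N"
        i = args.index("uid")
        op, limit = args[i + 1], int(args[i + 2])
        return uid >= limit if op == ">=" else uid < limit
    return module != "pam_deny.so"          # pam_env, pam_faildelay succeed

def evaluate(rules, uid, password_ok):
    """Walk the stack in order; return (granted, trace of modules run)."""
    required_failed = False
    trace = []
    for control, module, args in rules:
        ok = module_ok(module, args, uid, password_ok)
        trace.append((module, "ok" if ok else "fail"))
        if ok and control == "sufficient" and not required_failed:
            return True, trace              # stop: nothing below this runs
        if not ok and control == "requisite":
            return False, trace             # stop: fail immediately
        if not ok and control == "required":
            required_failed = True          # keep going, but result is fail
    return not required_failed, trace

if __name__ == "__main__":
    rules = parse_stack(AUTH_STACK)
    for label, uid, pw in [("root, pam_unix accepts", 0, True),
                           ("root, pam_unix rejects", 0, False),
                           ("uid 1000, pam_unix rejects", 1000, False)]:
        print(label, "->", evaluate(rules, uid, pw))
```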
 
Old 11-29-2017, 10:41 AM   #2
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727

Rep: Reputation: 2211
root login via ssh is likely (and probably should be) disabled in /etc/ssh/sshd_config
Code:
PermitRootLogin no
 
Old 11-30-2017, 05:12 PM   #3
compused
Member
 
Registered: Oct 2006
Location: Melbourne Australia
Distribution: centos and redhat 8
Posts: 91

Original Poster
Rep: Reputation: 15
Have not got an answer re the pam config but have a workaround in terms of tunneling in via sftp.

Put the designated non-root user ('username' in the example below) into the sudoers file ie /etc/sudoers. You have to specify the location of the sftp-server binary. You edit /etc/sudoers via the visudo command line editor, as root:
Code:
username ALL=(ALL)	NOPASSWD: /usr/libexec/openssh/sftp-server
i.e. 'username' can run commands of any user (the first ALL) on any host (if there is more than one PC on the network, i.e. the second ALL) without a password but ONLY for sftp-server
(refer https://winscp.net/eng/docs/faq_su)

If using winscp as your sftp program, make the following changes
(refer https://forums.cpanel.net/threads/wi...ia-sudo.334882)
In WinSCP for the session of the particular user:
Environment -> SFTP [Protocol Options] - SFTP server:
Code:
/usr/bin/sudo -s /usr/libexec/openssh/sftp-server
Environment -> SCP/Shell [Shell] - Shell:
Code:
/usr/bin/sudo su
 
  

