Old 02-27-2009, 07:12 AM   #16
Baps
LQ Newbie
 
Registered: Feb 2009
Posts: 25

Original Poster
Rep: Reputation: 15

Code of /etc/ssh/sshd_config
Quote:
#	$OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no


#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
 
Old 02-27-2009, 07:21 AM   #17
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Actually the first thing I'd check is this:
Quote:
Originally Posted by Baps
I checked the log file /var/log/secure, it's showing something like pam_unix authentication error.
and posting "I see an error" does not make sense when troubleshooting. Post the actual error message.
 
Old 02-27-2009, 07:28 AM   #18
Baps
LQ Newbie
 
Registered: Feb 2009
Posts: 25

Original Poster
Rep: Reputation: 15
last 10 lines of /var/log/secure
Quote:
Feb 27 00:12:54 www sshd[8777]: pam_unix(sshd:session): session closed for user root
Feb 27 00:13:05 www sshd[9686]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=61.8.157.131 user=850fi
Feb 27 00:13:22 www sshd[9686]: Accepted password for 850fi from ::ffff:61.8.157.131 port 40384 ssh2
Feb 27 00:13:23 www sshd[9688]: pam_unix(sshd:session): session opened for user 850fi by 850fi(uid=502)
Feb 27 00:13:23 www sshd[9688]: pam_loginuid(sshd:session): set_loginuid failed opening loginuid
Feb 27 00:13:23 www sshd[9688]: pam_loginuid(sshd:session): set_loginuid failed
Feb 27 00:13:23 www sshd[9688]: fatal: PAM session setup failed[14]: Cannot make/remove an entry for the specified session
Feb 27 00:13:47 www sshd[9689]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=61.8.157.131 user=root
Feb 27 00:13:57 www sshd[9689]: Accepted password for root from ::ffff:61.8.157.131 port 40385 ssh2
Feb 27 00:13:57 www sshd[9689]: pam_unix(sshd:session): session opened for user root by (uid=0)
 
Old 02-27-2009, 07:47 AM   #19
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Baps
Code:
Feb 27 00:12:54 www sshd[8777]: pam_unix(sshd:session): session closed for user root
Feb 27 00:13:05 www sshd[9686]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=61.8.157.131 user=850fi
Feb 27 00:13:22 www sshd[9686]: Accepted password for 850fi from ::ffff:61.8.157.131 port 40384 ssh2
Feb 27 00:13:23 www sshd[9688]: pam_unix(sshd:session): session opened for user 850fi by 850fi(uid=502)
Feb 27 00:13:23 www sshd[9688]: pam_loginuid(sshd:session): set_loginuid failed opening loginuid
Feb 27 00:13:23 www sshd[9688]: pam_loginuid(sshd:session): set_loginuid failed 
Feb 27 00:13:23 www sshd[9688]: fatal: PAM session setup failed[14]: Cannot make/remove an entry for the specified session
First stop: 'man pam_loginuid'.
 
Old 02-27-2009, 07:53 AM   #20
Baps
LQ Newbie
 
Registered: Feb 2009
Posts: 25

Original Poster
Rep: Reputation: 15
Sorry, not getting your point, unSpawn.
 
Old 02-27-2009, 08:28 AM   #21
Baps
LQ Newbie
 
Registered: Feb 2009
Posts: 25

Original Poster
Rep: Reputation: 15
Pls suggest, no response from anyone.
 
Old 03-02-2009, 04:31 PM   #22
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
sshd[9688]: pam_loginuid(sshd:session): set_loginuid failed opening loginuid
In your /etc/pam.d/ssh the "pam_loginuid" module shows a failure and eventually the whole PAM stack collapses on it, meaning it's a fatal error. Looking at the manual might show clues as to what this module does, if you need it and maybe why (or what) it fails (on). If that doesn't work, 'rpm --verify' your /etc/pam.d/ssh PAM stack and package containing pam_loginuid to see if there's something missing or changed (configuration?). Also searching LQ, the CentOS and Red Hat bug trackers might show people having experienced the same problem, possible workarounds and maybe even fixes.
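
The failure sequence described above, as an added example that is not part of the original post: a Python triage of the /var/log/secure lines posted in #18, reporting logins whose password was accepted but whose PAM session setup ended in a fatal error, and which session module logged the failure. The function and field names are illustrative.

```python
import re
from collections import defaultdict

# Log lines copied from the /var/log/secure excerpt posted in this thread.
SAMPLE = """\
Feb 27 00:13:05 www sshd[9686]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=61.8.157.131 user=850fi
Feb 27 00:13:22 www sshd[9686]: Accepted password for 850fi from ::ffff:61.8.157.131 port 40384 ssh2
Feb 27 00:13:23 www sshd[9688]: pam_unix(sshd:session): session opened for user 850fi by 850fi(uid=502)
Feb 27 00:13:23 www sshd[9688]: pam_loginuid(sshd:session): set_loginuid failed opening loginuid
Feb 27 00:13:23 www sshd[9688]: pam_loginuid(sshd:session): set_loginuid failed
Feb 27 00:13:23 www sshd[9688]: fatal: PAM session setup failed[14]: Cannot make/remove an entry for the specified session
Feb 27 00:13:47 www sshd[9689]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=61.8.157.131 user=root
Feb 27 00:13:57 www sshd[9689]: Accepted password for root from ::ffff:61.8.157.131 port 40385 ssh2
Feb 27 00:13:57 www sshd[9689]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PAM = re.compile(r"(?P<mod>pam_\w+)\(sshd:(?P<phase>\w+)\): (?P<text>.*)")
ACCEPT = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")
FATAL = re.compile(r"fatal: PAM session setup failed\[(?P<code>\d+)\]: (?P<err>.*)")
OPENED = re.compile(r"session opened for user (\S+)")

def triage(log_text):
    """Return one finding per sshd process that died in PAM session setup."""
    # In the posted log the "Accepted" line (PID 9686) and the session lines
    # (PID 9688) carry different PIDs, so the login is matched by user name.
    by_pid, accepted, findings = defaultdict(list), {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        by_pid[pid].append(msg)
        if (a := ACCEPT.match(msg)):
            accepted[a["user"]] = (a["method"], a["src"])
        f = FATAL.match(msg)
        if not f:
            continue
        pam = [p for p in map(PAM.match, by_pid[pid]) if p and p["phase"] == "session"]
        user = next((o[1] for p in pam if (o := OPENED.match(p["text"]))), None)
        failed = sorted({p["mod"] for p in pam if "failed" in p["text"]})
        method, src = accepted.get(user, (None, None))
        findings.append({"pid": int(pid), "user": user, "auth": method, "from": src,
                         "failed_modules": failed, "pam_error": f["err"]})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

On the posted lines this reports only the 850fi login; the root login at 00:13:57 has no fatal line after its session opens.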
 
Old 03-16-2009, 06:30 PM   #23
dislodge112
LQ Newbie
 
Registered: Mar 2009
Posts: 1

Rep: Reputation: 0
I had the same problem starting a few days ago, pretty much exactly the same...

yum update openssh fixed it for me though, not sure what actually caused the problem in the first place.
 
Old 03-16-2009, 06:52 PM   #24
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Code:
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
...

#UsePAM no
I think you want "UsePAM yes" if your system has PAM installed.

Get regular user authentication working before disabling root logins. The fallback backup/restore option posted earlier may be a good idea as well. Also, log in twice. Keep the first terminal connection open. That way, after making changes, logging out and trying to log in again, you can use the first connection to reverse changes you made that locked you out.

Try logging in with "ssh -vv user@host". It may provide more details at the client about what is going on.

You might want to post your appropriate PAM configurations. Start with "ssh" and check what others are included in the "ssh" file. Concentrate on SESSION entries. Also double check if some PAM messages are posted in /var/log/messages.

Which Linux or BSD distro does the server run? You might try downloading the package for openssh, and extracting the PAM config files that are installed by the openssh package. Are there any differences?

If this is a Fedora or RHEL server (your mention of SELinux implies that it is), you can determine which package supplies a file with "rpm -qf /path/to/file"; verify a package with "rpm -qV packagename".

You can also download the openssh rpm package, and extract files inside with "mc" (a file manager) or using "rpm2cpio" and then "cpio" or using "unrpm". The first option "mc" can be used on a non-rpm based system. Check the PAM config files that the package supplies. Also check the PAM files that are used to authenticate users.
Concentrate on differences. The installers may have added a specialty PAM library, and then added an entry for it. Comparing the packages' PAM config files against what you have could pinpoint where a problem might be.

The http://rpm.pbone.net site is a good place to locate & download RPM packages for a particular distro. Use the Advanced option and select the particular Red Hat or Fedora distro you are using.

Last edited by jschiwal; 03-16-2009 at 07:05 PM.
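
One way to do the comparison suggested above, as an added example that is not part of the original post: diff the session rules of the installed PAM file against the copy extracted from the package. Both file contents below are constructed samples, and `parse_pam` and `diff_stack` are illustrative names.

```python
import re

# Constructed sample: the sshd PAM file as extracted from the package.
PACKAGED = """\
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
"""

# Constructed sample: the file found on the server, with one locally added rule.
INSTALLED = """\
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
session    optional     pam_keyinit.so force revoke
session    required     pam_mkhomedir.so skel=/etc/skel   # added locally
session    include      system-auth
session    required     pam_loginuid.so
"""

# type, control (a keyword or a [value=action ...] block), module, arguments
RULE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_pam(text):
    """Return (type, control, module, args) for every rule in a pam.d file."""
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():  # join continued lines
        m = RULE.match(raw.split("#", 1)[0].strip())     # drop comments
        if m:
            kind, control, module, args = m.groups()
            rules.append((kind.lstrip("-"), control, module, tuple(args.split())))
    return rules

def diff_stack(installed, packaged, kind="session"):
    """Compare the rules of one management group, ignoring whitespace and comments."""
    have = [r[1:] for r in parse_pam(installed) if r[0] == kind]
    want = [r[1:] for r in parse_pam(packaged) if r[0] == kind]
    return {
        "only_installed": [r for r in have if r not in want],
        "only_packaged": [r for r in want if r not in have],
        # PAM evaluates rules top to bottom, so a reordering matters too.
        "order_changed": [r for r in have if r in want] != [r for r in want if r in have],
    }

if __name__ == "__main__":
    print(diff_stack(INSTALLED, PACKAGED))
```

Files pulled in with `include` (system-auth in the samples) need the same comparison, since their session rules run as part of the sshd stack.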
 
  

