Wednesday, October 16, 2013

sshd / PAM problem

We have a setup with a number of different Unix systems all running sshd, and users having DSA key-pairs set up in a common home area that is mounted on all systems using NFS. The user database is LDAP based. This is working fine for all of our systems except our HP/UX Itanium system running 11.23. Here, although users can log in using ssh with password authentication, the key-pair passwordless logins are failing.
A section of sshd -d of such an exchange is as follows: 
debug1: userauth-request for user markw service ssh-connection method publickey 
debug1: attempt 1 failures 1 
debug2: input_userauth_request: try method publickey 
debug1: test whether pkalg/pkblob are acceptable 
debug1: temporarily_use_uid: 1024/1024 (e=0) 
debug1: trying public key file /u/markw/.ssh/authorized_keys 
debug3: secure_filename: checking '/u/markw/.ssh' 
debug3: secure_filename: checking '/u/markw' 
debug3: secure_filename: terminating check at '/u/markw' 
debug1: matching key found: file /u/markw/.ssh/authorized_keys, line 7 
Found matching DSA key: 58:00:46:b2:e9:7f:72:f3:df:b9:ae:34:05:6b:29:1a 
debug1: restore_uid 
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss 
Postponed publickey for markw from 10.41.250.54 port 64687 ssh2 
debug1: userauth-request for user markw service ssh-connection method publickey 
debug1: attempt 2 failures 1 
debug2: input_userauth_request: try method publickey 
debug1: temporarily_use_uid: 1024/1024 (e=0) 
debug1: trying public key file /u/markw/.ssh/authorized_keys 
debug3: secure_filename: checking '/u/markw/.ssh' 
debug3: secure_filename: checking '/u/markw' 
debug3: secure_filename: terminating check at '/u/markw' 
debug1: matching key found: file /u/markw/.ssh/authorized_keys, line 7 
Found matching DSA key: <key removed> 
debug1: restore_uid 
debug1: ssh_dss_verify: signature correct 
debug2: userauth_pubkey: authenticated 1 pkalg ssh-dss 
PAM rejected by account configuration[13]: No account present for user 
Failed publickey for markw from 10.41.250.54 port 64687 ssh2 
debug1: userauth-request for user markw service ssh-connection method keyboard-interactive 
debug1: attempt 3 failures 2 
debug2: input_userauth_request: try method keyboard-interactive 
It seems to me that the key-pair login checks pass but PAM is rejecting the user. sshd then falls back to trying password login and this is accepted and PAM doesn't reject the username. 
Am a bit stuck as to figuring out what's going on here... 
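The debug excerpt above contains the whole diagnosis if the stages are read in order: the key is matched and the signature verifies, then the PAM account stage rejects the user, then password auth is accepted. The following added example (not from the thread) parses an sshd -d exchange and reports which stage failed, so that "key files or permissions" and "PAM/NSS account lookup" can be told apart; the sample log is constructed to mirror the post, with placeholder IP and port.

```python
import re

# Constructed sample, modelled on the sshd -d excerpt in the post (IP/port are placeholders).
SAMPLE_LOG = """\
debug1: userauth-request for user markw service ssh-connection method publickey
debug1: trying public key file /u/markw/.ssh/authorized_keys
debug1: matching key found: file /u/markw/.ssh/authorized_keys, line 7
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Postponed publickey for markw from 10.41.250.54 port 64687 ssh2
debug1: userauth-request for user markw service ssh-connection method publickey
debug1: ssh_dss_verify: signature correct
debug2: userauth_pubkey: authenticated 1 pkalg ssh-dss
PAM rejected by account configuration[13]: No account present for user
Failed publickey for markw from 10.41.250.54 port 64687 ssh2
debug1: userauth-request for user markw service ssh-connection method keyboard-interactive
Accepted password for markw from 10.41.250.54 port 64687 ssh2
"""

def triage_sshd_debug(text):
    """Walk one sshd -d exchange and record how far each check got."""
    r = {"user": None, "key_file": None, "key_line": None, "signature_verified": False,
         "pam_account_rejected": False, "pam_message": None,
         "accepted_method": None, "failed_methods": []}
    for line in text.splitlines():
        if m := re.search(r"userauth-request for user (\S+)", line):
            r["user"] = m.group(1)
        if m := re.search(r"matching key found: file (\S+), line (\d+)", line):
            r["key_file"], r["key_line"] = m.group(1), int(m.group(2))
        if "signature correct" in line:          # client proved it holds the private key
            r["signature_verified"] = True
        if m := re.search(r"PAM rejected by account configuration\[\d+\]: (.*)", line):
            r["pam_account_rejected"], r["pam_message"] = True, m.group(1).strip()
        if m := re.match(r"Failed (\S+) for ", line):
            r["failed_methods"].append(m.group(1))
        if m := re.match(r"Accepted (\S+) for ", line):
            r["accepted_method"] = m.group(1)
    r["diagnosis"] = diagnose(r)
    return r

def diagnose(r):
    """Map the recorded stages to the part of the stack that needs attention."""
    if r["accepted_method"] == "publickey":
        return "publickey accepted"
    if r["signature_verified"] and r["pam_account_rejected"]:
        return ("key verified; rejected at PAM account stage (%s): check the PAM/NSS "
                "account lookup (e.g. LDAP) for this user, not key files" % r["pam_message"])
    if r["key_file"] is None:
        return "no matching key: check authorized_keys contents, ownership and permissions"
    if not r["signature_verified"]:
        return "key matched but signature not verified: check the client's private key"
    return "undetermined"
```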

I have experienced similar issues in the past and these are the things you need to check on the destination server.
1) make sure that /u/markw has a protection of 755
2) make sure /u/markw/.ssh is 700
3) make sure that /u/markw/.ssh/authorized_keys is 600
4) execute /sbin/init.d/secsh stop
5) execute /sbin/init.d/secsh start
6) make sure that a user account "markw" exists on the destination server.
7) make sure that the file /u/markw/.ssh/authorized_keys contains a line that ends with the string "markw@DestinationServerName"
SSH is very fussy about file protections. If the above items do not work then you will need to check the files /opt/ssh/etc/sshd_config and /opt/ssh/etc/ssh_config. You might have an SSH parameter which is incorrectly set.
You might also want to check the contents of /var/adm/syslog/syslog.log for a more detailed description of your error message during the time of the ssh event.

The problem appears to be more to do with PAM/LDAP than sshd itself, at least that's my take on it.
We have many systems (Linux, Solaris, AIX, Mac OSX, IRIX, FreeBSD) all with the same NFS volume mounted in the same location, so they all use the same .ssh directories for user ssh connection validation. All are working fine except this one system, including a HP/UX system running B.11.11 on PA-RISC hardware.
The system log shows:
May 15 06:07:50 rx1600 sshd[15541]: PAM rejected by account configuration[13]: No account present for user
May 15 06:07:56 rx1600 sshd[15541]: Accepted password for markw from 10.41.1.31 port 53204 ssh2
PAM rejects the account after sshd has validated the key pair. It then accepts the account when password login takes place.
There are no local accounts as we have a central LDAP user database. This is working fine for ssh on all other systems, including our second HP/UX machine.
