Running CentOS 6.5 with sssd 1.9.2 in a test environment, and trying to
authenticate user jsmith over ssh to the server ldap-01.pcoral.net,
which is running openldap and authenticating against it.
[root@ldap-01 pam.d]# id -a jsmith
uid=1002(jsmith) gid=601(allowedusers) groups=601(allowedusers)
[root@ldap-01 pam.d]# getent group allowedusers
allowedusers:*:601:will,jsmith,1001
[root@ldap-01 pam.d]# getent passwd jsmith
jsmith:*:1002:601:john smith:/home/users/jsmith:/bin/sh
And trying the following:
[root@ldap-01 pam.d]# ssh -vvv jsmith@ldap-01.pcoral.net
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to ldap-01.pcoral.net [54.215.234.166] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 792 bytes for a total of 813
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: Wrote 24 bytes for a total of 837
debug2: dh_gen_key: priv key bits set: 120/256
debug2: bits set: 506/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: Wrote 144 bytes for a total of 981
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug1: Host 'ldap-01.pcoral.net' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
debug2: bits set: 517/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 16 bytes for a total of 997
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug3: Wrote 48 bytes for a total of 1045
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/identity ((nil))
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug3: Wrote 64 bytes for a total of 1109
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug3: no such identity: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
jsmith@ldap-01.pcoral.net's password:
debug3: packet_send2: adding 64 (len 59 padlen 5 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug3: Wrote 144 bytes for a total of 1253
Connection closed by 54.215.234.166
The phrase 'Connection closed...' appears right away. I can connect
as root using ssh, and ldapsearch returns the correct information for the
sudoers role and the allowedusers group.
Below you can see that I can sudo to the user, but above I cannot ssh as
the user.
[root@ldap-01 ~]# sudo su qwerty
su: user qwerty does not exist
[root@ldap-01 ~]# sudo su jsmith
Creating directory '/home/users/jsmith'.
sh-4.1$ whoami
jsmith
sh-4.1$ exit
exit
[root@ldap-01 ~]# cd /home/users
[root@ldap-01 users]# ls -l
total 8
drwxr-xr-x. 2 jsmith allowedusers 4096 Jul 10 09:10 jsmith
drwxr-xr-x. 2 will allowedusers 4096 May 1 18:32 will
[root@ldap-01 users]# sudo su jsmith
sh-4.1$
Essentially, this is what I get in the log file debug.log:
Jul 10 15:35:12 ldap-01 sshd[11567]: pam_sss(sshd:account): Access denied for user jsmith: 6 (Permission denied)
Jul 10 15:35:12 ldap-01 sshd[11567]: Failed password for jsmith from 54.215.234.166 port 56712 ssh2
Jul 10 15:35:12 ldap-01 sshd[11568]: fatal: Access denied for user jsmith by PAM account configuration
/etc/sssd/sssd.conf
[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=pcoral,dc=net
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap-02.pcoral.net
ldap_tls_cacertdir = /etc/openldap/cacerts
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = default, LDAP
[nss]
filter_users = root
filter_groups = root
[pam]
[sudo]
[domain/LDAP]
access_provider = ldap
auth_provider = ldap
chpass_provider = ldap
id_provider = ldap
sudo_provider = ldap
#debug_level = 0xFFF0
debug_level = 9
cache_credentials = true
enumerate = true
# Note: I've tried both ways - no difference
#ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=pcoral,dc=net
ldap_access_filter = cn=allowedusers,ou=Groups,dc=pcoral,dc=net
ldap_search_base = dc=pcoral,dc=net
ldap_sudo_search_base = ou=sudoers,dc=pcoral,dc=net
ldap_tls_cacert = /etc/pki/CA/certs/ca_cert.pem
ldap_tls_reqcert = allow
ldap_uri = ldaps://ldap-02.pcoral.net
Next, the /etc/pam.d/password-auth file (this is the same as system-auth):
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_debug.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so umask=0022 skel=/etc/skel/
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
/etc/pam.d/sshd file:
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
and one more, /etc/ssh/sshd_config:
Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin without-password
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding no
UseDNS no
Subsystem sftp /usr/libexec/openssh/sftp-server
Any help is very greatly appreciated!!!
Thanks,
Sterling