SSH Logins failing for all users, even when using correct password
Solution 1
Off the top of my head, these are the 3 things that have caused me pain in joining CentOS to AD and using sssd with ssh:
Do you have
pam_sss.so
listed in the password portion of/etc/pam.d/password-auth
, or otherwise called in/etc/pam.d/sshd
? Sshd will use PAM to validate the password, and if PAM isn't configured to talk tosssd
, that will break the ability to usessh
with AD auth.Do you have an
/etc/security/access.conf
that maybe has a line like-:ALL:ALL
in it? You may need to explicitly allow users, with+:USERNAME:ALL
, or you can allow anyone who passes authentication with+:ALL:ALL
The access.conf man page has some good information on the formats of entries and the meanings of the fields in the file.
In your domain stanza in
/etc/sssd/sssd.conf
, do you have a line for auth, likeauth_provider = ad
?
Edit 2017-11-02 13:48
/etc/nsswitch.conf
is another file that can be problematic. You need to confirm that sss
is configured as lookup target for passwd, shadow, group, netgroup, automount, and services:
passwd: files sss
shadow: files sss
group: files sss
<snip>
services: files sss
netgroup: files sss
<snip>
aoutomount: files sss
Although the "Success .... Access Denied" makes me think it has something to do with access.conf. Like authentication is passing, but then being blocked else where. Or... OP said this is Red Hat. It could be missing HBAC rules. They're not mentioned anywhere in the SSSD documentation that I recall.
I don't have a RH server to check with, and the CentOS servers I have that are domain joined don't have the ipa
command.
Solution 2
A very similar scenario with a different root-cause:
Login with sssd (against LDAP) via console works. Login using the correct password with sssd via ssh fails. Gives about an 8 seconds delay until being denied.
My solution was to remove AllowGroups ssh-login
from /etc/ssh/sshd_config
. That option restricts which group of users can log into the server. As I have not been a member of that group, I was not allowed to connect. No idea how it got there. I get my servers pre-configured from the VM-peeps. Maybe it is a default of Debian 10. Maybe the IT-department put it there.
Related videos on Youtube
CTN
Updated on September 18, 2022Comments
-
CTN over 1 year
As per the image there is 20 toggle buttons.I want to change focus traversal on key press alphabetically.If i am press V from keyboard then it will select first occurrence(VVS1) if second time it will select second occurrence(VVS2).
-
Thomas N over 6 yearsFWIW, I've also been tripped up by time issues. KRB is pretty picky about the timing for issuing krb tickets... I think 15 seconds of difference between client and server is enough to fail.
-
Stephen Kitt over 6 yearsFrom the OP’s deleted answer... Local users, including root, can’t login using SSH either.
sssd.conf
matches another server’s workingsssd.conf
. Every line inaccess.conf
is commented out.password-auth
does havepam_sss.so
in the password section, which also matches another working server’s setup.