Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Stephen Smoogen (smoogen_at_lanl.gov)
Date: Mon Feb 24 2003 - 12:53:28 CST
The main issues I have found with not being able to log in via SSH are
due to 1 of 2 problems. Passwords/accounts are via a kdc and the
/etc/pam.d/sshd does not look up in the correct place. Versions of
Openssh before 3.5p1 use pam_unix.so or pam_pwbd.so
Try the following from openssh-3.5p1
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_console.so
The second problem we have found has been due to some extra data that
authconfig puts into system-auth. For our KDC environment it causes
accounts NOT to be able to log in. The offending line is
account [default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore] /lib/security/pam_krb5.so
Changing this to
account sufficient /lib/security/pam_krb5.so
allowed ssh to log in, (plus cleared up some other issues with console
If both of these suggestions are wrong, try the following. Run sshd on a
high port with increasing number of -d flags and try to narrow down
what is killing the authentication.
sshd -p 9999 -d
is what I did to figure out things over time. After that it was adding
debug flags to pam.d files.
Hope this helps
On Mon, 2003-02-24 at 11:23, John Oliver wrote:
> On Mon, Feb 24, 2003 at 11:40:50AM -0500, TRUCKS, JESSE (SBCSI) wrote:
> > You didn't post what problem you are having.
> Well, I can't log on with SSH... :-)
> > Have you checked your pam configuration?
> I know *nothing* about PAM. I've "checked the config" by comparing to
> examples I find on the Internet.
> > Do you have any logged debug/message output?
> > Is SSH compiled to use PAM?
> Dunno. Does OpenSSH that comes with Red Hat come compiled with PAM? I
> didn't realize that it might not be... I thought all authentication with
> Red Hat was handled through PAM.
> John Oliver, CCNA http://www.john-oliver.net/
> Linux/UNIX/network consulting http://www.john-oliver.net/resume/
> *** sendmail, Apache, ftp, DNS, spam filtering ***
> **** Colocation, T1s, web/email/ftp hosting ****
> Pam-list mailing list
-- Stephen John Smoogen smoogenlanl.gov Los Alamos National Labrador CCN-2 B-Schedule PH: Ta-03 SM-261 MailStop P208 DP 17U Los Alamos, NM 87545 -- So shines a good deed in a weary world. = Willy Wonka --
_______________________________________________ Pam-list mailing list Pam-listredhat.com https://listman.redhat.com/mailman/listinfo/pam-list