authentication failure using SSH pam_unix(sshd:auth): authentication failure;

on 
2011-10-24T11:22:22.125623+07:00 fazries.com sshd[8909]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=sshK ruser= rhost=10.10.10.115  user=fazries
2011-10-24T11:22:22.151540+07:00 fazries.com sshd[8909]: Accepted password for fazries from 10.62.41.115 port 49633 ssh2
2011-10-24T11:22:22.263304+07:00 fazries.com sshd[8909]: pam_unix(sshd:session): session opened for user fazries by (uid=0)
when I try connect to another server using ssh, I found an error on /var/log/secure "pam_unix(sshd:auth): authentication failure; "
okay, we know the problem is on the pam module, so we should look at sshd module on pam directory at /etc/pam.d/

at /etc/pam.d/sshd 
auth       include      system-auth

account    required     pam_nologin.so
account    include      system-auth

password   include     system-auth

session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_loginuid.so require_auditd
here we can see the authentication included system-auth "auth include system-auth". okay next we should take a look on /etc/pam.d/system-auth on pam system-auth look at auth section, at my system-auth module, the system will check local system (pam_unix) at the first time then check the ldap database (pam_ldap).

Alhamdulillah that issue because sshd:auth want to connect to remote server and cannot find the user at local system (pam_unix), that's why appears message authentication failure,

because my user at ldap database after cannot find the user on local system then sshd:auth try to find it at ldap database (pam_ldap), and found it.

"Accepted password for fazries from 10.10.10.115 port 49633 ssh2"

at /etc/pam.d/system-auth 
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
this is the way out.... :-)

replace try_first_pass to pam.ldap.so and use_first_pass to pam_unix.so that will make ssh search user from ldap database first,if not found then ssh will search at local system. 
auth        required      pam_env.so
auth        sufficient    pam_ldap.so try_first_pass
auth        sufficient    pam_unix.so nullok use_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

that will make the error message "sshd[8909]: pam_unix(sshd:auth): authentication failure;" gone. 
2011-10-27T13:33:16.738779+07:00 fazries.com sshd[16689]: Accepted password for fazries from 10.62.41.115 port 41924 ssh2
2011-10-27T13:33:16.895793+07:00 fazries.com sshd[16689]: pam_unix(sshd:session): session opened for user fazries by (uid=0)

Comments

  1. AnonymousApril 9, 2012 at 4:09 AM

    nice job...!!! we should be donate to fazrie.!!

    ReplyDelete
  2. AnonymousMay 20, 2012 at 5:30 PM

    Thanks..!! very useful...! :D

    ReplyDelete
  3. AnonymousJuly 4, 2012 at 1:15 PM

    Last messages:
    2012-07-04 11:25:44 -0400 security/authorization wkpauthdbs02 1 mcidb8 sshd[2011]: pam_unix(sshd:auth): check pass; user unknown {"score"=>nil}


    Anybody can send me the cause of this error. Please thanks in Advanc

    ReplyDelete
  4. AnonymousDecember 13, 2012 at 8:49 AM

    THANK YOU for documenting this! This was the cause of our mystery cluster login lockup after a mystery ROCKS re-imaging wiped out our login node. It provided the ~5 bytes that hosed a resource for ~500 increasingly agitated users :). This spared us the tar and feathers! Thanks again!
    hjm

    ReplyDelete
  5. UnknownMay 1, 2013 at 12:06 PM

    Hey, thank you so much for this. Though I was using pam_sss.so than pam_ldap.so. But they have same concept so managed to solve the issue following your instructions. Keep it up!

    ReplyDelete
  6. KevinAugust 20, 2013 at 3:46 AM

    Thanks ...its very useful

    ReplyDelete
  7. UnknownSeptember 24, 2013 at 5:32 AM

    If you set pam_ldap.so before pam_unix.so in system-auth can you still login with a local account (i.e. - root) if the LDAP server is down, not responding, or slow to respond? In the past I have had issues where a console login would timeout waiting for the LDAP server to respond (getting a login timeout after 60 seconds). Can anyone confirm one way or the other if setting system-auth like specified about may have a login timeout problem? This typically will come up in emergency situations (power outages for example) where network equipment or the ldap server gets shutdown and other servers are still up. Sometimes it is required to login to the physical server on the console with a local account.

    thanks!

    ReplyDelete
  8. AnonymousFebruary 23, 2014 at 12:03 PM

    well done man ! another friend helped .. :) thanks.

    ReplyDelete
  9. UnknownMarch 12, 2014 at 4:41 AM

    thanks this help me locate the error, with one of the company red hat servers!

    ReplyDelete
  10. Matt YakelDecember 30, 2014 at 3:04 PM

    Worked great for me running CentOS 6.6 minimal install Thanks!!!

    ReplyDelete
  11. AnonymousSeptember 6, 2016 at 9:54 PM

    Thanks for the help. Slightly different issue, but used your line of thought to solve it.

    ReplyDelete
  12. NirajMay 8, 2017 at 2:59 AM

    A nice article, Have similar issue on my Linux system. Got the idea how to take next step forward... Excellent....

    ReplyDelete

Post a Comment