Armstrong, Jeffrey wrote:
Hi

I’m unable to login via ssh to an ipa client or server as the admin user
or a new user.  This is a new installation of the ipa server and clients.

I’ve saved some of the error messages:

I created a test user (tuser).  I was able to su - tuser successfully.
I was not able to ssh to the master ipa server or any of the clients.

Below I have some information from the sssd log, the command ipa
hbactest, and the secure log.

If you need any other info please let me know.

Thanks

Jeff

sssd_<domainname>.log


sh tuser@pcs1dc01

Mar 16 12:39:53 pcs1dc01 authpriv.info sshd[30792]: Set
/proc/self/oom_score_adj to 0

Mar 16 12:39:53 pcs1dc01 authpriv.info sshd[30792]: Connection from
10.109.4.20 port 60969

Mar 16 12:39:53 pcs1dc01 authpriv.info sshd[30792]: Failed publickey for
tuser from 10.109.4.20 port 60969 ssh2

Password: Mar 16 12:39:53 pcs1dc01 authpriv.info sshd[30793]: Postponed
keyboard-interactive for tuser from 10.109.4.20 port 60969 ssh2

Mar 16 12:40:57 pcs1dc01 authpriv.notice sshd[30795]:
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=10.109.4.20  user=tuser

Mar 16 12:40:57 pcs1dc01 authpriv.info sshd[30795]: pam_sss(sshd:auth):
authentication success; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.109.4.20 user=tuser

Mar 16 12:40:57 pcs1dc01 authpriv.notice sshd[30795]:
pam_sss(sshd:account): Access denied for user tuser: 6 (Permission denied)

Mar 16 12:40:57 pcs1dc01 authpriv.err sshd[30792]: error: PAM: User
account has expired for tuser from 10.109.4.20

Mar 16 12:40:57 pcs1dc01 authpriv.info sshd[30792]: Failed
keyboard-interactive/pam for tuser from 10.109.4.20 port 60969 ssh2

Received disconnect from UNKNOWN: 2: Too many authentication failures
for tuser

Mar 16 12:40:57 pcs1dc01 authpriv.info sshd[30793]: Disconnecting: Too
many authentication failures for tuse


*Command:* ipa hbactest

User name: tuser

Target host: <server>

Service: ssh

---------------------

Access granted: False

---------------------

   Not matched rules: GUI_ACCESS

   Not matched rules: SSH_ACCESS

There is your answer right there. Add tuser to the appropriate rule.

And as of the last login attempt the user is logged out due to too many failed attempts. Lockout duration default is 5 minutes IIRC.

rob


*Secure log*

Mar 16 12:29:55  authpriv.notice sshd[30697]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=
<ip-address> user=tuser

Mar 16 12:29:56  authpriv.info sshd[30697]: pam_sss(sshd:auth):
authentication success; logname= uid=0 euid=0 tty=ssh ruser=
rhost=<ip-address> user=tuser

Mar 16 12:29:56  authpriv.notice sshd[30697]: pam_sss(sshd:account):
Access denied for user tuser: 6 (Permission denied)

Mar 16 12:29:56  authpriv.err sshd[30694]: error: PAM: User account has
expired for tuser from 10.109.4.20

Mar 16 12:29:56  authpriv.info sshd[30694]: Failed
keyboard-interactive/pam for tuser from <ipaddress> port 60942 ssh2

Received disconnect from UNKNOWN: 2: Too many authentication failures
for tuser

Mar 16 12:29:56 authpriv.info sshd[30695]: Disconnecting: Too many
authentication failures for tuser




--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
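
A triage sketch for the log pattern in this thread, added here as an example and not part of the original messages: it separates logins refused at the PAM auth phase from those refused at the account phase, which is where the HBAC denial reported by `ipa hbactest` shows up. The fourth sample line, with its user, PID and address, is constructed.

```python
import re
from collections import defaultdict

# Lines 1-3: from the sshd log quoted in the thread, re-joined onto single lines.
# Line 4: constructed for contrast (hypothetical user, PID and address).
SAMPLE_LOG = """\
Mar 16 12:40:57 pcs1dc01 authpriv.notice sshd[30795]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.109.4.20  user=tuser
Mar 16 12:40:57 pcs1dc01 authpriv.info sshd[30795]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.109.4.20 user=tuser
Mar 16 12:40:57 pcs1dc01 authpriv.notice sshd[30795]: pam_sss(sshd:account): Access denied for user tuser: 6 (Permission denied)
Mar 16 12:41:30 pcs1dc01 authpriv.notice sshd[40001]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=otheruser
"""

AUTH = re.compile(r"sshd\[(\d+)\]: (pam_\w+)\(sshd:auth\): authentication (success|failure);.*\buser=(\S+)")
ACCT = re.compile(r"sshd\[(\d+)\]: pam_sss\(sshd:account\): Access denied for user ([^\s:]+): (\d+)")

def classify(log_text):
    """Map each (sshd pid, user) PAM conversation to the phase that decided it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = AUTH.search(line)
        if m:
            pid, _module, result, user = m.groups()
            seen[(pid, user)].add("auth_ok" if result == "success" else "auth_fail")
            continue
        m = ACCT.search(line)
        if m:
            pid, user, _code = m.groups()
            seen[(pid, user)].add("acct_denied")
    verdicts = {}
    for key, events in seen.items():
        if "acct_denied" in events:
            # The account phase (access control, HBAC in the thread) refused the login.
            verdicts[key] = "authorization"
        elif "auth_ok" in events:
            # An earlier pam_unix failure is expected for directory-only users.
            verdicts[key] = "authenticated"
        else:
            # No PAM module accepted the credentials.
            verdicts[key] = "authentication"
    return verdicts

if __name__ == "__main__":
    for (pid, user), verdict in classify(SAMPLE_LOG).items():
        print(f"sshd[{pid}] {user}: {verdict}")
```

An `authorization` verdict means the password was fine and the access rules are the place to look; an `authentication` verdict points at credentials instead.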