It's authenticating locally only and it is happening on all the Red Hat servers at this point. We have some SLES servers, but they're working fine, which leads me to believe there is something different between the distros or kernel releases. One other thing I will mention is we've replaced supplied ssh with Tectia ssh server/client software.
I did turn on debug on the /etc/pam.d/system-auth file. It appears to be failing on the public-key authentication and then falling through to the password authentication and allowing access. Based on the login prompts this seems to make sense.

Login Prompts:

    PAM Authentication
    Password:
    Password Authentication:
    jspace's password:

In the messages and secure logs there are errors.

messages

    Apr 20 13:57:15 rh66cln-pk ssh-server-g3: 1002 Algorithm_negotiation_success, "kex_algorithm=diffie-hellman-group-exchange-sha256, hostkey_algorithm=ssh-rsa, cipher=aes128-cbc/aes128-cbc, mac=hmac-sha1/hmac-sha1, compression=none/none", Session-Id: 1
    Apr 20 13:57:15 rh66cln-pk ssh-server-g3: 1003 KEX_success, Algorithm: diffie-hellman-group-exchange-sha256, Modulus: 2048 bits, Session-Id: 1, Protocol-session-Id: 37E91F9819846E8DB400EA8627283F7A6ADCE7B26A7EF2737623DD71FCEB0E55
    Apr 20 13:57:15 rh66cln-pk ssh-server-g3: 801 Authentication_block_selected, Username: jspace, Policy name: authentication, Session-Id: 1, "file: /etc/ssh2/ssh-server-config.xml, line: 191"
    Apr 20 13:57:15 rh66cln-pk ssh-server-g3: 703 Auth_methods_available, Username: jspace, Auth methods: gssapi-with-mic,password,publickey,keyboard-interactive, Session-Id: 1
    Apr 20 13:57:18 rh66cln-pk ssh-server-g3: 717 Keyboard_interactive_pam_auth_error, Username: jspace, Algorithm: pam, "pam_internal_op_error() failed: Permission denied(6) / pam_acct_mgmt() failed.", Session-Id: 1
    Apr 20 13:57:58 rh66cln-pk ssh-server-g3: 722 Keyboard_interactive_password_auth_success, Username: jspace, Algorithm: password, "Keyboard-interactive Password authentication successful", Session-Id: 1
    Apr 20 13:58:00 rh66cln-pk ssh-server-g3: 700 Auth_method_success, Username: jspace, Auth method: keyboard-interactive, Session-Id: 1
    Apr 20 13:58:00 rh66cln-pk ssh-server-g3: 802 Authentication_block_allow, Username: jspace, Policy name: authentication, Session-Id: 1, "file: /etc/ssh2/ssh-server-config.xml, line: 191"

secure

    Apr 20 13:57:15 rh66cln-pk ssh-pam-proxy: pam_succeed_if(ssh-server-g3:auth): 'user' resolves to 'jspace'
    Apr 20 13:57:15 rh66cln-pk ssh-pam-proxy: pam_succeed_if(ssh-server-g3:auth): 'uid' resolves to '1100'
    Apr 20 13:57:15 rh66cln-pk ssh-pam-proxy: pam_succeed_if(ssh-server-g3:auth): 'uid' resolves to '1100'
    Apr 20 13:57:18 rh66cln-pk ssh-pam-proxy: pam_access(ssh-server-g3:account): access denied for user `jspace' from [removed]'
    . . .
    pr 20 13:57:18 rh66cln-pk ssh-pam-proxy: pam_localuser(ssh-server-g3:account): checking "jspace:x:1100:1100:jspace:/home/jspace:/bin/bash#012"
    Apr 20 13:57:18 rh66cln-pk ssh-pam-proxy: pam_succeed_if(ssh-server-g3:account): 'uid' resolves to '1100'
    Apr 20 13:57:18 rh66cln-pk ssh-pam-proxy: pam_succeed_if(ssh-server-g3:session): 'service' resolves to 'ssh-server-g3'
    Apr 20 13:57:18 rh66cln-pk ssh-pam-proxy: pam_unix(ssh-server-g3:session): session closed for user jspace

From: de Schepper Robbert <robbert.de.schep...@volvo.com>
To: LINUX-390@VM.MARIST.EDU,
Date: 04/20/2015 07:33 AM
Subject: Re: PAM Prompting For Password Twice
Sent by: Linux on 390 Port <LINUX-390@VM.MARIST.EDU>

Hello,

Do you auth against an LDAP? Or is it local only?
Is it only this server, or do other servers have it as well?
You can also try adding debug in the pam config. That gives more output.

BR/ Robbert
_________________________________________________
Robbert de Schepper

-----Original Message-----
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of Jason Space
Sent: Monday 20 April 2015 12:57
To: LINUX-390@VM.MARIST.EDU
Subject: PAM Prompting For Password Twice

All,

Distro: RHEL 6.6 (s390x)

I'm having trouble tracking down why PAM is asking for a password twice before allowing access. Best I can determine from reading is the pam_unix.so module being called twice. To be honest, I know next to nothing about PAM...... Below are the contents of the system-auth file. Any help would be appreciated.

    auth required pam_env.so
    auth [default=ignore success=1] pam_succeed_if.so quiet user ingroup nolockout
    auth requisite pam_tally2.so deny=3 onerr=fail
    auth [default=ignore success=1] pam_succeed_if.so quiet uid = 0
    auth requisite pam_succeed_if.so uid >= 500 quiet
    auth sufficient pam_unix.so try_first_pass
    auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
    auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
    auth required pam_deny.so

    account required pam_unix.so
    account sufficient pam_localuser.so
    account sufficient pam_succeed_if.so uid < 500 quiet
    account required pam_tally2.so
    account required pam_permit.so

    password requisite pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 lcredit=-1 ocredit=-1 ucredit=-1 minlen=14 difok=4
    password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
    password required pam_deny.so

    session optional pam_keyinit.so revoke
    session required pam_limits.so
    session required pam_lastlog.so showfailed
    session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session required pam_unix.so

Thx,
Jason Space

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/
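
Added example, not part of the thread and not Tectia's or the posters' code: a small correlator for the ssh-server-g3 event lines quoted above that groups them by Session-Id and reports sessions where the PAM keyboard-interactive submethod failed and the password submethod then succeeded, which is the sequence behind the two prompts. The function names are hypothetical and the Session-Id 2 line is constructed.

```python
import re
from collections import defaultdict

# The first three lines are from the "messages" excerpt in the post; the
# Session-Id 2 line is constructed (a login with no preceding PAM error).
SAMPLE = """\
Apr 20 13:57:18 rh66cln-pk ssh-server-g3: 717 Keyboard_interactive_pam_auth_error, Username: jspace, Algorithm: pam, "pam_internal_op_error() failed: Permission denied(6) / pam_acct_mgmt() failed.", Session-Id: 1
Apr 20 13:57:58 rh66cln-pk ssh-server-g3: 722 Keyboard_interactive_password_auth_success, Username: jspace, Algorithm: password, "Keyboard-interactive Password authentication successful", Session-Id: 1
Apr 20 13:58:00 rh66cln-pk ssh-server-g3: 700 Auth_method_success, Username: jspace, Auth method: keyboard-interactive, Session-Id: 1
Apr 20 14:02:11 rh66cln-pk ssh-server-g3: 722 Keyboard_interactive_password_auth_success, Username: jspace, Algorithm: password, "Keyboard-interactive Password authentication successful", Session-Id: 2
"""

LINE = re.compile(r'^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) ssh-server-g3: '
                  r'\d+ (?P<event>\w+), (?P<rest>.*)$')
FIELD = re.compile(r'(Username|Session-Id): (\S+?)(?:,|$)')
QUOTED = re.compile(r'"([^"]*)"')

def parse(text):
    """Yield one dict per ssh-server-g3 event line; other lines are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev.update(dict(FIELD.findall(ev["rest"])))
        q = QUOTED.search(ev["rest"])
        ev["detail"] = q.group(1) if q else ""   # free-text reason, if any
        yield ev

def double_prompt_sessions(text):
    """Sessions where a PAM submethod error precedes a password submethod success."""
    by_session = defaultdict(list)
    for ev in parse(text):
        by_session[(ev["host"], ev.get("Session-Id"))].append(ev)
    findings = []
    for (host, sid), events in by_session.items():
        pam_err = None
        for ev in events:
            if ev["event"] == "Keyboard_interactive_pam_auth_error":
                pam_err = ev
            elif pam_err and ev["event"] == "Keyboard_interactive_password_auth_success":
                findings.append({"host": host, "session": sid, "user": ev.get("Username"),
                                 "pam_error": pam_err["detail"],
                                 # True when the failure came from the account phase
                                 "account_phase": "pam_acct_mgmt" in pam_err["detail"]})
                break
    return findings

if __name__ == "__main__":
    print(double_prompt_sessions(SAMPLE))
```
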