Re: [SSSD] ssh not working for sssd/pam configuration

Fri, 11 Jul 2014 08:08:25 -0700 

Thanks Lukas for the reply.
I've tested setting up a local account on the server to ssh to and was able to - not a problem. I tried a non sudo account in LDAP to ssh and that received - 'permission denied'. Tried a sudo account in LDAP and that receives a 'connection closed' message - as mentioned before. 


I've changed the debug_level to 7 as mentioned, but have since posting 
this message my logs are cluttered with people trying to hack.


NOTE:  TO THOSE POSTING INFO HERE..


Since this is the ONLY location I've posted information to, I've since 
seen activity in my log files from Vietnam, Spain, Montreal and other 
locations.
Those interested in trying to hack more, these are strictly test servers 
with test accounts and nothing on them and connected to nothing.



------ Original Message ------
From: "Lukas Slebodnik" <lsleb...@redhat.com>

To: "Sterling Sahaydak" <sterling.sahay...@pi-coral.com>; "Development 
of the System Security Services Daemon" 
<sssd-devel@lists.fedorahosted.org>

Sent: 7/10/2014 6:00:59 PM
Subject: Re: [SSSD] ssh not working for sssd/pam configuration


On (10/07/14 20:31), Sterling Sahaydak wrote:

Running CentOS 6.5 sssd 1.9.2 in a test environment and trying to
authenticate user: jsmith to ssh to server ldap-01.pcoral.net
running openldap on ldap-01.pcoral.net and authenticating to it.


[root@ldap-01 pam.d]# id -a jsmith
uid=1002(jsmith) gid=601(allowedusers) groups=601(allowedusers)
[root@ldap-01 pam.d]# getent group allowedusers
allowedusers:*:601:will,jsmith,1001
[root@ldap-01 pam.d]# getent passwd jsmith
jsmith:*:1002:601:john smith:/home/users/jsmith:/bin/sh

And trying the following:

[root@ldap-01 pam.d]# ssh -vvv jsm...@ldap-01.pcoral.net
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to ldap-01.pcoral.net [54.215.234.166] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1

debug1: Remote protocol version 2.0, remote software version 
OpenSSH_5.3

debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 792 bytes for a total of 813
debug1: SSH2_MSG_KEXINIT received

debug2: kex_parse_kexinit: 
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ssh-rsa,ssh-dss

debug2: kex_parse_kexinit: 
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit: 
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit: 
hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: 
hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0

debug2: kex_parse_kexinit: 
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ssh-rsa,ssh-dss

debug2: kex_parse_kexinit: 
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit: 
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit: 
hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: 
hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,z...@openssh.com
debug2: kex_parse_kexinit: none,z...@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: Wrote 24 bytes for a total of 837
debug2: dh_gen_key: priv key bits set: 120/256
debug2: bits set: 506/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: Wrote 144 bytes for a total of 981
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2

debug1: Host 'ldap-01.pcoral.net' is known and matches the RSA host 
key.

debug1: Found key in /root/.ssh/known_hosts:2
debug2: bits set: 517/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 16 bytes for a total of 997
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug3: Wrote 48 bytes for a total of 1045
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/identity ((nil))
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug3: Wrote 64 bytes for a total of 1109
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list
publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug3: no such identity: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
jsm...@ldap-01.pcoral.net's password:
debug3: packet_send2: adding 64 (len 59 padlen 5 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug3: Wrote 144 bytes for a total of 1253
Connection closed by 54.215.234.166

The phrase: 'Connection closed....' appears right away. I can connect 
as
root uing ssh and ldapsearch returns the correct information for the 
sudoers

role and allowedusers group.

Below you can see I can sudo as the user, but up above cannot ssh as 
the

user.

[root@ldap-01 ~]# sudo su qwerty
su: user qwerty does not exist
[root@ldap-01 ~]# sudo su jsmith
Creating directory '/home/users/jsmith'.
sh-4.1$ whoami
jsmith
sh-4.1$ exit
exit
[root@ldap-01 ~]# cd /home/users
[root@ldap-01 users]# ls -l
total 8
drwxr-xr-x. 2 jsmith allowedusers 4096 Jul 10 09:10 jsmith
drwxr-xr-x. 2 will allowedusers 4096 May 1 18:32 will

[root@ldap-01 users]# sudo su jsmith
sh-4.1$

Root can swith to any user an pam_sss will not be involved in process.
You should test from normal user without sudo





Essentially, getting in log file: debug.log


Jul 10 15:35:12 ldap-01 sshd[11567]: pam_sss(sshd:account): Access 
denied for

user jsmith: 6 (Permission denied)
Jul 10 15:35:12 ldap-01 sshd[11567]: Failed password for jsmith from
54.215.234.166 port 56712 ssh2

Jul 10 15:35:12 ldap-01 sshd[11568]: fatal: Access denied for user 
jsmith by

PAM account configuration


This part of log file is clean. Access was denied for user jsmith by 
pam_sss


You should increase verbosity of debugging in sssd.

    * put debug_level = 7 into pam an domain section 
(/etc/sssd/sssd.conf)

    * restart sssd
    * try to connect with ssh
    * analyse log files from /var/log/sssd/

LS


_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel






















					Reply via email to