Score:1

pam_unix(sshd:auth): authentication failure because of encrypted password from PAM stack


To configure sssd to connect to the AD server, I set id_provider to ldap.

As the AD server cannot accept TLS, I disabled it by:

  1. ldap_id_use_start_tls = false
  2. set ssl off in ldap.conf

When I log in via ftp with a domain account, it works, but it fails for ssh.

I compared tcpdump captures of ftp and ssh and found that the passwords in the LDAP bindRequest differ between ftp and ssh. It seems ssh encrypted the password, so pam_sss got the wrong password from the PAM stack.

The encrypted password is as below: simple: \b\n\r\177INCO

Is it possible to change it to a plaintext password for ssh?

Score:0

What you're seeing here isn't an encrypted password; it's from sshd, specifically:

const char junk[] = "\b\n\r\177INCORRECT";

Before sshd tries to authenticate with PAM, it calls getpwnam() to check if the user is valid. If not, it'll replace the entered password with a portion of the junk string, then validate the user/junk password with PAM.

What (I'm fairly certain) ended up being my problem was nscd. When I stopped that service, getpwnam worked, and the correct password was sent to the LDAP backend. I had nscd already installed, and without a restart, it was not checking LDAP for user queries. An easy way to test getpwnam calls from the command line would be to run id username or getent passwd username. But be careful, running getent passwd and looking for an expected username will work, even when the user-specific commands don't.
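A small diagnostic helper, added here as an example and not part of the answer above, that runs the getpwnam-style lookup the answer recommends and separately flags the enumeration-only case it warns about. It assumes getent(1) is available on the host.

```shell
#!/bin/sh
# Added example (not from the original answer): check whether a user resolves
# through NSS the way sshd's getpwnam() call does, and distinguish that from
# the user merely showing up in a full 'getent passwd' enumeration.
# Returns 0 = resolves, 1 = enumeration only, 2 = unknown, 3 = usage error.

check_nss_user() {
    user="$1"
    [ -n "$user" ] || { echo "usage: check_nss_user USERNAME" >&2; return 3; }

    # Direct lookup: this is what getpwnam(3) does and what sshd relies on
    # before it decides whether to hand PAM the real password or the junk string.
    if getent passwd "$user" >/dev/null 2>&1; then
        echo "ok: '$user' resolves via getpwnam; sshd will pass the real password to PAM"
        return 0
    fi

    # Enumeration-only check: the answer notes that the user can appear in a
    # full 'getent passwd' listing (e.g. via a stale nscd cache) while the
    # direct lookup above fails, which is the case that breaks sshd.
    if getent passwd | cut -d: -f1 | grep -qx "$user"; then
        echo "warn: '$user' is listed by 'getent passwd' but direct lookup fails"
        echo "      sshd's getpwnam() will not find this user; check nscd/sssd caches"
        return 1
    fi

    echo "fail: '$user' is unknown to NSS (check /etc/nsswitch.conf, sssd, nscd)"
    return 2
}
```

Run it as check_nss_user DOMAINUSER after restarting nscd or sssd; a 0 exit means the lookup sshd depends on is working.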

A.B
Your answer makes it look to me like you were the person who asked the original question. If that is the case, you should visit https://serverfault.com/help/merging-accounts .