Score:0

SSH access denied for one user


I encounter an error while trying to connect via SSH to a server, for one user. This user's home directory is in /opt, with a .ssh directory (permissions: 700) and an authorized_keys file containing the public key. It works with other users, whose home directories are in /home; using the same RSA key I can connect as another user. In /var/log/secure I get:

Apr  8 14:48:22 myserver sshd[338949]: pam_sss(sshd:account): Access denied for user myuser: 6 (Permission denied)
Apr  8 14:48:22 myserver sshd[338949]: fatal: Access denied for user myuser by PAM account configuration [preauth]

Using `ssh -vvv`, the last lines are:

debug1: Server accepts key: pkalg rsa-sha2-512 blen 535
debug2: input_userauth_pk_ok: fp SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
debug3: sign_and_send_pubkey: RSA SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
debug3: send packet: type 50
Authentication failed.

If I connect to this server as another user using the same key, it works. The only difference I see is that the home directory is in /opt instead of /home, and this user has an underscore in its login name. Have you encountered this kind of situation?

[EDIT] Additional information:

SELinux is disabled

[root@myserver ~]# getenforce
Disabled
[myuser@myserver ~]$ ls -la /opt/myuser/
drwx------ 2 myuser myuser    80 Apr  8 14:46 .ssh
[myuser@myserver ~]# ls -l /opt/myuser/.ssh/authorized_keys
-rw------- 1 myuser myuser  1131 Apr  8 14:46 /opt/myuser/.ssh/authorized_keys
[root@myserver ~]# namei -l /opt/myuser/.ssh/authorized_keys
f: /opt/myuser/.ssh/authorized_keys
dr-xr-xr-x root         root         /
drwxr-xr-x root         root         opt
drwx------ myuser       myuser       myuser
drwx------ myuser       myuser       .ssh
-rw------- myuser       myuser       authorized_keys
[root@myserver ~]# grep -v ^# /etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

SyslogFacility AUTHPRIV

PermitRootLogin no

AuthorizedKeysFile      .ssh/authorized_keys

PasswordAuthentication yes

ChallengeResponseAuthentication no

GSSAPIAuthentication yes
GSSAPICleanupCredentials no

UsePAM yes

X11Forwarding yes

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

Subsystem       sftp    /usr/libexec/openssh/sftp-server
[root@myserver ~]# cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

LDAP authentication is also enabled, via sssd.

Is SELinux involved?

@GeraldSchneider no, SELinux is disabled

Well, then you need to provide some more information. SSHd configuration, PAM configuration, more from your log files (increase log level if necessary). Actual permissions could also be helpful (`namei -l` is ideal for this).

@GeraldSchneider thank you, I added additional information in the post

You missed the `-l` parameter for `namei`, which shows the actual relevant information.

@GeraldSchneider oh, right, I edited it. Nice command by the way, I did not know it.
Rob

To me the `Access denied by PAM account configuration` error message suggests that the problem is not ssh or the permissions on the keys file, but the account properties (an incorrect shell, a group that isn't allowed to log on, a user explicitly denied access). Check the account properties and maybe see if there are matches in `/etc/security`.
Score:2

Given that LDAP authentication is enabled and access is denied for that particular user, that means the user has not been granted access in LDAP to that server.

You can check /etc/sssd/sssd.conf for allowed_users and allowed_groups, and then either add the username as an entry in 'allowed_users' or add it to the LDAP group mentioned in 'allowed_groups'.

Indeed, thank you Tewfik. I made a typo when adding the user to the LDAP group allowed to connect. I thought it was in the group, but the DN was incorrect. Now it works, thanks :)
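The two points raised in this thread, that `pam_sss(sshd:account)` denial means the key was accepted and the PAM *account* stage rejected the user, and that the decision comes from the SSSD access rules rather than from sshd, can be checked offline. The following script is an added example and is not code from the question, the answer or the SSSD project. The log excerpt and the sssd.conf are constructed; the script assumes the domain uses SSSD's `simple` access provider, whose real option names are `simple_allow_users` and `simple_allow_groups` (sssd-simple(5)), and it takes the user's group list as input, which on a live server would come from `id -Gn myuser`. With a group name that does not match (the typo case from this thread), the check fails exactly as the log line did; with the correct group it passes.

```python
"""Classify pam_sss denials from /var/log/secure and evaluate SSSD 'simple' access rules.

Added diagnostic example; nothing here is taken from the original post or from SSSD.
"""
import configparser
import re

# Constructed log excerpt: the two sshd lines from the question plus one
# successful login for a different user, to show the contrast.
SAMPLE_SECURE_LOG = """\
Apr  8 14:47:10 myserver sshd[338901]: Accepted publickey for other_user from 192.0.2.10 port 50122 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Apr  8 14:48:22 myserver sshd[338949]: pam_sss(sshd:account): Access denied for user myuser: 6 (Permission denied)
Apr  8 14:48:22 myserver sshd[338949]: fatal: Access denied for user myuser by PAM account configuration [preauth]
"""

# Constructed sssd.conf: one LDAP domain that restricts logins with the 'simple' access provider.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ldap
auth_provider = ldap
access_provider = simple
simple_allow_users = alice
simple_allow_groups = ssh_myserver
"""

# pam_sss logs "<service>:<stage>" where stage is auth, account, password or session.
PAM_SSS_DENY = re.compile(
    r"pam_sss\((?P<service>[^:]+):(?P<stage>\w+)\): Access denied for user (?P<user>\S+?):"
)


def find_pam_sss_denials(log_text):
    """Return one dict per pam_sss denial: which PAM service and stage rejected which user.

    stage == 'account' means the credentials (here, the SSH key) were accepted and
    the failure came from authorization rules, not from the key or password.
    """
    return [m.groupdict() for m in map(PAM_SSS_DENY.search, log_text.splitlines()) if m]


def _split_list(value):
    """sssd.conf lists are comma separated; drop blanks and surrounding whitespace."""
    return [item.strip() for item in value.split(",") if item.strip()]


def simple_access_allows(conf_text, domain, user, user_groups):
    """Evaluate SSSD's 'simple' access provider for one user.

    Returns True or False, or None when the domain does not use access_provider = simple
    (another provider such as 'ldap' or 'ad' decides there, with rules stored elsewhere).
    Semantics follow sssd-simple(5): allow lists are evaluated first, deny lists override
    them, and if either allow list is non-empty every user not listed is denied.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    section = cfg[f"domain/{domain}"]
    # 'permit' is SSSD's default access_provider when the option is absent.
    if section.get("access_provider", "permit").strip() != "simple":
        return None
    allow_users = _split_list(section.get("simple_allow_users", ""))
    allow_groups = _split_list(section.get("simple_allow_groups", ""))
    deny_users = _split_list(section.get("simple_deny_users", ""))
    deny_groups = _split_list(section.get("simple_deny_groups", ""))
    groups = set(user_groups)
    allowed = True
    if allow_users or allow_groups:
        allowed = user in allow_users or bool(groups & set(allow_groups))
    if user in deny_users or groups & set(deny_groups):
        allowed = False
    return allowed


if __name__ == "__main__":
    for denial in find_pam_sss_denials(SAMPLE_SECURE_LOG):
        print(f"{denial['user']} rejected in PAM '{denial['stage']}' stage of {denial['service']}")
    # Group memberships are constructed here; on a server they come from 'id -Gn myuser'.
    for groups in (["ssh_myservr"], ["ssh_myserver"]):
        print(groups, "->", simple_access_allows(SAMPLE_SSSD_CONF, "example.com", "myuser", groups))
```

The first group list mimics the situation in this thread: the user is not actually a member of the allowed group (here because of a misspelled name, in the thread because of a wrong DN), so the simple provider denies access even though the SSH key is valid. If `simple_access_allows` returns None, the restriction lives in another provider's rules (for example an LDAP access filter) and sssd.conf alone cannot explain the denial.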