
A user's password expired and was reset after the expiration in the FreeIPA web UI. The user gets the error `channel 0: open failed: administratively prohibited: open failed stdio forwarding failed` and cannot get into the host. I have tried to unlock the user from the web portal, and I have flushed the cache for that user with sss_cache. Nothing has been changed apart from the password. I can't get around this error.

This is the secure log:

Feb 26 09:15:36 xxxx-mng-bh-01 sshd[8665]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=a.b.c.d user=serverfault
Feb 26 09:15:36 xxxx-mng-bh-01 sshd[8665]: pam_sss(sshd:auth): received for user serverfault: 12 (Authentication token is no longer valid; new one required)
Feb 26 09:15:36 xxxx-mng-bh-01 sshd[8665]: Accepted password for serverfault from a.b.c.d port 63562 ssh2
Feb 26 09:15:37 xxxx-mng-bh-01 sshd[8665]: pam_unix(sshd:session): session opened for user serverfault by (uid=0)
Feb 26 09:15:37 xxxx-mng-bh-01 sshd[8665]: pam_unix(sshd:session): session closed for user serverfault

Riz

1 Answer


This message (administratively prohibited) is issued by OpenSSH. There are two cases when it could get issued from the server side:

  • opening a port is not allowed in sshd_config configuration (PermitOpen option)
  • TCP forwarding is not allowed or disabled in sshd_config configuration (AllowTcpForwarding option, for example)

In any case, it is not related to FreeIPA and password expiration.

abbra
  • I have checked the config file and `AllowTcpForwarding` is commented out while `PermitOpen` is not present at all. Why can all other users log on to the host except one (who has recently changed his password), and what effect will changing anything in the config file have on other users? – Riz Mar 01 '20 at 12:52
  • The changes, if any, should apply uniformly. You need to show more log details (both client and server, both sshd and sssd debug logs) to be able to demonstrate it is a problem outside sshd/ssh client communication. See https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html for sssd troubleshooting. But the messages you gave in the question are surely pointing to sshd refusal of opening ports/forwarding channels. – abbra Mar 02 '20 at 07:38
  • You were right about the problem not being related to FreeIPA. I am still not sure what the issue was. It was resolved by just changing the ssh client once. – Riz May 15 '20 at 07:04
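The two sshd_config options the answer names can differ per user when they are set inside a `Match` block, which is worth ruling out before looking beyond sshd. The following is an added example, not code from the post or from OpenSSH: it reads a copy of sshd_config and resolves `AllowTcpForwarding` and `PermitOpen` for one user using sshd's own precedence (first value in the global section wins, a matching `Match` block overrides it). It assumes the `Key value` syntax and only evaluates `Match User` criteria; the sample config is constructed.

```python
# Added example (not from the post): resolve AllowTcpForwarding/PermitOpen for one
# user the way sshd does: first global value wins, a matching 'Match' block overrides.
import fnmatch
import shlex

DEFAULTS = {"allowtcpforwarding": "yes", "permitopen": "any"}  # sshd_config(5) defaults

def _match_user(criteria, user):
    # Only 'Match User' (comma lists, * and ? wildcards) is evaluated; Group/Address
    # need connection context this helper lacks, so those lines are treated as not
    # matching (an assumption of this example, not sshd behaviour).
    if not criteria or len(criteria) % 2:
        return False
    for crit, val in zip(criteria[::2], criteria[1::2]):
        if crit.lower() != "user":
            return False
        if not any(fnmatch.fnmatchcase(user, p) for p in val.split(",")):
            return False
    return True

def effective_options(config_text, user):
    """AllowTcpForwarding / PermitOpen values sshd would apply to `user`."""
    global_vals, match_vals = {}, {}
    in_match = applies = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        key, args = tokens[0].lower(), tokens[1:]
        if key == "match":
            in_match, applies = True, _match_user(args, user)
            continue
        if key not in DEFAULTS:
            continue  # not one of the two options being audited
        target = match_vals if in_match else global_vals
        if (applies or not in_match) and key not in target:
            target[key] = " ".join(args)  # first obtained value wins
    return {k: match_vals.get(k, global_vals.get(k, d)) for k, d in DEFAULTS.items()}

# Constructed sample: the global section leaves both options at their defaults
# (as in the question), but Match blocks change them for particular users.
SAMPLE_CONFIG = """
#AllowTcpForwarding yes
Match User deploy
    AllowTcpForwarding no
Match User serverfault,svc-*
    PermitOpen 127.0.0.1:5432
"""
```

On the host itself, `sshd -T -C user=<name>` prints the effective values sshd will really use, including every kind of Match criterion; this helper is for reviewing a copied config offline.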