
I encounter an error while trying to connect via SSH to a server, for one user. This user's home directory is in /opt, with a .ssh directory (permissions: 700) and an authorized_keys file containing the public key. It works with other users, whose home directories are in /home; using the same RSA key I can connect as another user. In /var/log/secure I get:

Apr  8 14:48:22 myserver sshd[338949]: pam_sss(sshd:account): Access denied for user myuser: 6 (Permission denied)
Apr  8 14:48:22 myserver sshd[338949]: fatal: Access denied for user myuser by PAM account configuration [preauth]

Using ssh -vvv the last lines are:

debug1: Server accepts key: pkalg rsa-sha2-512 blen 535
debug2: input_userauth_pk_ok: fp SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
debug3: sign_and_send_pubkey: RSA SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
debug3: send packet: type 50
Authentication failed.

If I connect to this server as another user using the same key it works; the only difference I see is that the home directory is in /opt instead of /home. And this user has an underscore in its login name. Have you encountered this kind of situation?

[EDIT] Additional information:

SELinux is disabled

[root@myserver ~]# getenforce
Disabled
[myuser@myserver ~]$ ls -la /opt/myuser/
drwx------ 2 myuser myuser    80 Apr  8 14:46 .ssh
[myuser@myserver ~]# ls -l /opt/myuser/.ssh/authorized_keys
-rw------- 1 myuser myuser  1131 Apr  8 14:46 /opt/myuser/.ssh/authorized_keys
[root@myserver ~]# namei -l /opt/myuser/.ssh/authorized_keys
f: /opt/myuser/.ssh/authorized_keys
dr-xr-xr-x root         root         /
drwxr-xr-x root         root         opt
drwx------ myuser       myuser       myuser
drwx------ myuser       myuser       .ssh
-rw------- myuser       myuser       authorized_keys
[root@myserver ~]# grep -v ^# /etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

SyslogFacility AUTHPRIV

PermitRootLogin no

AuthorizedKeysFile      .ssh/authorized_keys

PasswordAuthentication yes

ChallengeResponseAuthentication no

GSSAPIAuthentication yes
GSSAPICleanupCredentials no

UsePAM yes

X11Forwarding yes

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

Subsystem       sftp    /usr/libexec/openssh/sftp-server
[root@myserver ~]# cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

LDAP authentication is also enabled, via sssd.

Jean Coiron
  • is selinux involved? – Gerald Schneider Apr 08 '22 at 13:02
  • @GeraldSchneider no, SELinux is disabled – Jean Coiron Apr 08 '22 at 13:41
  • Well, then you need to provide some more information. SSHd configuration, PAM configuration, more from your log files (increase log level if necessary). Actual permissions could also be helpful (`namei -l` is ideal for this). – Gerald Schneider Apr 08 '22 at 13:44
  • @GeraldSchneider thank you, I added additional information in the post – Jean Coiron Apr 08 '22 at 14:07
  • You missed the `-l` parameter for `namei`, which shows the actual relevant information. – Gerald Schneider Apr 08 '22 at 14:08
  • @GeraldSchneider oh, right, I edited it. Nice command by the way, I did not know it. – Jean Coiron Apr 08 '22 at 14:14
  • To me the `Access denied by PAM account configuration` error message suggests that the problem is not ssh or the permissions on the keys file, but with the account properties (an incorrect shell, a group that isn't allowed to log on, a user explicitly denied access) - check account properties and maybe see if there are matches in `/etc/security` – Rob Apr 08 '22 at 14:21

1 Answer

Given that LDAP authentication is enabled and access is denied for that particular user, that means that the user has not been granted access in LDAP to that server.

You can check /etc/sssd/sssd.conf for allowed_users and allowed_groups and then either add the username as an entry of 'allowed_users' or add the user to the LDAP group mentioned in 'allowed_groups'.

  • Indeed, thank you Tewfik. I made a typo when adding the user to the LDAP group allowed to connect. I thought it was in the group but the DN was incorrect. Now it works, thanks :) – Jean Coiron Apr 14 '22 at 15:57
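The triage this thread converges on, as an added example that is not part of the original question or answer and not code from sssd or OpenSSH. The client trace above already shows `Server accepts key`, and the server log names the PAM *account* phase (pam_sss return 6 is PAM_PERM_DENIED), so the key material and the /opt permissions are not the problem; what is left is host access control, which on an sssd host is usually the `simple` access provider. sssd spells those lists `simple_allow_users`, `simple_allow_groups`, `simple_deny_users` and `simple_deny_groups` under `access_provider = simple`. The script below first classifies log lines by the phase that failed, then evaluates a constructed sssd.conf stanza against a user's group list the way the simple provider's documented order (deny beats allow; no allow list means everyone not denied gets in) does. The host name and `myuser` are from the post; `otheruser`, `thirduser`, `alice`, `bob`, `carol`, the `example` domain, the group names and the IP address are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post, sssd or OpenSSH): triage an
# "Access denied ... by PAM account configuration" SSH failure.
# Part 1 classifies constructed /var/log/secure lines by the phase that failed.
# Part 2 evaluates sssd's "simple" access provider rules for a user.
# Host, user, group and domain names below are constructed, not real data.

# Constructed sample lines in the style of /var/log/secure (not a capture).
SAMPLE_LOG='Apr  8 14:48:22 myserver sshd[338949]: pam_sss(sshd:account): Access denied for user myuser: 6 (Permission denied)
Apr  8 14:48:22 myserver sshd[338949]: fatal: Access denied for user myuser by PAM account configuration [preauth]
Apr  8 15:01:10 myserver sshd[339102]: Authentication refused: bad ownership or modes for directory /opt/otheruser
Apr  8 15:02:31 myserver sshd[339140]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=thirduser'

# denial_stage: read sshd log lines on stdin, print "<stage> <subject>" per denial.
#   account  PAM account phase (pam_sss code 6 = PAM_PERM_DENIED): the key or
#            password was already accepted, so look at access control, not keys.
#   auth     PAM auth phase: the credential itself was rejected.
#   keyfile  sshd refused the key file/directory; subject is the path.
denial_stage() {
    while IFS= read -r line; do
        case "$line" in
            *"pam_sss(sshd:account): Access denied for user "*)
                u=${line#*"Access denied for user "}
                printf 'account %s\n' "${u%%:*}" ;;
            *"by PAM account configuration"*)
                ;;  # sshd's summary of the pam_sss line above; already reported
            *"pam_sss(sshd:auth): authentication failure"*)
                printf 'auth %s\n' "${line##*user=}" ;;
            *"Authentication refused: bad ownership or modes for "*)
                p=${line##*"modes for "}
                p=${p#"directory "}; p=${p#"file "}
                printf 'keyfile %s\n' "$p" ;;
        esac
    done
}

# Constructed sssd.conf fragment. The option names are sssd's real ones for
# access_provider = simple; the domain, users and groups are made up.
SAMPLE_SSSD_CONF='[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
access_provider = simple
simple_allow_users = alice
simple_allow_groups = ssh_users, ops_admins
simple_deny_groups = contractors
'

# domain_stanza DOMAIN CONF: print the body of the [domain/DOMAIN] section.
domain_stanza() {
    printf '%s\n' "$2" | awk -v d="[domain/$1]" '
        $0 == d { in_s = 1; next }
        /^\[/   { in_s = 0 }
        in_s    { print }'
}

# conf_value STANZA KEY: print the value of "KEY = value" (first match, trimmed).
conf_value() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# list_has "a, b, c" ITEM: succeed if ITEM is one of the comma-separated entries.
list_has() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qxF -- "$2"
}

# simple_access_check USER "GROUP ..." STANZA: mimic the simple provider's
# documented evaluation order. Deny lists win over allow lists; with no allow
# list set, everyone not denied gets in; otherwise only listed users/groups do.
# Returns 0 = granted, 1 = denied, 2 = stanza does not use the simple provider.
simple_access_check() {
    sac_user=$1 sac_groups=$2 sac_stanza=$3
    [ "$(conf_value "$sac_stanza" access_provider)" = simple ] || return 2
    sac_allow_u=$(conf_value "$sac_stanza" simple_allow_users)
    sac_allow_g=$(conf_value "$sac_stanza" simple_allow_groups)
    sac_deny_u=$(conf_value "$sac_stanza" simple_deny_users)
    sac_deny_g=$(conf_value "$sac_stanza" simple_deny_groups)
    list_has "$sac_deny_u" "$sac_user" && return 1
    for g in $sac_groups; do list_has "$sac_deny_g" "$g" && return 1; done
    [ -z "$sac_allow_u$sac_allow_g" ] && return 0
    list_has "$sac_allow_u" "$sac_user" && return 0
    for g in $sac_groups; do list_has "$sac_allow_g" "$g" && return 0; done
    return 1
}

# Demonstration on the constructed data: myuser is in no allowed group (the
# situation in the post); carol is allowed by group but denied by deny_groups.
printf '%s\n' "$SAMPLE_LOG" | denial_stage
stanza=$(domain_stanza example "$SAMPLE_SSSD_CONF")
for who in "alice users" "bob users ops_admins" "myuser users" "carol ssh_users contractors"; do
    set -- $who
    u=$1; shift
    if simple_access_check "$u" "$*" "$stanza"; then r=granted; else r=denied; fi
    printf '%-7s groups=[%s] -> %s\n' "$u" "$*" "$r"
done
```

On a real host, feed `grep sshd /var/log/secure | denial_stage` instead of the sample, and compare the group list from `id myuser` with the allow lists in the domain stanza. `sssctl user-checks -s sshd -a acct myuser` (from sssd-tools) runs the actual PAM account stack through sssd and reports the same decision the daemon would make. The `ldap` access provider (`ldap_access_filter`, typically a `memberOf=` filter) is the other common way to restrict hosts and is not modelled here. After fixing a group DN in LDAP, as the asker did, run `sss_cache -E` so sssd does not keep serving the cached negative result.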