4

I need to allow domain users (userid and password) access to a Centos 7 server, as well as local users (SSH key/passwordless). I have configured sshd_config with both AllowUsers and AllowGroups and assumed that if I added the local user to those it should work. However, I'm getting an error when local users try to log in:

sshd[23906]: pam_sss(sshd:account): Access denied for user datahub_push: 10 (User not known to the underlying authentication module)
sshd[23906]: fatal: Access denied for user datahub_push by PAM account configuration [preauth]

The domain users work just fine and have an entry under AllowGroups in sshd_config. After some googling there is a suggestion that I need to modify:

/etc/pam.d/sshd

...but I'm not sure what to change, or whether editing that file is best practice, i.e. should I use the authconfig tool instead?

Any help hugely appreciated.

machinist

2 Answers

3

I fixed it myself! I added the following line to

/etc/pam.d/sshd

account    sufficient   pam_localuser.so

After restarting sshd I am now able to log in as a domain user and a local user. Here's the full, working file:

#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    sufficient   pam_localuser.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

Hope this helps someone else :)

machinist
  • It doesn't work for me (Centos7). Even though smb.conf uses `security = ads` and I can see that I'm joined to AD, I can't log in with any domain account. However, with your change I *can* log in via SSH with the local account. Without your fix, I couldn't log in via SSH with either. – bgmCoder Mar 18 '19 at 01:54
  • Check your `/etc/nsswitch.conf` file. The _passwd:_ line should contain _files_ and _ldap_. Ex: `passwd: files nis ldap` – Scottie H Mar 19 '19 at 14:19
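As an added example (not from the answer above or any commenter), here is a small Python model of how PAM walks the account stack in that /etc/pam.d/sshd file. It assumes that `account include password-auth` on this host boils down to pam_sss, which knows only domain users, and it uses constructed user lists instead of a real /etc/passwd or AD.

```python
SUCCESS, USER_UNKNOWN, AUTH_ERR = "success", "user_unknown", "auth_err"

# Constructed data: one local account, one AD account (not real systems).
LOCAL_PASSWD = {"datahub_push"}
DOMAIN_USERS = {"jsmith"}

def pam_localuser(user, nologin_present):
    # Succeeds only when the user has a line in /etc/passwd.
    return SUCCESS if user in LOCAL_PASSWD else USER_UNKNOWN

def pam_nologin(user, nologin_present):
    # Denies non-root logins while /etc/nologin exists.
    return AUTH_ERR if nologin_present and user != "root" else SUCCESS

def pam_sss(user, nologin_present):
    # Assumed stand-in for "account include password-auth" here: sssd knows
    # only domain users and answers "user not known" (code 10) otherwise.
    return SUCCESS if user in DOMAIN_USERS else USER_UNKNOWN

def run_account_stack(stack, user, nologin_present=False):
    """Walk (control, module) pairs with PAM's required/sufficient rules.
    Returns (verdict, names of the modules that were actually consulted)."""
    required_failed = False
    consulted = []
    for control, module in stack:
        result = module(user, nologin_present)
        consulted.append(module.__name__)
        if control == "sufficient":
            # Success ends the stack unless an earlier required module
            # already failed; a failing sufficient line is simply ignored.
            if result == SUCCESS and not required_failed:
                return SUCCESS, consulted
        elif control == "required":
            # Failure is remembered, but the remaining modules still run.
            if result != SUCCESS:
                required_failed = True
    return (AUTH_ERR if required_failed else SUCCESS), consulted

# The answer's account section, and the same section without the added line.
FIXED_STACK = [("sufficient", pam_localuser),
               ("required", pam_nologin),
               ("required", pam_sss)]
ORIGINAL_STACK = FIXED_STACK[1:]

if __name__ == "__main__":
    for stack_name, stack in (("original", ORIGINAL_STACK), ("fixed", FIXED_STACK)):
        for user in ("datahub_push", "jsmith"):
            print(stack_name, user, run_account_stack(stack, user))
```

Because the sufficient line sits before pam_nologin, a local user is never checked against /etc/nologin in this model (`run_account_stack(FIXED_STACK, "datahub_push", nologin_present=True)` still succeeds), so where you place the line matters, not just whether it is present.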
0

It does not work even if nsswitch.conf is correct. We are using winbind and krb5 for passwd authentication. The winbind is working, but local user authentication is not working; we get Access Denied.

AF-2K