SSH (PAM) Authentication for Domain User

maksaraswat
Posts: 44
Joined: 2011/10/14 19:00:52
Location: New York

SSH (PAM) Authentication for Domain User

Post by maksaraswat » 2012/02/28 22:01:48

Hi,

I have CentOS configured with Samba and Winbind for file shares, which works fine. In order for domain users to log in to the Linux box, I configured the /etc/pam.d/sshd file. However, every time I try to log in as a domain user, it connects, shows the standard message "Last login: ...", and then disconnects, displaying the message "Connection to the SERVER-NAME is closed."

Also, it did ask me to manually create the /home/DOMAIN/ directory; otherwise it gives this message:

"Last login: Tue Feb 28 16:30:45 2012 from x.x.x.x
Could not chdir to home directory /home/DOMAIN/USER: No such file or directory
Connection to SERVER closed."

The /etc/pam.d/sshd looks like this:

auth sufficient pam_winbind.so
auth required pam_nologin.so
auth include system-auth
account sufficient pam_winbind.so
account include system-auth
session include system-auth
password include system-auth

The following are the messages in /var/log/secure (disregarding the break-in attempt part):

Feb 28 16:44:55 file3 sshd[4394]: reverse mapping checking getaddrinfo for machinename.domain.com failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 28 16:44:59 file3 sshd[4394]: pam_winbind(sshd:auth): getting password (0x00000000)
Feb 28 16:44:59 file3 sshd[4394]: pam_winbind(sshd:auth): user 'DOMAIN+User' granted access
Feb 28 16:44:59 file3 sshd[4394]: pam_winbind(sshd:account): user 'DOMAIN+User' granted access
Feb 28 16:44:59 file3 sshd[4394]: Accepted password for DOMAIN+User from x.x.x.x port 44240 ssh2
Feb 28 16:44:59 file3 sshd[4394]: pam_unix(sshd:session): session opened for user DOMAIN+User by (uid=0)
Feb 28 16:44:59 file3 sshd[4396]: Received disconnect from x.x.x.x: 11: disconnected by user
Feb 28 16:44:59 file3 sshd[4394]: pam_unix(sshd:session): session closed for user DOMAIN+User

I have also added the group that will be accessing this machine to the sudoers list.

Can anyone please help me make ssh work for domain users?


Thanks in advance!
Mayank
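
Added example (not part of the original thread): a Python triage of the /var/log/secure excerpt quoted in the post above. It shows that PAM and sshd both accepted the login and that the session closed in the same second it opened, which places the failure after authentication. The function name `triage` and the verdict strings are assumptions of this example, and it assumes one login per user in the excerpt.

```python
import re

# Constructed sample: the /var/log/secure lines quoted in the post above.
SAMPLE = """\
Feb 28 16:44:55 file3 sshd[4394]: reverse mapping checking getaddrinfo for machinename.domain.com failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 28 16:44:59 file3 sshd[4394]: pam_winbind(sshd:auth): getting password (0x00000000)
Feb 28 16:44:59 file3 sshd[4394]: pam_winbind(sshd:auth): user 'DOMAIN+User' granted access
Feb 28 16:44:59 file3 sshd[4394]: pam_winbind(sshd:account): user 'DOMAIN+User' granted access
Feb 28 16:44:59 file3 sshd[4394]: Accepted password for DOMAIN+User from x.x.x.x port 44240 ssh2
Feb 28 16:44:59 file3 sshd[4394]: pam_unix(sshd:session): session opened for user DOMAIN+User by (uid=0)
Feb 28 16:44:59 file3 sshd[4396]: Received disconnect from x.x.x.x: 11: disconnected by user
Feb 28 16:44:59 file3 sshd[4394]: pam_unix(sshd:session): session closed for user DOMAIN+User
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: (.*)$")
# Login milestones, keyed by user name since sshd logs under more than one PID.
STAGES = {
    "pam_ok": re.compile(r"\(sshd:(?:auth|account)\): user '([^']+)' granted access"),
    "accepted": re.compile(r"Accepted \S+ for (\S+) from "),
    "opened": re.compile(r"\(sshd:session\): session opened for user (\S+)"),
    "closed": re.compile(r"\(sshd:session\): session closed for user (\S+)"),
}

def triage(log_text):
    """Return {user: verdict} saying how far each login got."""
    seen = {}  # user -> {stage: timestamp of first occurrence}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = m.groups()
        for stage, rx in STAGES.items():
            hit = rx.search(msg)
            if hit:
                seen.setdefault(hit.group(1), {}).setdefault(stage, ts)
    verdicts = {}
    for user, st in seen.items():
        if "accepted" not in st:
            verdicts[user] = "PAM granted access but sshd did not accept the login"
        elif "opened" not in st:
            verdicts[user] = "accepted, but no session was opened"
        elif st.get("closed") == st["opened"]:
            verdicts[user] = "post-auth failure: session closed in the same second"
        else:
            verdicts[user] = "session established"
    return verdicts

if __name__ == "__main__":
    print(triage(SAMPLE))
```
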

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

SSH (PAM) Authentication for Domain User

Post by pschaff » 2012/03/03 10:22:59

The /etc/sudoers list has nothing to do with logging in via ssh. Is SELinux Enforcing? Did you set the correct SELinux context when you created the home directories?


Re: SSH (PAM) Authentication for Domain User

Post by maksaraswat » 2012/03/03 18:23:01

SELinux is disabled since installation.


Re: SSH (PAM) Authentication for Domain User

Post by pschaff » 2012/03/03 18:32:27

Bad idea, but at least eliminates one potential cause. Can local users log in? What are the permissions on ~/.ssh and contents for a domain user? Are you using passwords or SSH keys?


Re: SSH (PAM) Authentication for Domain User

Post by maksaraswat » 2012/03/04 02:01:48

Yes, local users are logging in fine.


Re: SSH (PAM) Authentication for Domain User

Post by pschaff » 2012/03/04 02:46:46

and ...


Re: SSH (PAM) Authentication for Domain User

Post by maksaraswat » 2012/03/07 22:15:42

There is no such file created, but there are 4 other files: .bash_logout, .bash_profile, .bashrc and .mozilla. The following are the permissions on all of them:

-rw------- 1 DOMAIN+username DOMAIN+user group 33 Feb 29 15:43

I need to permit only a particular group (say linuxadmin) to log in.

I am using a password for domain user authentication.


Thanks,
Mayank


Re: SSH (PAM) Authentication for Domain User

Post by pschaff » 2012/03/09 01:34:44

Sorry - you are outside my area of knowledge, but I can tell you that using ssh keys is generally more secure than passwords.
