Deepti_vobilineni

SSH login is failing with permission denied error in AIX 5.3 ML08

I have an AIX 5.3 ML08 server. When I try to log in with SSH, both as root user and non-root user, it fails with a permission denied error message.

Below is the output,
ssh -l user etr6506l3-aix93.ca.com
user@etr6506l3-aix93.ca.com's password:
Permission denied, please try again.
user@etr6506l3-aix93.ca.com's password:
Permission denied, please try again.
user@etr6506l3-aix93.ca.com's password:
Received disconnect from 155.35.7.36: 2: Too many authentication failures for user

If I look into the syslog messages file, the following PAM related error messages are observed,

May 14 07:08:01 etr6506l3-aix93 auth|security:debug sshd: PAM: pam_authenticate: error Authentication failed
May 14 07:08:01 etr6506l3-aix93 auth|security:debug sshd: PAM: pam_authenticate: error Authentication failed
May 14 07:08:01 etr6506l3-aix93 auth|security:info sshd[274440]: Failed password for user from 155.35.7.36 port 32836 ssh2
May 14 07:08:01 etr6506l3-aix93 auth|security:info sshd[274440]: Failed password for user from 155.35.7.36 port 32836 ssh2
May 14 07:08:01 etr6506l3-aix93 auth|security:info syslog: ssh: failed login attempt for user from etr6506l3-aix93.ca.com
May 14 07:08:01 etr6506l3-aix93 auth|security:info syslog: ssh: failed login attempt for user from etr6506l3-aix93.ca.com

Could you please help me out in resolving this problem?

The sshd_config file looks as below,
#       $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
# HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
MaxAuthTries 3

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost no
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no

# no default banner path
Banner /some/path

# override default of no subsystems
Subsystem       sftp    /usr/sbin/sftp-server


woolmilkporc

Do you actually use PAM?
If you don't, set UsePAM to no in sshd_config, restart sshd (stopsrc -s sshd ; startsrc -s sshd ) and retry.
wmp
Deepti_vobilineni

ASKER

Yes, we do actually use PAM,
and btw, I have even tried setting UsePAM no and restarting sshd (stopsrc -s sshd, startsrc -s sshd); still the same problem is observed :(

Is remote login allowed for the users in question?
Check with
lsuser -a rlogin user,user,user,...

Yes, remote login is enabled for this user,
# lsuser -a rlogin user
user rlogin=true

Even ssh login as root is failing with the same mentioned problem :(

However, if I try to login using telnet/rlogin, login is successful, both for root user and non-root user

Hi,
I have set the LogLevel to DEBUG in the sshd_config file, uncommented the line, and restarted the sshd subsystem.
Attached is the verbose output when I run
ssh -v -l user localhost

Also, please find below the debug output in syslog,
May 17 02:10:58 etr6506l3-aix93 auth|security:debug sshd[266354]: debug1: do_cleanup
May 17 02:10:58 etr6506l3-aix93 auth|security:debug sshd[266354]: debug1: do_cleanup
May 17 02:10:58 etr6506l3-aix93 auth|security:debug sshd[266354]: debug1: PAM: cleanup
May 17 02:10:58 etr6506l3-aix93 auth|security:debug sshd[266354]: debug1: PAM: cleanup

# ssh -v -l user localhost
OpenSSH_4.3p2, OpenSSL 0.9.7l 28 Sep 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /.ssh/identity type -1
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/identity
debug1: Trying private key: /.ssh/id_rsa
debug1: Trying private key: /.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
user@localhost's password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
user@localhost's password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
user@localhost's password:
Received disconnect from 127.0.0.1: 2: Too many authentication failures for user


The problem got solved.
Problem area: The ssh related lines in pam.conf got deleted

sshd    auth    optional        /usr/lib/security/pam_aix
sshd account required /usr/lib/security/pam_aix
sshd password required /usr/lib/security/pam_aix

Once pam.conf is updated with these lines, ssh is working properly.
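
The root cause reported above (sshd running with UsePAM yes while its lines were gone from pam.conf) can be checked for directly. The script below is an added example, not code from the thread: it reports, per PAM module type, whether a service has its own pam.conf entry, only inherits the OTHER entry, or has none. It assumes the four-column layout shown in the post and that OTHER is the fallback service name; the sample file contents and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit pam.conf coverage for one service.
# Line layout assumed: service  module_type  control_flag  module_path [options]

pam_service_coverage() {
    # $1 = path to a pam.conf-style file, $2 = service name (e.g. sshd)
    awk -v svc="$2" '
        BEGIN { n = split("auth account password session", types, " ") }
        /^[ \t]*#/ || NF < 4 { next }      # skip comments, blanks, short lines
        {
            s = tolower($1); t = tolower($2)
            if (s == tolower(svc)) explicit[t] = 1
            else if (s == "other") fallback[t] = 1
        }
        END {
            for (i = 1; i <= n; i++) {
                t = types[i]
                if (t in explicit)      print t, "explicit"
                else if (t in fallback) print t, "other"
                else                    print t, "missing"
            }
        }' "$1"
}

write_sample_pam_conf() {
    # Constructed sample (not the asker's real file): the sshd auth line is
    # commented out and the sshd password line is absent.
    cat > "$1" <<'EOF'
# constructed sample pam.conf
login   auth     required  /usr/lib/security/pam_aix
login   account  required  /usr/lib/security/pam_aix
sshd    account  required  /usr/lib/security/pam_aix
#sshd   auth     required  /usr/lib/security/pam_aix
OTHER   auth     required  /usr/lib/security/pam_prohibit
OTHER   session  required  /usr/lib/security/pam_aix
EOF
}

# Demo run against the constructed sample.
sample="${TMPDIR:-/tmp}/pam.conf.sample.$$"
write_sample_pam_conf "$sample"
pam_service_coverage "$sample" sshd
rm -f "$sample"
```

On a real host, run `pam_service_coverage /etc/pam.conf sshd`; any type that is not `explicit` is decided by the OTHER stack or by nothing at all, which is worth reviewing before enabling UsePAM.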