RHEL6 Remote User cannot log in via SSH

I have four RHEL6.4 vmware servers that perform specific backup duties and nothing else.

Users need to log in to the server remotely via SSH as the servers are located on physical hardware in a geographically diverse area.

I can log in remotely using the root account with no issue.  When I try and log in using a normal user account (to then sudo to root)  I cannot get access.  I get an 'incorrect password' prompt.  Even if I then log back in as root and change the specific username password, it still doesn't work when I try the user account again.

I have researched the problem across the Internet but many of the sites that may have the answer are blocked by company policy.

These accounts used to work with no problem, so something has changed but I need a few pointers please folks.

Asked by: Dave Henderson, Solution Architect

On the client, try running:
$ ssh -v user@hostname
$ ssh -vv user@hostname
(multiple v's)
It will spit a bunch of info, then ask for the password. Try to login, and it should give a verbose explanation of the failure.

Also, on the server, you can check /var/log/secure to see the failures and see if there is any info as to why in there.

One of these should give you the info you need to solve the problem.

If you cannot figure it out, post the information you receive from those options here.

My educated guess is that it has to do with SELinux being active on the server with incorrect settings, or an improperly configured /etc/ssh/sshd_config on the server.

Dave Henderson, Solution Architect, Author Commented:
Checked /var/log/secure and got this output
Nov 19 10:12:26 nbs003 sshd[7545]: Failed password for rja from 10.*.*.* port 65183 ssh2
Nov 19 10:12:35 nbs003 sshd[7545]: pam_tally2(sshd:auth): user rja (40138) tally 51, deny 3
Nov 19 10:12:37 nbs003 sshd[7545]: Failed password for rja from 10.*.*.* port 65183 ssh2
Nov 19 10:12:42 nbs003 sshd[7545]: pam_tally2(sshd:auth): user rja (40138) tally 52, deny 3
Nov 19 10:12:44 nbs003 sshd[7545]: Failed password for rja from 10.*.*.* port 65183 ssh2

So then I log onto the target server as root, successfully change the password for rja and try again...

Nov 19 10:22:14 nbs003 passwd[7643]: pam_unix(passwd:chauthtok): password changed for rja
Nov 19 10:22:36 nbs003 sshd[7647]: pam_tally2(sshd:auth): user rja (40138) tally 54, deny 3
Nov 19 10:22:38 nbs003 sshd[7647]: Failed password for rja from 10.*.*.* port 50232 ssh2

I am using SecureCRT as the client which has a pre-configured SSH connection (no script) so trying to figure out verbose logging on that end also....

Dave Henderson, Solution Architect, Author Commented:
I also checked the sshd_config file on all four servers and there were some discrepancies.

Two had the following;
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

And two had;
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes

After straightening these all out to be the latter with "ChallengeResponseAuthentication yes"... it still doesn't allow standard users to log in, only root.

Dave Henderson, Solution Architect, Author Commented:
Problem resolved.  My approach was wrong.  I hadn't figured out that the users had locked out their accounts! (These particular users are remote support technicians from an external company).

So, pam_tally2 --user=userid --reset fixed the issue.
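
Added example (not part of the original thread): a shell function that scans /var/log/secure-style lines for the pam_tally2 denial messages quoted above and flags accounts that were still denied after a password change, which is the situation the thread ran into. The sample log is constructed; the user "tech2" and the address 192.0.2.10 are made-up values.

```shell
#!/bin/sh
# Added example: summarise pam_tally2 denials found in /var/log/secure-style lines.

# Constructed sample in the format of the log lines quoted in the thread.
# "tech2" and the 192.0.2.10 address are made-up values for illustration.
sample_log() {
cat <<'EOF'
Nov 19 10:12:26 nbs003 sshd[7545]: Failed password for rja from 192.0.2.10 port 65183 ssh2
Nov 19 10:12:35 nbs003 sshd[7545]: pam_tally2(sshd:auth): user rja (40138) tally 51, deny 3
Nov 19 10:15:02 nbs003 sshd[7601]: pam_tally2(sshd:auth): user tech2 (40140) tally 4, deny 3
Nov 19 10:22:14 nbs003 passwd[7643]: pam_unix(passwd:chauthtok): password changed for rja
Nov 19 10:22:36 nbs003 sshd[7647]: pam_tally2(sshd:auth): user rja (40138) tally 54, deny 3
EOF
}

# Reads log lines on stdin; prints one line per account whose failure tally
# exceeds the configured deny limit, sorted by user name.
locked_accounts() {
    awk '
    /pam_tally2\(/ {
        user = ""; tally = ""; deny = ""
        for (i = 1; i < NF; i++) {
            if ($i == "user")  user  = $(i + 1)
            if ($i == "tally") tally = $(i + 1) + 0   # "+ 0" drops the comma
            if ($i == "deny")  deny  = $(i + 1) + 0
        }
        if (user != "" && deny != "" && tally > deny) {
            last[user] = tally; limit[user] = deny; hits[user]++
            # A denial after a password change: the new password did not
            # clear the counter, so the account is still locked.
            if (user in changed) stale[user] = 1
        }
        next
    }
    /pam_unix\(passwd:chauthtok\): password changed for / { changed[$NF] = 1 }
    END {
        for (u in last)
            printf "%s tally=%d deny=%d denials=%d denied_after_passwd=%s\n",
                u, last[u], limit[u], hits[u], ((u in stale) ? "yes" : "no")
    }' | sort
}

sample_log | locked_accounts
```

On a server, run it as root with `locked_accounts < /var/log/secure`; an account reported with denied_after_passwd=yes needs the counter reset shown in the thread, not another password change.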


Dave Henderson, Solution Architect, Author Commented:
Further research into core of problem revealed condition