Jason Yu

asked on

Why are my ssh-ldap-helper and ssh-ldap-wrapper files missing on a new AWS instance?

I provisioned a new AWS instance today and tried to integrate it with our LDAP server. I followed the documentation my predecessor left me and restarted the sshd service; however, it still didn't work. I compared the files under the folder /usr/libexec/openssh and found that two files are missing from my new instance: ssh-ldap-wrapper and ssh-ldap-helper. My question is how I can install them. Can I just copy these two files from other AWS instances that have already been added to the domain?

Please advise, thank you.
Attachment: Ldap-error.png
Joshua Hopkins

You will need to install those modules, not just copy the files. What Linux OS are you running in your AWS? That info will help. For example, on CentOS/RH, all you have to do to enable pam_ldap auth is "/usr/bin/authconfig --enableldapauth --update"

Again, on RH/CentOS, this command changes /etc/pam.d/system-auth (linked to system-auth-ac).

------------
cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
---------------


For local users (root and several others), you want to disable LDAP lookups. Otherwise, nss_ldap tries to look up these users in LDAP. Add this to your /etc/ldap.conf:
"nss_initgroups_ignoreusers root,bin,daemon,adm,mail,ftp,nscd,vcsa,sshd,dbus,avahi,haldaemon,ntp,ldap,named,apache"
Jason Yu (Asker)

It's a RHEL 7.2 AWS instance, and it didn't find that configuration file:

[root@ip-10-104-10-106 openssh]# cat /etc/*-release
NAME="Red Hat Enterprise Linux Server"
VERSION="7.2 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="7.2"
PRETTY_NAME="Red Hat Enterprise Linux Server 7.2 (Maipo)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:7.2:GA:server"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 7"
REDHAT_BUGZILLA_PRODUCT_VERSION=7.2
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="7.2"
Red Hat Enterprise Linux Server release 7.2 (Maipo)
Red Hat Enterprise Linux Server release 7.2 (Maipo)
[root@ip-10-104-10-106 openssh]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
[root@ip-10-104-10-106 openssh]# /usr/bin/authconfig --enableldapauth --update
bash: /usr/bin/authconfig: No such file or directory
[root@ip-10-104-10-106 openssh]#
Looks like you need to install the dependencies for it to work, i.e. LDAP is not installed. Once LDAP is installed you can run authconfig. Until then it will not work.
It looks like my LDAP packages have been installed; could you please take a look?


[root@PMSPROD ec2-user]# yum -y upgrade
Loaded plugins: amazon-id, rhui-lb, search-disabled-repos
No packages marked for update
[root@PMSPROD ec2-user]# yum -y install openssh-ldap
Loaded plugins: amazon-id, rhui-lb, search-disabled-repos
No package openssh-ldap available.
Error: Nothing to do
[root@PMSPROD ec2-user]# rpm -qa | grep openssh
openssh-server-6.6.1p1-25.el7_2.x86_64
openssh-6.6.1p1-25.el7_2.x86_64
openssh-clients-6.6.1p1-25.el7_2.x86_64
[root@PMSPROD ec2-user]# yum -y install nss-pam-ldapd
Loaded plugins: amazon-id, rhui-lb, search-disabled-repos
Package nss-pam-ldapd-0.8.13-8.el7.x86_64 already installed and latest version
Nothing to do
[root@PMSPROD ec2-user]# rpm -qa | grep ldapd
nss-pam-ldapd-0.8.13-8.el7.x86_64
[root@PMSPROD ec2-user]#
Why does your output have the two extra lines below?

password    sufficient    pam_ldap.so use_authtok


session     optional      pam_ldap.so
I found through the "authconfig" command that my LDAP configuration was wrong; where should I update this information?

[root@PMSPROD ec2-user]# authconfig --test | grep ldap
nss_ldap is enabled
 LDAP server = "ldap://instructor.example.com/"
pam_ldap is enabled
 LDAP server = "ldap://instructor.example.com/"
[root@PMSPROD ec2-user]#
I got the following error in the audit.log file.

At the same time, my sshd service stopped and complained about the two missing files.


[root@PMSPROD audit]# service sshd status
Redirecting to /bin/systemctl status  sshd.service
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2016-06-01 11:58:04 EDT; 5min ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 10686 (sshd)
   CGroup: /system.slice/sshd.service
           └─10686 /usr/sbin/sshd -D

Jun 01 11:58:04 PMSPROD sshd[10686]: Server listening on 0.0.0.0 port 22.
Jun 01 11:58:04 PMSPROD sshd[10686]: Server listening on :: port 22.
Jun 01 11:58:04 PMSPROD systemd[1]: Started OpenSSH server daemon.
Jun 01 11:58:04 PMSPROD systemd[1]: Starting OpenSSH server daemon...
Jun 01 12:00:27 PMSPROD sshd[10708]: error: Could not stat AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper": No such file or directory
Jun 01 12:00:27 PMSPROD sshd[10708]: error: Received disconnect from 10.104.10.40: 14: No supported authentication methods available [preauth]
[root@PMSPROD audit]#



--------------------------------------------------------
[root@PMSPROD audit]# vi audit.log

type=CRYPTO_KEY_USER msg=audit(1464796824.268:1600): pid=10709 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=73:96:58:f8:31:30:7b:57:89:86:50:98:57:6e:32:f6 direction=? spid=10709 suid=0  exe="/usr/sbin/sshd" hostname=? addr=10.104.10.40 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1464796824.268:1601): pid=10709 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=29:1b:66:4b:a8:7b:b9:50:71:bf:16:bf:38:dc:37:3c direction=? spid=10709 suid=0  exe="/usr/sbin/sshd" hostname=? addr=10.104.10.40 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1464796824.268:1602): pid=10709 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=db:c6:55:94:2b:47:83:62:24:29:be:02:a3:12:e2:ed direction=? spid=10709 suid=0  exe="/usr/sbin/sshd" hostname=? addr=10.104.10.40 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1464796824.352:1603): pid=10708 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256@libssh.org spid=10709 suid=74 rport=52961 laddr=10.104.10.106 lport=22  exe="/usr/sbin/sshd" hostname=? addr=10.104.10.40 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1464796824.352:1604): pid=10708 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256@libssh.org spid=10709 suid=74 rport=52961 laddr=10.104.10.106 lport=22  exe="/usr/sbin/sshd" hostname=? addr=10.104.10.40 terminal=? res=success'
type=USER_AUTH msg=audit(1464796827.557:1605): pid=10708 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="jyu" exe="/usr/sbin/sshd" hostname=? addr=10.104.10.40 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1464796827.725:1606): pid=10708 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=db:c6:55:94:2b:47:83:62:24:29:be:02:a3:12:e2:ed direction=? spid=10709 suid=74  exe="/usr/sbin/sshd" hostname=? addr=10.104.10.40 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1464796827.725:1607): pid=10708 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=10709 suid=74 rport=52961 laddr=10.104.10.106 lport=22  exe="/usr/sbin/sshd" hostname=? addr=10.104.10.40 terminal=? res=success'
type=USER_ERR msg=audit(1464796827.725:1608): pid=10708 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=10.104.10.40 addr=10.104.10.40 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1464796827.726:1609): pid=10708 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=73:96:58:f8:31:30:7b:57:89:86:50:98:57:6e:32:f6 direction=? spid=10708 suid=0  exe="/usr/sbin/sshd" hostname=? addr=10.104.10.40 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1464796827.726:1610): pid=10708 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=29:1b:66:4b:a8:7b:b9:50:71:bf:16:bf:38:dc:37:3c direction=? spid=10708 suid=0  exe="/usr/sbin/sshd" hostname=? addr=10.104.10.40 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1464796827.726:1611): pid=10708 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=db:c6:55:94:2b:47:83:62:24:29:be:02:a3:12:e2:ed direction=? spid=10708 suid=0  exe="/usr/sbin/sshd" hostname=? addr=10.104.10.40 terminal=? res=success'
type=USER_LOGIN msg=audit(1464796827.726:1612): pid=10708 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="jyu" exe="/usr/sbin/sshd" hostname=? addr=10.104.10.40 terminal=ssh res=failed'


----Please kindly help.
In my /etc/ssh/sshd_config configuration file, I have the following two lines defined. However, the file /usr/libexec/openssh/ssh-ldap-wrapper does not exist at that path. How can I install it?

thanks.


#AuthorizedPrincipalsFile none

AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
AuthorizedKeysCommandUser ec2-user
ASKER CERTIFIED SOLUTION
Joshua Hopkins
It looks like I cannot find openssh-ldap through yum. I have RHEL 7.2 on an AWS RHEL instance.

My boss suggested that I switch to Amazon Linux to get Amazon's repository. I believe there must be a way to resolve this, since RHEL is the most popular OS.

Please help.


[root@PMSPROD audit]# yum install openssh-ldap
Loaded plugins: amazon-id, rhui-lb, search-disabled-repos
No package openssh-ldap available.
Error: Nothing to do
[root@PMSPROD audit]# rpm -qa | grep openssh-ldap
[root@PMSPROD audit]# rpm -qa | grep openssh
openssh-server-6.6.1p1-25.el7_2.x86_64
openssh-6.6.1p1-25.el7_2.x86_64
openssh-clients-6.6.1p1-25.el7_2.x86_64
[root@PMSPROD audit]# rpm -qa | grep openssh-server
openssh-server-6.6.1p1-25.el7_2.x86_64
[root@PMSPROD audit]# rpm -qa | grep nss-pam-ldapd
nss-pam-ldapd-0.8.13-8.el7.x86_64
[root@PMSPROD audit]#
I would check the repos you have enabled.  You might need to enable the contrib or plus repos to have the install.
Finally, I had these two packages installed, please see below.

Unfortunately, I still couldn't use my private key to log in. I attached the error log; this time it shows a different error than the one I got before I installed these two packages.



[root@PMSPROD ec2-user]# yum search openssh-ldap
Loaded plugins: priorities, update-motd, upgrade-helper
956 packages excluded due to repository priority protections
========================== N/S matched: openssh-ldap ===========================
openssh-ldap.x86_64 : A LDAP support for open source SSH server daemon

  Name and summary matches only, use "search all" for everything.
[root@PMSPROD ec2-user]# yum install openssh-ldap.x86_64
Loaded plugins: priorities, update-motd, upgrade-helper
amzn-main/latest                                          | 2.1 kB     00:00
amzn-updates/latest                                       | 2.3 kB     00:00
956 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package openssh-ldap.x86_64 0:6.6.1p1-25.61.amzn1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package              Arch        Version                  Repository      Size
================================================================================
Installing:
 openssh-ldap         x86_64      6.6.1p1-25.61.amzn1      amzn-updates   104 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 104 k
Installed size: 73 k
Is this ok [y/d/N]: y
Downloading packages:
openssh-ldap-6.6.1p1-25.61.amzn1.x86_64.rpm                  | 104 kB     00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : openssh-ldap-6.6.1p1-25.61.amzn1.x86_64                      1/1
  Verifying  : openssh-ldap-6.6.1p1-25.61.amzn1.x86_64                      1/1

Installed:
  openssh-ldap.x86_64 0:6.6.1p1-25.61.amzn1

Complete!
[root@PMSPROD ec2-user]# yum search
Loaded plugins: priorities, update-motd, upgrade-helper
Error: Need an item to match
 Mini usage:

search SOME_STRING

Search package details for the given string
[root@PMSPROD ec2-user]# Total download size: 104 k
bash: Total: command not found
[root@PMSPROD ec2-user]# yum search nss-pam-ldap
Loaded plugins: priorities, update-motd, upgrade-helper
956 packages excluded due to repository priority protections
========================== N/S matched: nss-pam-ldap ===========================
nss-pam-ldapd.i686 : An nsswitch module which uses directory servers
nss-pam-ldapd.x86_64 : An nsswitch module which uses directory servers

  Name and summary matches only, use "search all" for everything.
[root@PMSPROD ec2-user]# yum install nss-pam-ldapd
Loaded plugins: priorities, update-motd, upgrade-helper
956 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package nss-pam-ldapd.x86_64 0:0.7.5-20.12.amzn1 will be installed
amzn-main/latest/filelists_db                            | 5.0 MB     00:00
amzn-updates/latest/filelists_db                         | 1.2 MB     00:00
epel/x86_64/filelists_db                                 | 8.0 MB     00:00
epel-debuginfo/x86_64/filelists_db                       | 3.5 MB     00:00
--> Processing Dependency: /lib64/security/pam_ldap.so for package: nss-pam-ldapd-0.7.5-20.12.amzn1.x86_64
--> Processing Dependency: nscd for package: nss-pam-ldapd-0.7.5-20.12.amzn1.x86_64
--> Running transaction check
---> Package nscd.x86_64 0:2.17-106.167.amzn1 will be installed
---> Package pam_ldap.x86_64 0:185-11.8.amzn1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch        Version                    Repository      Size
================================================================================
Installing:
 nss-pam-ldapd      x86_64      0.7.5-20.12.amzn1          amzn-main      171 k
Installing for dependencies:
 nscd               x86_64      2.17-106.167.amzn1         amzn-main      287 k
 pam_ldap           x86_64      185-11.8.amzn1             amzn-main       91 k

Transaction Summary
================================================================================
Install  1 Package (+2 Dependent packages)

Total download size: 549 k
Installed size: 791 k
Is this ok [y/d/N]: y
Downloading packages:
(1/3): nscd-2.17-106.167.amzn1.x86_64.rpm                    | 287 kB     00:00
(2/3): nss-pam-ldapd-0.7.5-20.12.amzn1.x86_64.rpm            | 171 kB     00:00
(3/3): pam_ldap-185-11.8.amzn1.x86_64.rpm                    |  91 kB     00:00
--------------------------------------------------------------------------------
Total                                               3.1 MB/s | 549 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : pam_ldap-185-11.8.amzn1.x86_64                               1/3
  Installing : nscd-2.17-106.167.amzn1.x86_64                               2/3
  Installing : nss-pam-ldapd-0.7.5-20.12.amzn1.x86_64                       3/3
  Verifying  : nscd-2.17-106.167.amzn1.x86_64                               1/3
  Verifying  : pam_ldap-185-11.8.amzn1.x86_64                               2/3
  Verifying  : nss-pam-ldapd-0.7.5-20.12.amzn1.x86_64                       3/3

Installed:
  nss-pam-ldapd.x86_64 0:0.7.5-20.12.amzn1

Dependency Installed:
  nscd.x86_64 0:2.17-106.167.amzn1          pam_ldap.x86_64 0:185-11.8.amzn1

Complete!
[root@PMSPROD ec2-user]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
[root@PMSPROD ec2-user]# service sshd status
openssh-daemon (pid  27808) is running...



Jun  1 17:27:20 ip-10-104-10-104 useradd[2391]: new group: name=ec2-user, GID=500
Jun  1 17:27:20 ip-10-104-10-104 useradd[2391]: new user: name=ec2-user, UID=500, GID=500, home=/home/ec2-user, shell=/bin/bash
Jun  1 17:27:20 ip-10-104-10-104 useradd[2391]: add 'ec2-user' to group 'wheel'
Jun  1 17:27:20 ip-10-104-10-104 useradd[2391]: add 'ec2-user' to shadow group 'wheel'
Jun  1 17:27:45 ip-10-104-10-104 sshd[2461]: Server listening on 0.0.0.0 port 22.
Jun  1 17:27:45 ip-10-104-10-104 sshd[2461]: Server listening on :: port 22.
Jun  1 17:34:03 ip-10-104-10-104 sshd[2605]: error: Received disconnect from 10.104.10.40: 14: No supported authentication methods available [preauth]
Jun  1 17:34:34 ip-10-104-10-104 sshd[2607]: Accepted publickey for ec2-user from 10.104.10.40 port 59262 ssh2: RSA 3b:a0:f5:21:87:65:58:82:53:1b:a2:50:f0:98:3b:4f
Jun  1 17:34:34 ip-10-104-10-104 sshd[2607]: pam_unix(sshd:session): session opened for user ec2-user by (uid=0)
Jun  1 17:34:40 ip-10-104-10-104 sudo: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/su
Jun  1 17:34:40 ip-10-104-10-104 su: pam_unix(su:session): session opened for user root by ec2-user(uid=0)
Jun  1 17:39:59 ip-10-104-10-104 su: pam_unix(su:session): session closed for user root
Jun  1 17:42:45 ip-10-104-10-104 sudo: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/su
Jun  1 17:42:45 ip-10-104-10-104 su: pam_unix(su:session): session opened for user root by ec2-user(uid=0)
Jun  1 17:46:09 ip-10-104-10-104 sshd[2692]: Accepted publickey for ec2-user from 10.104.10.40 port 59681 ssh2: RSA 3b:a0:f5:21:87:65:58:82:53:1b:a2:50:f0:98:3b:4f
Jun  1 17:46:09 ip-10-104-10-104 sshd[2692]: pam_unix(sshd:session): session opened for user ec2-user by (uid=0)
Jun  1 18:13:58 ip-10-104-10-104 sudo: ec2-user : TTY=pts/1 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/su
Jun  1 18:13:58 ip-10-104-10-104 su: pam_unix(su:session): session opened for user root by ec2-user(uid=0)
Jun  1 18:19:17 ip-10-104-10-104 sshd[2461]: Received signal 15; terminating.
Jun  1 18:19:17 ip-10-104-10-104 sshd[7354]: Server listening on 0.0.0.0 port 22.
Jun  1 18:19:17 ip-10-104-10-104 sshd[7354]: Server listening on :: port 22.
Jun  1 18:29:27 ip-10-104-10-104 sshd[7374]: Invalid user jyu from 10.104.10.40
Jun  1 18:29:27 ip-10-104-10-104 sshd[7374]: input_userauth_request: invalid user jyu [preauth]
Jun  1 18:29:27 ip-10-104-10-104 sshd[7374]: error: Received disconnect from 10.104.10.40: 14: No supported authentication methods available [preauth]
Jun  1 18:44:07 ip-10-104-10-104 sshd[7424]: Invalid user jyu from 10.104.10.40
Jun  1 18:44:07 ip-10-104-10-104 sshd[7424]: input_userauth_request: invalid user jyu [preauth]
Jun  1 18:44:07 ip-10-104-10-104 sshd[7424]: error: Received disconnect from 10.104.10.40: 14: No supported authentication methods available [preauth]
Jun  1 18:47:51 ip-10-104-10-104 sshd[27365]: error: Could not stat AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper": No such file or directory
Jun  1 18:47:52 ip-10-104-10-104 sshd[27365]: error: Received disconnect from 10.104.10.40: 14: No supported authentication methods available [preauth]
Jun  1 19:59:13 ip-10-104-10-104 sshd[27454]: error: Could not stat AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper": No such file or directory
Jun  1 19:59:13 ip-10-104-10-104 sshd[27454]: error: Could not stat AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper": No such file or directory
Jun  1 19:59:13 ip-10-104-10-104 sshd[27454]: Accepted publickey for ec2-user from 10.104.10.40 port 4561 ssh2: RSA 3b:a0:f5:21:87:65:58:82:53:1b:a2:50:f0:98:3b:4f
Jun  1 19:59:13 ip-10-104-10-104 sshd[27454]: pam_unix(sshd:session): session opened for user ec2-user by (uid=0)
Jun  1 20:01:26 ip-10-104-10-104 sudo: ec2-user : TTY=pts/2 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/usr/bin/yum update
Jun  1 20:03:43 ip-10-104-10-104 sudo: ec2-user : TTY=pts/2 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/usr/bin/yum install openldap-clients
Jun  1 20:06:28 ip-10-104-10-104 sshd[27565]: error: Could not stat AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper": No such file or directory
Jun  1 20:06:28 ip-10-104-10-104 sshd[27565]: error: Could not stat AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper": No such file or directory
Jun  1 20:06:28 ip-10-104-10-104 sshd[27565]: Accepted publickey for ec2-user from 10.104.10.40 port 5604 ssh2: RSA 3b:a0:f5:21:87:65:58:82:53:1b:a2:50:f0:98:3b:4f
Jun  1 20:06:28 ip-10-104-10-104 sshd[27565]: pam_unix(sshd:session): session opened for user ec2-user by (uid=0)
Jun  1 20:10:22 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/etc/ssh ; USER=root ; COMMAND=/bin/vi ldap.conf
Jun  1 20:11:07 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/etc ; USER=root ; COMMAND=/bin/vi sudo-ldap.conf
Jun  1 20:12:13 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/etc/ssh ; USER=root ; COMMAND=/bin/vi sshd_config
Jun  1 20:13:57 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/etc/ssh ; USER=root ; COMMAND=/bin/vi ldap.conf
Jun  1 20:15:02 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/etc/ssh ; USER=root ; COMMAND=/usr/bin/tail -fn 20 /var/log/secure
Jun  1 20:15:39 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/etc/ssh ; USER=root ; COMMAND=/usr/bin/tail -fn 20 /var/log/secure
Jun  1 20:20:31 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/usr/libexec/openssh ; USER=root ; COMMAND=/usr/bin/yum search openssh-ldap
Jun  1 20:23:25 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/usr/libexec/openssh ; USER=root ; COMMAND=/usr/bin/yum search nss-pam
Jun  1 20:23:33 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/usr/libexec/openssh ; USER=root ; COMMAND=/usr/bin/yum list installed nss-pam
Jun  1 20:23:40 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/usr/libexec/openssh ; USER=root ; COMMAND=/usr/bin/yum list installed openssh-ldap
Jun  1 20:24:10 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/usr/libexec/openssh ; USER=root ; COMMAND=/usr/bin/yum list installed openssh-ldap
Jun  1 20:24:14 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/usr/libexec/openssh ; USER=root ; COMMAND=/usr/bin/yum list installed openssh
Jun  1 20:24:17 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/usr/libexec/openssh ; USER=root ; COMMAND=/usr/bin/yum list installed openssh-ldap
Jun  1 20:24:35 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/usr/libexec/openssh ; USER=root ; COMMAND=/usr/bin/yum list installed nss-pam-ldap
Jun  1 20:25:11 ip-10-104-10-104 sshd[27565]: pam_unix(sshd:session): session closed for user ec2-user
Jun  1 20:43:50 ip-10-104-10-104 groupadd[27712]: group added to /etc/group: name=nscd, GID=28
Jun  1 20:43:50 ip-10-104-10-104 groupadd[27712]: group added to /etc/gshadow: name=nscd
Jun  1 20:43:50 ip-10-104-10-104 groupadd[27712]: new group: name=nscd, GID=28
Jun  1 20:43:50 ip-10-104-10-104 useradd[27717]: new user: name=nscd, UID=28, GID=28, home=/, shell=/sbin/nologin
Jun  1 20:43:50 ip-10-104-10-104 groupadd[27726]: group added to /etc/group: name=ldap, GID=55
Jun  1 20:43:50 ip-10-104-10-104 groupadd[27726]: group added to /etc/gshadow: name=ldap
Jun  1 20:43:50 ip-10-104-10-104 groupadd[27726]: new group: name=ldap, GID=55
Jun  1 20:43:50 ip-10-104-10-104 useradd[27731]: new user: name=nslcd, UID=65, GID=55, home=/, shell=/sbin/nologin
Jun  1 20:44:05 ip-10-104-10-104 sshd[27776]: Invalid user jyu from 10.104.10.40
Jun  1 20:44:05 ip-10-104-10-104 sshd[27776]: input_userauth_request: invalid user jyu [preauth]
Jun  1 20:44:05 ip-10-104-10-104 sshd[27776]: error: Received disconnect from 10.104.10.40: 14: No supported authentication methods available [preauth]
Jun  1 20:44:14 ip-10-104-10-104 sshd[7354]: Received signal 15; terminating.
Jun  1 20:44:14 ip-10-104-10-104 sshd[27808]: Server listening on 0.0.0.0 port 22.
Jun  1 20:44:14 ip-10-104-10-104 sshd[27808]: Server listening on :: port 22.
Jun  1 20:44:39 ip-10-104-10-104 sshd[27826]: Invalid user jyu from 10.104.10.40
Jun  1 20:44:39 ip-10-104-10-104 sshd[27826]: input_userauth_request: invalid user jyu [preauth]
Jun  1 20:44:39 ip-10-104-10-104 sshd[27826]: error: Received disconnect from 10.104.10.40: 14: No supported authentication methods available [preauth]
Jun  1 20:47:14 ip-10-104-10-104 sshd[27830]: error: AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper returned status 255
Jun  1 20:47:25 ip-10-104-10-104 sshd[27830]: error: AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper returned status 255
Jun  1 20:47:25 ip-10-104-10-104 sshd[27830]: Accepted publickey for ec2-user from 10.104.10.40 port 8934 ssh2: RSA 3b:a0:f5:21:87:65:58:82:53:1b:a2:50:f0:98:3b:4f
Jun  1 20:47:25 ip-10-104-10-104 sshd[27830]: pam_unix(sshd:session): session opened for user ec2-user by (uid=0)
Jun  1 20:49:44 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/usr/bin/tail -200 /var/log/secure
Jun  1 20:52:29 ip-10-104-10-104 sshd[27830]: pam_unix(sshd:session): session closed for user ec2-user


Is your LDAP connection set up? It is saying that the user does not exist. If you have another server already configured, you should check the ldap.conf and the ssh config files (all of them).

Is your public key in the authorized_keys file?
Yes, my public key is in the authorized_keys file on the LDAP server, but I didn't add my public key to this new server.

I am checking the ssh_config file now and the other one. Give me a few minutes.
I compared the two files with another client server, on which my private key works.

/etc/ssh/sshd_config   This one is good.

/etc/openldap/ldap.conf   This file on my new instance doesn't have the two lines defining the LDAP location. I added them and restarted the sshd service, but the result is the same.

Please take a look.
So please check the following:

For local users (root and several others), you want to disable LDAP lookups. Otherwise, nss_ldap tries to look up these users in LDAP. Add this to your /etc/ldap.conf:
"nss_initgroups_ignoreusers root,bin,daemon,adm,mail,ftp,nscd,vcsa,sshd,dbus,avahi,haldaemon,ntp,ldap,named,apache"

Compare between the two servers:

cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
This file looks exactly the same on the two instances.
Here is the file comparison.
I forgot to attach the picture file.
system-auth-file.png
I enabled debug mode on the sshd daemon and recorded a whole failed login process; please take a look.


[root@PMSPROD log]# service sshd stop
Stopping sshd:                                             [  OK  ]
[root@PMSPROD log]# vi /etc/sysconfig/sshd
[root@PMSPROD log]# servcie sshd start
bash: servcie: command not found
[root@PMSPROD log]# service sshd start
Starting sshd: debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 766
debug2: parse_server_config: config /etc/ssh/sshd_config len 766
debug3: /etc/ssh/sshd_config:23 setting Protocol 2
debug3: /etc/ssh/sshd_config:43 setting SyslogFacility AUTHPRIV
debug3: /etc/ssh/sshd_config:51 setting PermitRootLogin forced-commands-only
debug3: /etc/ssh/sshd_config:61 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: /etc/ssh/sshd_config:65 setting AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
debug3: /etc/ssh/sshd_config:66 setting AuthorizedKeysCommandUser ec2-user
debug3: /etc/ssh/sshd_config:82 setting PasswordAuthentication no
debug3: /etc/ssh/sshd_config:86 setting ChallengeResponseAuthentication no
debug3: /etc/ssh/sshd_config:96 setting GSSAPIAuthentication yes
debug3: /etc/ssh/sshd_config:97 setting GSSAPICleanupCredentials yes
debug3: /etc/ssh/sshd_config:114 setting UsePAM yes
debug3: /etc/ssh/sshd_config:119 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:125 setting PrintLastLog yes
debug3: /etc/ssh/sshd_config:145 setting AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
debug3: /etc/ssh/sshd_config:146 setting AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
debug3: /etc/ssh/sshd_config:147 setting AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
debug3: /etc/ssh/sshd_config:148 setting AcceptEnv XMODIFIERS
debug3: /etc/ssh/sshd_config:151 setting Subsystem sftp /usr/libexec/openssh/sftp-server
debug1: sshd version OpenSSH_6.6.1, OpenSSL 1.0.1k-fips 8 Jan 2015
debug3: Incorrect RSA1 identifier
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug3: Incorrect RSA1 identifier
debug3: Could not load "/etc/ssh/ssh_host_rsa_key" as a RSA1 public key
debug1: private host key: #0 type 1 RSA
debug3: Incorrect RSA1 identifier
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type DSA
debug3: Incorrect RSA1 identifier
debug3: Could not load "/etc/ssh/ssh_host_dsa_key" as a RSA1 public key
debug1: private host key: #1 type 2 DSA
debug3: Incorrect RSA1 identifier
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type ECDSA
debug3: Incorrect RSA1 identifier
debug3: Could not load "/etc/ssh/ssh_host_ecdsa_key" as a RSA1 public key
debug1: private host key: #2 type 3 ECDSA
debug3: Incorrect RSA1 identifier
debug3: Incorrect RSA1 identifier
debug3: Could not load "/etc/ssh/ssh_host_ed25519_key" as a RSA1 public key
debug1: private host key: #3 type 4 ED25519
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug3: oom_adjust_setup
Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug2: fd 4 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 766
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 10.104.10.40 port 53371 on 10.104.10.104 port 22
debug1: Client protocol version 2.0; client software version PuTTY_Snapshot_2015_09_27.acff0a6
debug1: no match: PuTTY_Snapshot_2015_09_27.acff0a6
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug2: fd 3 setting O_NONBLOCK
debug2: Network child is on pid 28349
debug3: preauth child monitor started
debug1: SELinux support disabled [preauth]
debug3: privsep user:group 74:74 [preauth]
debug1: permanently_set_uid: 74/74 [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0  [preauth]
debug2: kex_parse_kexinit: reserved 0  [preauth]
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,rsa2048-sha256,rsa1024-sha1 [preauth]
debug2: kex_parse_kexinit: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128 [preauth]
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128 [preauth]
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-etm@openssh.com [preauth]
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-etm@openssh.com [preauth]
debug2: kex_parse_kexinit: none,zlib [preauth]
debug2: kex_parse_kexinit: none,zlib [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0  [preauth]
debug2: kex_parse_kexinit: reserved 0  [preauth]
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none [preauth]
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none [preauth]
debug1: kex: curve25519-sha256@libssh.org need=64 dh_need=64 [preauth]
debug3: mm_request_send entering: type 120 [preauth]
debug3: mm_request_receive_expect entering: type 121 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 120
debug3: mm_request_send entering: type 121
debug1: kex: curve25519-sha256@libssh.org need=64 dh_need=64 [preauth]
debug3: mm_request_send entering: type 120 [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 120
debug3: mm_request_send entering: type 121
debug3: mm_request_receive_expect entering: type 121 [preauth]
debug3: mm_request_receive entering [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug3: mm_key_sign entering [preauth]
debug3: mm_request_send entering: type 6 [preauth]
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
debug3: mm_request_receive_expect entering: type 7 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 0x5598ff86dec0(83)
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug2: kex_derive_keys [preauth]
debug2: set_newkeys: mode 1 [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug2: set_newkeys: mode 0 [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user jyu service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug3: mm_getpwnamallow entering [preauth]
debug3: mm_request_send entering: type 8 [preauth]
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
debug3: mm_request_receive_expect entering: type 9 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 8
debug3: mm_answer_pwnamallow
debug3: Trying to reverse map address 10.104.10.40.
debug2: parse_server_config: config reprocess config len 766
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 9
debug2: monitor_read: 8 used once, disabling now
debug2: input_userauth_request: setting up authctxt for jyu [preauth]
debug3: mm_start_pam entering [preauth]
debug3: mm_request_send entering: type 100 [preauth]
debug3: mm_inform_authserv entering [preauth]
debug3: mm_request_send entering: type 4 [preauth]
debug3: mm_inform_authrole entering [preauth]
debug3: mm_request_send entering: type 80 [preauth]
debug2: input_userauth_request: try method none [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic" [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 100
debug1: PAM: initializing for "jyu"
debug1: PAM: setting PAM_RHOST to "10.104.10.40"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 100 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 80
debug3: mm_answer_authrole: role=
debug2: monitor_read: 80 used once, disabling now
debug1: userauth-request for user jyu service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug1: test whether pkalg/pkblob are acceptable [preauth]
debug3: mm_key_allowed entering [preauth]
debug3: mm_request_send entering: type 22 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect entering: type 23 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 22
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x5598ff872cd0
debug1: temporarily_use_uid: 500/500 (e=0/0)
debug3: Running AuthorizedKeysCommand: "/usr/libexec/openssh/ssh-ldap-wrapper jyu" as "ec2-user"
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 500/500 (e=0/0)
debug2: key not found
AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper returned status 255
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 20879/36278 (e=0/0)
debug1: trying public key file /home/jyu/.ssh/authorized_keys
debug1: Could not open authorized keys '/home/jyu/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: key 0x5598ff872cd0 is not allowed
Failed publickey for jyu from 10.104.10.40 port 53371 ssh2: RSA fa:03:2d:6a:75:c2:0b:e5:68:40:54:62:b2:c6:3f:b6
debug3: mm_request_send entering: type 23
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic" [preauth]
debug1: userauth-request for user jyu service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 2 failures 1 [preauth]
debug2: input_userauth_request: try method gssapi-with-mic [preauth]
debug3: mm_request_send entering: type 42 [preauth]
debug3: mm_request_receive_expect entering: type 43 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 42
debug1: Unspecified GSS failure.  Minor code may provide more information
Key table file '/etc/krb5.keytab' not found

debug3: mm_request_send entering: type 43
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic" [preauth]
Received disconnect from 10.104.10.40: 14: No supported authentication methods available [preauth]
debug1: do_cleanup [preauth]
debug3: PAM: sshpam_thread_cleanup entering [preauth]
debug3: mm_request_send entering: type 124 [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 124
debug3: mm_request_send entering: type 122 [preauth]
debug3: mm_request_receive_expect entering: type 123 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 122
debug3: mm_request_send entering: type 123
debug1: monitor_read_log: child log fd closed
debug3: mm_request_receive entering
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: Killing privsep child 28349
                                                           [FAILED]
[root@PMSPROD log]#


This is the error shown in my /var/log/secure file.

Jun  1 18:47:52 ip-10-104-10-104 sshd[27365]: error: Received disconnect from 10.104.10.40: 14: No supported authentication methods available [preauth]
Jun  1 19:59:13 ip-10-104-10-104 sshd[27454]: error: Could not stat AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper": No such file or directory
Jun  1 19:59:13 ip-10-104-10-104 sshd[27454]: error: Could not stat AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper": No such file or directory
Jun  1 19:59:13 ip-10-104-10-104 sshd[27454]: Accepted publickey for ec2-user from 10.104.10.40 port 4561 ssh2: RSA 3b:a0:f5:21:87:65:58:82:53:1b:a2:50:f0:98:3b:4f
Jun  1 19:59:13 ip-10-104-10-104 sshd[27454]: pam_unix(sshd:session): session opened for user ec2-user by (uid=0)
Jun  1 20:01:26 ip-10-104-10-104 sudo: ec2-user : TTY=pts/2 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/usr/bin/yum update
Jun  1 20:03:43 ip-10-104-10-104 sudo: ec2-user : TTY=pts/2 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/usr/bin/yum install openldap-clients
Jun  1 20:06:28 ip-10-104-10-104 sshd[27565]: error: Could not stat AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper": No such file or directory
Jun  1 20:06:28 ip-10-104-10-104 sshd[27565]: error: Could not stat AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper": No such file or directory
Jun  1 20:06:28 ip-10-104-10-104 sshd[27565]: Accepted publickey for ec2-user from 10.104.10.40 port 5604 ssh2: RSA 3b:a0:f5:21:87:65:58:82:53:1b:a2:50:f0:98:3b:4f
Jun  1 20:06:28 ip-10-104-10-104 sshd[27565]: pam_unix(sshd:session): session opened for user ec2-user by (uid=0)
Jun  1 20:10:22 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/etc/ssh ; USER=root ; COMMAND=/bin/vi ldap.conf
Jun  1 20:11:07 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/etc ; USER=root ; COMMAND=/bin/vi sudo-ldap.conf
Jun  1 20:12:13 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/etc/ssh ; USER=root ; COMMAND=/bin/vi sshd_config
Jun  1 20:13:57 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/etc/ssh ; USER=root ; COMMAND=/bin/vi ldap.conf
Jun  1 20:15:02 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/etc/ssh ; USER=root ; COMMAND=/usr/bin/tail -fn 20 /var/log/secure
Jun  1 20:15:39 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/etc/ssh ; USER=root ; COMMAND=/usr/bin/tail -fn 20 /var/log/secure
Jun  1 20:20:31 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/usr/libexec/openssh ; USER=root ; COMMAND=/usr/bin/yum search openssh-ldap
Jun  1 20:23:25 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/usr/libexec/openssh ; USER=root ; COMMAND=/usr/bin/yum search nss-pam
Jun  1 20:23:33 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/usr/libexec/openssh ; USER=root ; COMMAND=/usr/bin/yum list installed nss-pam
Jun  1 20:23:40 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/usr/libexec/openssh ; USER=root ; COMMAND=/usr/bin/yum list installed openssh-ldap
Jun  1 20:24:10 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/usr/libexec/openssh ; USER=root ; COMMAND=/usr/bin/yum list installed openssh-ldap
Jun  1 20:24:14 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/usr/libexec/openssh ; USER=root ; COMMAND=/usr/bin/yum list installed openssh
Jun  1 20:24:17 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/usr/libexec/openssh ; USER=root ; COMMAND=/usr/bin/yum list installed openssh-ldap
Jun  1 20:24:35 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/usr/libexec/openssh ; USER=root ; COMMAND=/usr/bin/yum list installed nss-pam-ldap
Jun  1 20:25:11 ip-10-104-10-104 sshd[27565]: pam_unix(sshd:session): session closed for user ec2-user
Jun  1 20:43:50 ip-10-104-10-104 groupadd[27712]: group added to /etc/group: name=nscd, GID=28
Jun  1 20:43:50 ip-10-104-10-104 groupadd[27712]: group added to /etc/gshadow: name=nscd
Jun  1 20:43:50 ip-10-104-10-104 groupadd[27712]: new group: name=nscd, GID=28
Jun  1 20:43:50 ip-10-104-10-104 useradd[27717]: new user: name=nscd, UID=28, GID=28, home=/, shell=/sbin/nologin
Jun  1 20:43:50 ip-10-104-10-104 groupadd[27726]: group added to /etc/group: name=ldap, GID=55
Jun  1 20:43:50 ip-10-104-10-104 groupadd[27726]: group added to /etc/gshadow: name=ldap
Jun  1 20:43:50 ip-10-104-10-104 groupadd[27726]: new group: name=ldap, GID=55
Jun  1 20:43:50 ip-10-104-10-104 useradd[27731]: new user: name=nslcd, UID=65, GID=55, home=/, shell=/sbin/nologin
Jun  1 20:44:05 ip-10-104-10-104 sshd[27776]: Invalid user jyu from 10.104.10.40
Jun  1 20:44:05 ip-10-104-10-104 sshd[27776]: input_userauth_request: invalid user jyu [preauth]
Jun  1 20:44:05 ip-10-104-10-104 sshd[27776]: error: Received disconnect from 10.104.10.40: 14: No supported authentication methods available [preauth]
Jun  1 20:44:14 ip-10-104-10-104 sshd[7354]: Received signal 15; terminating.
Jun  1 20:44:14 ip-10-104-10-104 sshd[27808]: Server listening on 0.0.0.0 port 22.
Jun  1 20:44:14 ip-10-104-10-104 sshd[27808]: Server listening on :: port 22.
Jun  1 20:44:39 ip-10-104-10-104 sshd[27826]: Invalid user jyu from 10.104.10.40
Jun  1 20:44:39 ip-10-104-10-104 sshd[27826]: input_userauth_request: invalid user jyu [preauth]
Jun  1 20:44:39 ip-10-104-10-104 sshd[27826]: error: Received disconnect from 10.104.10.40: 14: No supported authentication methods available [preauth]
Jun  1 20:47:14 ip-10-104-10-104 sshd[27830]: error: AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper returned status 255
Jun  1 20:47:25 ip-10-104-10-104 sshd[27830]: error: AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper returned status 255
Jun  1 20:47:25 ip-10-104-10-104 sshd[27830]: Accepted publickey for ec2-user from 10.104.10.40 port 8934 ssh2: RSA 3b:a0:f5:21:87:65:58:82:53:1b:a2:50:f0:98:3b:4f
Jun  1 20:47:25 ip-10-104-10-104 sshd[27830]: pam_unix(sshd:session): session opened for user ec2-user by (uid=0)
Jun  1 20:49:44 ip-10-104-10-104 sudo: ec2-user : TTY=pts/3 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/usr/bin/tail -200 /var/log/secure
Jun  1 20:52:29 ip-10-104-10-104 sshd[27830]: pam_unix(sshd:session): session closed for user ec2-user
Jun  1 21:06:47 ip-10-104-10-104 sshd[27921]: Invalid user ec-user from 10.104.10.40
Jun  1 21:06:47 ip-10-104-10-104 sshd[27921]: input_userauth_request: invalid user ec-user [preauth]
Jun  1 21:06:47 ip-10-104-10-104 sshd[27921]: error: Received disconnect from 10.104.10.40: 14: No supported authentication methods available [preauth]
Jun  1 21:21:13 ip-10-104-10-104 sshd[27808]: Received signal 15; terminating.
Jun  1 21:21:13 ip-10-104-10-104 sshd[27989]: Server listening on 0.0.0.0 port 22.
Jun  1 21:21:13 ip-10-104-10-104 sshd[27989]: Server listening on :: port 22.
Jun  1 21:21:33 ip-10-104-10-104 sshd[27991]: Invalid user jyu from 10.104.10.40
Jun  1 21:21:33 ip-10-104-10-104 sshd[27991]: input_userauth_request: invalid user jyu [preauth]
Jun  1 21:21:33 ip-10-104-10-104 sshd[27991]: error: Received disconnect from 10.104.10.40: 14: No supported authentication methods available [preauth]
Jun  1 21:26:53 ip-10-104-10-104 sshd[27989]: Received signal 15; terminating.
Jun  1 21:26:53 ip-10-104-10-104 sshd[28028]: Server listening on 0.0.0.0 port 22.
Jun  1 21:26:53 ip-10-104-10-104 sshd[28028]: Server listening on :: port 22.
Jun  1 21:27:08 ip-10-104-10-104 sshd[28030]: Invalid user jyu from 10.104.10.40
Jun  1 21:27:08 ip-10-104-10-104 sshd[28030]: input_userauth_request: invalid user jyu [preauth]
Jun  1 21:27:08 ip-10-104-10-104 sshd[28030]: error: Received disconnect from 10.104.10.40: 14: No supported authentication methods available [preauth]
Jun  1 21:40:11 ip-10-104-10-104 sshd[28028]: Received signal 15; terminating.
Jun  1 21:40:11 ip-10-104-10-104 sshd[28209]: Server listening on 0.0.0.0 port 22.
Jun  1 21:40:11 ip-10-104-10-104 sshd[28209]: Server listening on :: port 22.
Jun  1 21:40:43 ip-10-104-10-104 sshd[28216]: error: AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper returned status 255
Jun  1 21:40:43 ip-10-104-10-104 sshd[28216]: error: Received disconnect from 10.104.10.40: 14: No supported authentication methods available [preauth]
Jun  1 21:42:57 ip-10-104-10-104 sshd[28225]: error: AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper returned status 255
Jun  1 21:42:57 ip-10-104-10-104 sshd[28225]: error: Received disconnect from 10.104.10.40: 14: No supported authentication methods available [preauth]
Jun  1 21:46:57 ip-10-104-10-104 sshd[28209]: Received signal 15; terminating.
Jun  1 21:46:57 ip-10-104-10-104 sshd[28292]: Server listening on 0.0.0.0 port 22.
Jun  1 21:46:57 ip-10-104-10-104 sshd[28292]: Server listening on :: port 22.
Jun  1 21:47:31 ip-10-104-10-104 sshd[28295]: error: AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper returned status 255
Jun  1 21:47:31 ip-10-104-10-104 sshd[28295]: error: Received disconnect from 10.104.10.40: 14: No supported authentication methods available [preauth]
Jun  1 21:53:07 ip-10-104-10-104 sshd[28292]: Received signal 15; terminating.
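The two /var/log/secure excerpts in this thread (the earlier paste and the one just above) show three different failure signatures one after another: sshd cannot stat the AuthorizedKeysCommand (the openssh-ldap package is not installed), then "Invalid user jyu" (the host cannot resolve the user through NSS, so sshd rejects the login before it looks at any key), then the wrapper is present but exits 255 (the LDAP query itself fails). The script below is an added example, not part of the thread and not from OpenSSH: it sorts such lines by stage and prints the remediation the thread arrived at. The sample lines are constructed after the ones above, and the stage names and hints are this example's own.

```shell
#!/bin/sh
# Added example: classify sshd failure lines from /var/log/secure into the
# stage of an LDAP-backed public-key login that broke. Stage names and hints
# are this example's own; the sample log is constructed after the thread.

# Map one sshd log line to a stage name, or "-" if it carries no signal.
classify_sshd_line() {
    case "$1" in
        *"Could not stat AuthorizedKeysCommand"*)
            printf '%s\n' helper-missing ;;     # helper binary absent on disk
        *"Invalid user "*)
            printf '%s\n' user-unknown ;;       # NSS cannot resolve the login name
        *"AuthorizedKeysCommand "*"returned status 255"*)
            printf '%s\n' helper-failed ;;      # helper ran, LDAP lookup failed
        *"Key table file '/etc/krb5.keytab' not found"*)
            printf '%s\n' gssapi-no-keytab ;;   # GSSAPI offered but no keytab
        *"No supported authentication methods available"*)
            printf '%s\n' client-gave-up ;;     # symptom only, every method failed
        *"Accepted publickey for "*)
            printf '%s\n' accepted ;;
        *)  printf '%s\n' - ;;
    esac
}

# Read log lines on stdin; print "count stage" pairs, one per stage seen.
triage_sshd_log() {
    while IFS= read -r line; do
        classify_sshd_line "$line"
    done | grep -v '^-$' | sort | uniq -c | awk '{print $1, $2}'
}

# One-line remediation per stage, as worked out in the thread.
hint_for_stage() {
    case "$1" in
        helper-missing)   printf '%s\n' 'install openssh-ldap (ships ssh-ldap-helper and ssh-ldap-wrapper)' ;;
        user-unknown)     printf '%s\n' 'install and configure nss-pam-ldapd so "getent passwd <user>" resolves via LDAP' ;;
        helper-failed)    printf '%s\n' 'fix uri/base in /etc/ssh/ldap.conf and run the wrapper by hand as AuthorizedKeysCommandUser' ;;
        gssapi-no-keytab) printf '%s\n' 'harmless unless Kerberos is intended; otherwise set GSSAPIAuthentication no' ;;
        client-gave-up)   printf '%s\n' 'symptom only: read the preceding lines for the real stage' ;;
        accepted)         printf '%s\n' 'login succeeded' ;;
        *)                printf '%s\n' 'unknown stage' ;;
    esac
}

# Constructed sample, patterned on the lines posted in the thread.
SAMPLE_LOG='Jun  1 19:59:13 host sshd[27454]: error: Could not stat AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper": No such file or directory
Jun  1 19:59:13 host sshd[27454]: Accepted publickey for ec2-user from 10.104.10.40 port 4561 ssh2: RSA 3b:a0:f5:21:87:65:58:82:53:1b:a2:50:f0:98:3b:4f
Jun  1 20:44:05 host sshd[27776]: Invalid user jyu from 10.104.10.40
Jun  1 20:44:05 host sshd[27776]: input_userauth_request: invalid user jyu [preauth]
Jun  1 20:44:05 host sshd[27776]: error: Received disconnect from 10.104.10.40: 14: No supported authentication methods available [preauth]
Jun  1 21:40:43 host sshd[28216]: error: AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper returned status 255
Jun  1 21:40:43 host sshd[28216]: error: Received disconnect from 10.104.10.40: 14: No supported authentication methods available [preauth]'

# Report: count, stage, hint. Feed a real file with: triage_sshd_log < /var/log/secure
printf '%s\n' "$SAMPLE_LOG" | triage_sshd_log | while read -r n stage; do
    printf '%3s  %-16s %s\n' "$n" "$stage" "$(hint_for_stage "$stage")"
done
```

The lowercase "input_userauth_request: invalid user" line is deliberately left unclassified so that one rejected login is counted once; "No supported authentication methods available" is counted but flagged as a symptom, since in the transcript it only reports that the client ran out of methods after the real failure.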
Hi, Joshua:

Finally, I got it resolved by installing those two missing packages and rerunning the script.

Thank you very much for your help, I really appreciate it.

Jason
Thank you, Joshua, you really gave good advice. It's you who motivated me to resolve this issue.

Have a nice day!
You are welcome
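For verifying the fix on a freshly built instance without reading sshd -ddd output again, here is an added pre-flight script (not from the thread and not from OpenSSH) that walks the same chain sshd walked in the transcript above: packages, the helper binary named by AuthorizedKeysCommand, the NSS lookup of the login name, and finally the helper run as AuthorizedKeysCommandUser the way sshd runs it. It assumes an RPM-based host with the default paths shown in the thread and a working sudo for the helper run; the function names are this example's own.

```shell
#!/bin/sh
# Added example: reproduce, outside sshd, each step of an LDAP-backed
# public-key login so a failure is pinned to a package, NSS or the helper.
# Assumes RPM packaging and sudo; paths are the defaults seen in the thread.
# Usage: sh ssh-ldap-preflight.sh <login-name>

SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}

# Value of one sshd_config keyword (first match, keyword case-insensitive,
# commented lines ignored); prints nothing if the keyword is not set.
sshd_config_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Run the helper as sshd does: as AuthorizedKeysCommandUser, not as root.
# $1 = helper path, $2 = run-as user, $3 = login name; keys go to stdout.
run_helper_as() {
    sudo -n -u "$2" "$1" "$3"
}

preflight() {
    user=$1
    helper=$(sshd_config_value "$SSHD_CONFIG" AuthorizedKeysCommand)
    runas=$(sshd_config_value "$SSHD_CONFIG" AuthorizedKeysCommandUser)
    rc=0

    # 1. packages: openssh-ldap ships the helper and wrapper, nss-pam-ldapd ships nslcd
    for pkg in openssh-ldap nss-pam-ldapd; do
        if rpm -q "$pkg" >/dev/null 2>&1; then echo "ok   package $pkg installed"
        else echo "FAIL package $pkg missing (yum install $pkg)"; rc=1; fi
    done

    # 2. the helper sshd will exec (the "Could not stat AuthorizedKeysCommand" error)
    if [ -z "$helper" ]; then echo "FAIL AuthorizedKeysCommand not set in $SSHD_CONFIG"; rc=1
    elif [ -x "$helper" ]; then echo "ok   $helper is executable"
    else echo "FAIL $helper missing or not executable"; rc=1; fi

    # 3. NSS: an unresolved name is rejected as "Invalid user" before any key is checked
    if getent passwd "$user" >/dev/null 2>&1; then echo "ok   getent resolves $user"
    else echo "FAIL getent passwd $user failed: nslcd/nss-pam-ldapd not answering"; rc=1; fi

    # 4. least privilege: sshd_config(5) recommends a dedicated, otherwise unused account here
    shell=$(getent passwd "$runas" 2>/dev/null | cut -d: -f7)
    case "$shell" in
        */nologin|*/false) echo "ok   AuthorizedKeysCommandUser $runas has no login shell" ;;
        *) echo "WARN AuthorizedKeysCommandUser is '$runas' (shell: $shell); use a dedicated non-login account" ;;
    esac

    # 5. the helper itself, under the same uid sshd would use (255 was the status logged above)
    if [ -n "$helper" ] && [ -x "$helper" ]; then
        keys=$(run_helper_as "$helper" "$runas" "$user"); st=$?
        if [ "$st" -eq 0 ] && [ -n "$keys" ]; then
            echo "ok   helper returned $(printf '%s\n' "$keys" | grep -c .) key(s) for $user"
        else
            echo "FAIL helper exit status $st, no keys: check uri/base in /etc/ssh/ldap.conf"; rc=1
        fi
    fi
    return "$rc"
}

if [ $# -eq 1 ]; then preflight "$1"; fi
```

Step 4 is the caveat worth keeping after the fix: in the transcript sshd runs the wrapper as ec2-user, the same sudo-capable account used for administration, whereas sshd_config(5) recommends a dedicated user that has no other role on the host, so that a bug in the helper or in its LDAP client library cannot be turned into an administrative session.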