Active Directory Users Unable to Login via SSH using SSSD and Getting “Permission Denied, Please Try Again” [CentOS/RHEL]
The Problem
1. Integration of a Linux node with Active Directory for authentication fails with error ‘Permission denied, please try again’ while connecting using ssh:
# ssh [hostname] -l [username]@[DOMAINNAME].com The authenticity of host '[hostname] ([IP ADDRESS])' can't be established. RSA key fingerprint is 4f:3b:ba:b2:b7:6e:d0:b7:dd:a6:4b:32:ac:e3:58:63. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '[hostname],[IP ADDRESS]' (RSA) to the list of known hosts. [username]@.com@[hostname]'s password: Permission denied, please try again. [username]@ .com@[hostname]'s password:
2. Verified the username and password are correct:
$ su - [username] # su - [username]@[DOMAINNAME].com
3. The authentication failures can be observed in the /var/log/secure history:
Apr 3 23:20:24 [hostname] sshd[323944]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ittwhxh1n62.na.admworld.com user=[username] Apr 3 23:20:24 [hostname] sshd[323944]: pam_tally2(sshd:auth): user [username] (1494516080) tally 11, deny 5 <<<<<<<<<<<<< Apr 3 23:20:26 [hostname] sshd[323944]: Failed password for [username] from [IP ADDRESS] port 51803 ssh2 Apr 3 23:20:34 [hostname] sshd[323944]: pam_tally2(sshd:auth): user [username] (1494516080) tally 12, deny 5 <<<<<<<<<<<<< Apr 3 23:20:37 [hostname] sshd[323944]: Failed password for [username] from [IP ADDRESS] port 51803 ssh2 Apr 3 23:20:40 [hostname] sshd[323944]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ittwhxh1n62.na.admworld.com user=[username] Apr 3 23:24:37 [hostname] sshd[338364]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ittwhxh1n62.na.admworld.com user=[username] Apr 3 23:24:37 [hostname] sshd[338364]: pam_tally2(sshd:auth): user [username] (1494516080) tally 13, deny 5 <<<<<<<<<<<<< Apr 3 23:24:39 [hostname] sshd[338364]: Failed password for [username] from [IP ADDRESS] port 51893 ssh2
Root Cause
Issue with one or more configuration files: system-auth-ac and password-auth-ac, sssd module were commented in configuration file below:
$ grep sss /etc/pam.d/system-auth-ac # auth sufficient pam_sss.so use_first_pass # account [default=bad success=ok user_unknown=ignore] pam_sss.so # password sufficient pam_sss.so use_authtok # session optional pam_sss.so
$ grep sss /etc/pam.d/password-auth-ac # auth sufficient pam_sss.so use_first_pass # account [default=bad success=ok user_unknown=ignore] pam_sss.so # password sufficient pam_sss.so use_authtok # session optional pam_sss.so
The pam_tally2 module conflicts with sssd modules:
$ cat etc/pam.d/sshd #%PAM-1.0 auth required pam_sepermit.so auth include password-auth ##auth required pam_tally2.so deny=5 onerr=fail serialize >>>> #auth required pam_tally2.so deny=5 onerr=fail lock_time=600 serialize # EXADATA ACCESS CONTROL via /etc/exadata/security/exadata-access.conf account required pam_nologin.so account include password-auth account required pam_tally2.so password include password-auth pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session required pam_namespace.so session optional pam_keyinit.so force revoke session include password-auth session required pam_limits.so
# cat /etc/pam.d/login auth required pam_tally2.so deny=5 onerr=fail serialize
# cat/etc/pam.d/login account required pam_tally2.so
The Solution
1. Comment pam_tally2 lines in all the authenticate files under the /etc/pam.d/* directory.
2. Comment out the line mentioned in cause sections, [Enable sssd modules] as below.
$ grep sss /etc/pam.d/system-auth-ac auth sufficient pam_sss.so use_first_pass account [default=bad success=ok user_unknown=ignore] pam_sss.so password sufficient pam_sss.so use_authtok session optional pam_sss.so
$ grep sss /etc/pam.d/password-auth-ac auth sufficient pam_sss.so use_first_pass account [default=bad success=ok user_unknown=ignore] pam_sss.so password sufficient pam_sss.so use_authtok session optional pam_sss.so