SCIENTIFIC-LINUX-USERS Archives

May 2006

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: Authentication problems
From:
John Logsdon <[log in to unmask]>
Reply To:
John Logsdon <[log in to unmask]>
Date:
Tue, 23 May 2006 05:25:08 +0100
Content-Type:
TEXT/PLAIN
Parts/Attachments:
TEXT/PLAIN (137 lines) 
When this sort of thing happens, I would suspect the volume on which the
user's directories are located.  If the bad users are all on a newer
disk/partition/nfs mounted device, it is possible that the mount
restrictions are different - and of course this may be across NFS (or
whatever you may be using).  It is unlikely that a PAM/Kerberos issue
affects only new users in the way described.

On one of my systems, regular users are mounted on /home/<n>, which is on
another container, while admin users are mounted on /home directly.  When
the regular user container fell over recently, I was most grateful that at
least I could login, su - and see what had happened!  Different scene but
same issue - some users can, some users can't.

Best wishes

John

John Logsdon                               "Try to make things as simple
Quantex Research Ltd, Manchester UK         as possible but not simpler"
[log in to unmask]              [log in to unmask]
+44(0)161 445 4951/G:+44(0)7717758675       www.quantex-research.com


On Mon, 22 May 2006, John Hanks wrote:

> Since I don't have effective control of my clients I modified your
> suggestion and removed authentication methods from the server. Removing
> public-key made it so that I now get a password prompt but it still
> times out after entering the password. Removing public-key and setting
> usePAM to no makes for password failure (even with a good password.)
> 
> I'm now focused on PAM or some connecting bit as the problem. I've
> enabled debug for pam_krb5 and comparing a successful login to a broken
> attempt, I don't see any difference in kerberos messages for the two. In
> fact, watching debug messages for su'ing ot a "good" user and a "bad"
> user doesn't show any differences other that the "bad" users always have
> a long wait for *something* to time out or happen.
> 
> Other things I've noticed:
> 
> [root@edna ssh]# useradd -d /tmp/testing testing
> 
> hangs.
> 
> Getent works perfectly fine for "bad" accounts.
> 
> [root@edna log]# getent passwd baduser
> baduser:ABCD!efgh12345$67890:10057:10000:Bad User:/home/baduser:/bin/bash
> 
> Thanks,
> 
> jbh
> 
> On Mon, 2006-05-22 at 17:45 -0500, teh wrote:
> > I wonder if this is the problem I had.  The symptoms sound vaguely familiar.
> > The fix is the following:  You have to limit the number of authentication
> > methods.  My solution is
> > 
> > PreferredAuthentications gssapi-with-mic,publickey,password
> > 
> > for the client config.  There is a limit on the attempts the sshd server 
> > will entertain before it closes down the connection.  I believe it's in 
> > the neighborhood of 4 or 5 attempts.  And, adding the kerberos auth seems 
> > to generate multiple attempts.
> > 
> > Try it.  I suspect it is the same problem.
> > 
> > Ken
> > 
> > 
> > 
> > On Mon, 22 May 2006, John Hanks wrote:
> > 
> > > Our setup (which has worked great until a few weeks ago) is:
> > >
> > >  * Windows Active Directory for LDAP and Kerberos
> > >  * Clusters using Scientific Linux 4.2
> > >  * Workstations using Fedora Core 4/5
> > >
> > > In the last couple of weeks we've seen some strange behavior. Some
> > > accounts (generally the older user accounts) are continuing to work
> > > fine. But newer accounts are no longer able to connect to any of the SL
> > > 4.2 clusters. At first I thought it was a kerberos issue, but I've been
> > > unable to find anything to point at a kerberos/LDAP problem. As far as I
> > > can tell, there is no significant difference between newer and older
> > > accounts within the LDAP directory.
> > >
> > > sshd hangs when attempting to exchange the public key. I've started sshd
> > > in debug mode with:
> > >
> > > [root@edna pam.d]# /usr/sbin/sshd -p 48000 -ddd
> > >
> > > then connected from a workstation using a "bad" account with this
> > > command:
> > >
> > > griznog@danaus ~ $ ssh -vvv -p 48000 markm@edna
> > >
> > > The sshd session logs these lines as the last bit of output before
> > > hanging:
> > >
> > > debug3: fd 4 is not O_NONBLOCK
> > > debug1: Server will not fork when running in debugging mode.
> > > debug3: send_rexec_state: entering fd = 7 config len 331
> > > debug3: ssh_msg_send: type 0
> > > debug3: send_rexec_state: done
> > > debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
> > >
> > > the ssh session connecting has this to say:
> > >
> > > debug1: Authentications that can continue:
> > > publickey,gssapi-with-mic,password
> > > debug2: we did not send a packet, disable method
> > > debug3: authmethod_lookup publickey
> > > debug3: remaining preferred: keyboard-interactive,password
> > > debug3: authmethod_is_enabled publickey
> > > debug1: Next authentication method: publickey
> > > debug1: Offering public key: /home/griznog/.ssh/id_rsa
> > > debug3: send_pubkey_test
> > > debug2: we sent a publickey packet, wait for reply
> > >
> > > To muddy the water some more, trying to 'su - baduser' behaves
> > > similarly, the su command hangs but it waits until something times out
> > > then succeeds. The problem doesn't exist on our FC5 workstations, either
> > > with su or ssh.
> > >
> > > If someone has any clues as to what might cause this or can provide some
> > > pointers to use while troubleshooting, I'd be grateful.
> > >
> > > Thanks,
> > >
> > > jbh
> > >
> > > John Hanks
> > > Utah State University
> > >
>

ATOM RSS1 RSS2