[Gllug] Debian SSH not letting root login anymore?
Rich Walker
rw at shadow.org.uk
Wed Nov 9 16:02:47 UTC 2005
"Daniel P. Berrange" <dan at berrange.com> writes:
> On Wed, Nov 09, 2005 at 03:48:35PM +0000, Rich Walker wrote:
>>
>> Hi,
>>
>> I recently upgraded one of our machines, and now can't do
>>
>> ssh -X root at thoth
>>
>> to it any more.
>>
>> Login as a normal user still works.
>>
>> /var/log/auth.log suggests pam is causing problems:
>>
>> Nov 9 15:42:31 thoth sshd[8093]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=gateway.shadow.local user=root
>> Nov 9 15:42:35 thoth sshd[8093]: Accepted keyboard-interactive/pam for root from 10.1.1.17 port 43186 ssh2
>> Nov 9 15:42:35 thoth sshd[8093]: fatal: PAM: pam_setcred(): Permission denied
>>
>> Any ideas where I should be looking?
>
> What is in your /etc/pam.d/sshd config file (and any other PAM config
> files it might delegate to, such as system-auth) ?
>
AFAICT, they are the Debian defaults, except that I changed common-password to
password required pam_unix.so nullok min=2 max=12 md5
removing obscure and decreasing the min and increasing the max.
cheers, Rich.
/etc/pam.d/ssh:
# PAM configuration for the Secure Shell service
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth required pam_env.so # [1]
# Standard Un*x authentication.
@include common-auth
# Standard Un*x authorization.
@include common-account
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login.
session optional pam_motd.so # [1]
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Set up SELinux capabilities (need modified pam)
# session required pam_selinux.so multiple
# Standard Un*x password updating.
@include common-password
common-account:
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
account required pam_unix.so
common-auth:
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth required pam_unix.so nullok_secure
common-password:
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix
# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords)
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.
password required pam_unix.so nullok min=2 max=12 md5
# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
# password required pam_cracklib.so retry=3 minlen=6 difok=3
# password required pam_unix.so use_authtok nullok md5
common-session:
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive). The default is pam_unix.
#
session required pam_unix.so
--
rich walker | Shadow Robot Company | rw at shadow.org.uk
technical director 251 Liverpool Road |
need a Hand? London N1 1LX | +UK 20 7700 2487
www.shadow.org.uk/products/newhand.shtml
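The reply above asks what the sshd service file and every file it delegates to via @include actually contain. The script below is an added example, not code from the thread or from Debian: it follows the @include chain of a PAM service file, prints the effective module stack in evaluation order, and flags the options the poster changed (nullok, a tiny min=, and the dropped obscure check). The sample files are constructed from the configs quoted in the post and written to a temporary directory standing in for /etc/pam.d/; the weakness rules are the example's own heuristics, not a PAM or Debian policy.

```python
"""Resolve the @include chain of Debian-style PAM service files and report
the effective module stack plus options that relax the password policy.

Added example; not part of the original mailing-list post. The sample files
below are constructed from the configs quoted in the thread (assumption: a
directory laid out like /etc/pam.d/, here a temporary directory).
"""
import re
import tempfile
from pathlib import Path

PAM_TYPES = ("auth", "account", "password", "session")

# Constructed sample: the quoted /etc/pam.d/ssh and the common-* files it
# includes, with the poster's modified common-password line.
SAMPLE_FILES = {
    "ssh": """\
auth required pam_env.so # [1]
@include common-auth
@include common-account
@include common-session
session optional pam_motd.so # [1]
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
# session required pam_selinux.so multiple
@include common-password
""",
    "common-auth": "auth required pam_unix.so nullok_secure\n",
    "common-account": "account required pam_unix.so\n",
    "common-session": "session required pam_unix.so\n",
    "common-password": "password required pam_unix.so nullok min=2 max=12 md5\n",
}


def resolve_stack(pamdir, service, _seen=None):
    """Return (type, control, module, [options]) tuples in evaluation order,
    expanding @include directives in place; include cycles are skipped."""
    _seen = set() if _seen is None else _seen
    if service in _seen:
        return []
    _seen.add(service)
    path = Path(pamdir) / service
    if not path.exists():
        return []
    entries = []
    for raw in path.read_text().splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments like "# [1]"
        if not line:
            continue
        if line.startswith("@include"):
            entries.extend(resolve_stack(pamdir, line.split()[1], _seen))
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] not in PAM_TYPES:
            continue  # ignore malformed lines rather than guess
        entries.append((parts[0], parts[1], parts[2], parts[3:]))
    return entries


def weak_settings(stack):
    """Heuristic findings (this example's own rules) for options that weaken
    the password policy in the resolved stack."""
    findings = []
    for ptype, control, module, opts in stack:
        if "nullok" in opts:  # exact match; nullok_secure is a different option
            findings.append(f"{ptype} {module}: nullok lets empty passwords be set")
        for opt in opts:
            m = re.fullmatch(r"min=(\d+)", opt)
            if m and int(m.group(1)) < 8:
                findings.append(f"{ptype} {module}: min={m.group(1)} permits very short passwords")
        if ptype == "password" and module == "pam_unix.so" and "obscure" not in opts:
            findings.append("password pam_unix.so: obscure strength check is not enabled")
    return findings


def write_sample(files):
    """Write the constructed sample files into a fresh temporary directory."""
    pamdir = Path(tempfile.mkdtemp())
    for name, text in files.items():
        (pamdir / name).write_text(text)
    return pamdir


def audit(files=SAMPLE_FILES, service="ssh"):
    """Resolve the stack for `service` and return (stack, findings)."""
    stack = resolve_stack(write_sample(files), service)
    return stack, weak_settings(stack)


if __name__ == "__main__":
    stack, findings = audit()
    for ptype, control, module, opts in stack:
        print(f"{ptype:9} {control:9} {module:16} {' '.join(opts)}")
    for finding in findings:
        print("WARN:", finding)
```

Run it as-is to see the eight-line effective stack for the quoted config; to inspect a real host, point `resolve_stack` at `/etc/pam.d` and the service name sshd uses there (ssh on the poster's Debian).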
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug