Re: PAM and SSH

The main issues I have found with not being able to log in via SSH are
due to one of two problems. Passwords/accounts are via a KDC and the
/etc/pam.d/sshd does not look up in the correct place. Versions of
OpenSSH before 3.5p1 use pam_unix.so or pam_pwdb.so.

Try the following from openssh-3.5p1

#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so

The second problem we have found has been due to some extra data that
authconfig puts into system-auth. For our KDC environment it causes
accounts NOT to be able to log in. The offending line is

account     [default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore] /lib/security/pam_krb5.so

Changing this to

account sufficient /lib/security/pam_krb5.so

allowed ssh to log in (plus cleared up some other issues with console
logins).

If both of these suggestions are wrong, try the following. Run sshd on a
high port with an increasing number of -d flags and try to narrow down
what is killing the authentication.

sshd -p 9999 -d

is what I did to figure out things over time. After that it was adding
debug flags to pam.d files.

Hope this helps
Stephen


On Mon, 2003-02-24 at 11:23, John Oliver wrote:
> On Mon, Feb 24, 2003 at 11:40:50AM -0500, TRUCKS, JESSE (SBCSI) wrote:
> > You didn't post what problem you are having.
> 
> Well, I can't log on with SSH... :-)
> 
> > Have you checked your pam configuration?
> 
> I know *nothing* about PAM.  I've "checked the config" by comparing to
> examples I find on the Internet.
> 
> > Do you have any logged debug/message output?
> 
> Nope.
> 
> > Is SSH compiled to use PAM?
> 
> Dunno.  Does OpenSSH that comes with Red Hat come compiled with PAM?  I
> didn't realize that it might not be... I thought all authentication with
> Red Hat was handled through PAM.
> 
> -- 
> John Oliver, CCNA                            http://www.john-oliver.net/
> Linux/UNIX/network consulting         http://www.john-oliver.net/resume/
> ***               sendmail, Apache, ftp, DNS, spam filtering         ***
> ****                Colocation, T1s, web/email/ftp hosting          ****
> 
> 
> 
> _______________________________________________
> 
> Pam-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/pam-list
> 
-- 
Stephen John Smoogen		smoogen@lanl.gov
Los Alamos National Labrador  CCN-2 B-Schedule  PH: 
Ta-03 SM-261  MailStop P208 DP 17U  Los Alamos, NM 87545
-- So shines a good deed in a weary world. = Willy Wonka --



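The difference between the two account lines Stephen quotes comes down to how Linux-PAM combines module return values under the bracketed control syntax versus the `sufficient` keyword. The script below is an added illustration written for this thread; it is not code from the list or from the Linux-PAM project. It expands the keyword controls to their bracketed equivalents as documented in pam.conf(5), walks a constructed account stack, and reports the final result for a few assumed pam_krb5 return values. The preceding pam_unix.so line and the specific return codes (authinfo_unavail, acct_expired) are assumptions for the demonstration; the mail does not say what pam_krb5 actually returned in Stephen's environment.

```python
"""Model of Linux-PAM control-flag evaluation for one management group.

Added illustration for this thread; not code from the list or from Linux-PAM.
Keyword controls are expanded to their bracketed equivalents as documented in
pam.conf(5).  Module return values are supplied as a constructed scenario;
no real PAM module is called.
"""

# Keyword controls expanded to the bracketed form (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done",
                   "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok",
                   "default": "ignore"},
}


def parse_line(line):
    """Split 'group control module [args]' into (group, control_map, module)."""
    tokens = line.split()
    group = tokens[0]
    if tokens[1].startswith("["):
        # A bracketed control may span several tokens; find the closing ']'.
        end = 1
        while not tokens[end].endswith("]"):
            end += 1
        body = " ".join(tokens[1:end + 1]).strip("[]")
        control = dict(item.split("=", 1) for item in body.split())
        module = tokens[end + 1]
    else:
        control = KEYWORDS[tokens[1]]
        module = tokens[2]
    return group, control, module


def evaluate(stack, results, group="account"):
    """Return the stack's final result ('success' or a failure code).

    `results` maps a module path to the value it is assumed to return
    (modules not listed are assumed to return 'success').  Actions
    ok/bad/die/done/ignore are modelled as pam.conf(5) describes; numeric
    jumps and 'reset' are not.  If every module is ignored, Linux-PAM
    reports PAM_PERM_DENIED, modelled here as 'perm_denied'.
    """
    status = None  # None means nothing has been decided yet
    for line in stack:
        g, control, module = parse_line(line)
        if g != group:
            continue
        ret = results.get(module, "success")
        action = control.get(ret, control.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            # 'ok' contributes only while no earlier module has failed.
            if status in (None, "success"):
                status = ret
            if action == "done" and status == "success":
                break
        elif action in ("bad", "die"):
            # The first failure wins; later ones do not replace it.
            if status in (None, "success"):
                status = ret
            if action == "die":
                break
    return "perm_denied" if status is None else status


# Constructed stacks.  The pam_unix line is an assumption about the rest of
# system-auth; the mail only shows the pam_krb5 line in its two forms.
KRB5 = "/lib/security/pam_krb5.so"
STACK_AUTHCONFIG = [
    "account required /lib/security/pam_unix.so",
    "account [default=bad success=ok user_unknown=ignore "
    "service_err=ignore system_err=ignore] " + KRB5,
]
STACK_SUFFICIENT = [
    "account required /lib/security/pam_unix.so",
    "account sufficient " + KRB5,
]


def compare(krb5_result):
    """Outcome of both stacks when pam_krb5 returns krb5_result and pam_unix succeeds."""
    results = {KRB5: krb5_result}
    return evaluate(STACK_AUTHCONFIG, results), evaluate(STACK_SUFFICIENT, results)


if __name__ == "__main__":
    # Assumed pam_krb5 return values; these are scenarios, not observed data.
    for ret in ("success", "user_unknown", "authinfo_unavail", "acct_expired"):
        authconfig, sufficient = compare(ret)
        print(f"pam_krb5 -> {ret:17} authconfig: {authconfig:17} sufficient: {sufficient}")
```

The run shows why the authconfig line is so unforgiving: any pam_krb5 result other than success, user_unknown, service_err or system_err hits `default=bad` and fails the whole account stack, even when pam_unix was happy. It also shows the trade-off in the `sufficient` fix: a non-success result from pam_krb5 is now ignored entirely, so pam_unix alone decides, and a Kerberos-side account restriction (modelled here as acct_expired) no longer blocks the login. Whether that is acceptable depends on whether the local account checks are the ones you rely on; if they are not, the bracketed form with the extra return codes you actually see in the debug output added as `=ignore` keeps the Kerberos check in force.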
