Invalid user

1,765 views
Skip to first unread message

Benjamin GUILLON

unread,
Mar 22, 2013, 5:27:14 AM3/22/13
to rcdevs-t...@googlegroups.com
Hi,

I have setup OpenOTP server on Centos 6 32bit with ldapotp mode. In
the test user login it is showing "Authentication Success" but ssh is
not working on a Centos 6 32-bit machine.

It seems that SSH can't use LDAP user but I installed pam_ldap.
After the test on the WebAdm I downloaded the libopenotp and pam_openotp

I then moved libopenotp-1.0/build_linux32/libopenotp* to /usr/lib
And I moved pam-openotp-1.0/build_linux32/pam_openotp.so to /lib/security

[root@serverauth Benjamin]# ls -l /usr/lib/libopenotp*
-rw-r--r--. 1 root root 5656068 21 mars  11:56 /usr/lib/libopenotp.a
lrwxrwxrwx. 1 root root      19 22 mars  10:11 /usr/lib/libopenotp.so -> libopenotp.so.1.0.7
lrwxrwxrwx. 1 root root      19 22 mars  10:11 /usr/lib/libopenotp.so.1 -> libopenotp.so.1.0.7
-rwxr-xr-x. 1 root root 3522754 21 mars  15:37 /usr/lib/libopenotp.so.1.0.7

[root@serverauth Benjamin]# ls -l /lib/security/pam_openotp.so
-rwxr-xr-x. 1 root root 3518736 21 mars  12:00 /lib/security/pam_openotp.so


here's my conf :

/etc/pam.d/sshd
#%PAM-1.0
auth       sufficient   pam_openotp.so  server_url="http://192.168.124.19:8080/openotp/" client_id="SSH"  password_mode=2
auth       required     pam_sepermit.so
auth       include    password-auth
account    required     pam_nologin.so
account    include    password-auth
password   include    password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include    password-auth

/etc/ssh/sshd_config
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes

I saw this topic https://groups.google.com/forum/?fromgroups=#!searchin/rcdevs-technical/user$20pam/rcdevs-technical/-c3ID7Qqbyw/BdRv93TxYdEJ

And so I installed pam_ldap and I configure the /etc/pam_ldap.conf file

host 192.168.124.19
base dc=local,dc=oceanet,dc=com

Then in the WebAdm I went to my test user profil to add the PosixAccount extension

but I still got the same issue when I try to connect with my user named bernard to my server 192.168.124.19 in ssh. I try to connect from 192.168.124.19 to 192.168.124.19 with ssh to avoid the firewall troubles. But when I try from an other server this is the same.

My log file /var/log/secure :
Mar 22 10:22:03 serverauth sshd[3491]: Invalid user bernard from 192.168.124.19
Mar 22 10:22:03 serverauth sshd[3492]: input_userauth_request: invalid user bernard
Mar 22 10:22:03 serverauth sshd[3492]: Postponed keyboard-interactive for invalid user bernard from 192.168.124.19 port 52611 ssh2
Mar 22 10:22:07 serverauth sshd[3494]: pam_openotp: Invalid PAM user bernard
Mar 22 10:22:07 serverauth sshd[3492]: Postponed keyboard-interactive/pam for invalid user bernard from 192.168.124.19 port 52611 ssh2
Mar 22 10:22:09 serverauth sshd[3494]: pam_unix(sshd:auth): check pass; user unknown
Mar 22 10:22:09 serverauth sshd[3494]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.124.19
Mar 22 10:22:09 serverauth sshd[3494]: pam_succeed_if(sshd:auth): error retrieving information about user bernard
Mar 22 10:22:11 serverauth sshd[3491]: error: PAM: User not known to the underlying authentication module for illegal user bernard from 192.168.124.19
Mar 22 10:22:11 serverauth sshd[3491]: Failed keyboard-interactive/pam for invalid user bernard from 192.168.124.19 port 52611 ssh2
Mar 22 10:22:11 serverauth sshd[3492]: Postponed keyboard-interactive for invalid user bernard from 192.168.124.19 port 52611 ssh2

You can see my command :
[root@serverauth build_linux32]# ssh ber...@192.168.124.19 -v
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.124.19 [192.168.124.19] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.124.19' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied


debug1: An invalid name was supplied


debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
OTP Password:


I don't know what I'm supposed to do ..  What did I wrong ? Should I do somethings on the radius bridge ?

Benjamin


Administrators

unread,
Mar 22, 2013, 7:00:58 AM3/22/13
to RCDevs Security Solutions - Technical
The problem is simply that your user 'bernard' does not exist at Linux
level.

Mar 22 10:22:03 serverauth sshd[3492]: input_userauth_request: invalid
user bernard
means the user is not an existing posix user in the system!

2 choices:

1) You implement PAM-LDAP to have the unix users in LDAP as
replacement of having them /etc/password.
This is very elegant and you need to extend the ldap accounts with the
PosixAccount extension in WebADM.
On a Centos6, you need to implement nss-pam-ldapd and pam_ldap
correctly.

2) You simply have users in /etc/password with the same uid as your
WebADM users.

On Mar 22, 10:27 am, Benjamin GUILLON <guillon....@gmail.com> wrote:
> Hi,
>
> I have setup OpenOTP server on Centos 6 32bit with ldapotp mode. In
> the test user login it is showing "Authentication Success" but ssh is
> not working on a Centos 6 32-bit machine.
>
> It seems that SSH can't use LDAP user but I installed pam_ldap.
> After the test on the WebAdm I downloaded the libopenotp and pam_openotp
>
> I then moved libopenotp-1.0/build_linux32/libopenotp* to */usr/lib*
> And I moved pam-openotp-1.0/build_linux32/pam_openotp.so to */lib/security*
>
> [root@serverauth Benjamin]# ls -l /usr/lib/libopenotp*
> -rw-r--r--. 1 root root 5656068 21 mars  11:56 /usr/lib/libopenotp.a
> lrwxrwxrwx. 1 root root      19 22 mars  10:11 /usr/lib/libopenotp.so ->
> libopenotp.so.1.0.7
> lrwxrwxrwx. 1 root root      19 22 mars  10:11 /usr/lib/libopenotp.so.1 ->
> libopenotp.so.1.0.7
> -rwxr-xr-x. 1 root root 3522754 21 mars  15:37 /usr/lib/libopenotp.so.1.0.7
>
> [root@serverauth Benjamin]# ls -l /lib/security/pam_openotp.so
> -rwxr-xr-x. 1 root root 3518736 21 mars  12:00 /lib/security/pam_openotp.so
>
> here's my conf :
>
> */etc/pam.d/sshd*
> #%PAM-1.0
> auth       sufficient   pam_openotp.so
> server_url="http://192.168.124.19:8080/openotp/" client_id="SSH"
> password_mode=2
> auth       required     pam_sepermit.so
> auth       include    password-auth
> account    required     pam_nologin.so
> account    include    password-auth
> password   include    password-auth
> # pam_selinux.so close should be the first session rule
> session    required     pam_selinux.so close
> session    required     pam_loginuid.so
> # pam_selinux.so open should only be followed by sessions to be executed in
> the user context
> session    required     pam_selinux.so open env_params
> session    optional     pam_keyinit.so force revoke
> session    include    password-auth
>
> */etc/ssh/sshd_config
> *PasswordAuthentication yes
> ChallengeResponseAuthentication yes*
> *UsePAM yes
>
> I saw this topichttps://groups.google.com/forum/?fromgroups=#!searchin/rcdevs-technic...
>
> And so I installed pam_ldap and I configure the */etc/pam_ldap.conf* file
>
> host 192.168.124.19
> base dc=local,dc=oceanet,dc=com
>
> Then in the WebAdm I went to my test user profil to add the *PosixAccount*extension
>
> but I still got the same issue when I try to connect with my user named *
> bernard* to my server *192.168.124.19* in ssh. I try to connect from
> 192.168.124.19 to 192.168.124.19 with ssh to avoid the firewall troubles.
> But when I try from an other server this is the same.
>
> My log file */var/log/secure *:
> Mar 22 10:22:03 serverauth sshd[3491]: Invalid user bernard from
> 192.168.124.19
> Mar 22 10:22:03 serverauth sshd[3492]: input_userauth_request: invalid user
> bernard
> Mar 22 10:22:03 serverauth sshd[3492]: Postponed keyboard-interactive for
> invalid user bernard from 192.168.124.19 port 52611 ssh2
> Mar 22 10:22:07 serverauth sshd[3494]: pam_openotp: Invalid PAM user bernard
> Mar 22 10:22:07 serverauth sshd[3492]: Postponed keyboard-interactive/pam
> for invalid user bernard from 192.168.124.19 port 52611 ssh2
> Mar 22 10:22:09 serverauth sshd[3494]: pam_unix(sshd:auth): check pass;
> user unknown
> Mar 22 10:22:09 serverauth sshd[3494]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.124.19
> Mar 22 10:22:09 serverauth sshd[3494]: pam_succeed_if(sshd:auth): error
> retrieving information about user bernard
> Mar 22 10:22:11 serverauth sshd[3491]: error: PAM: User not known to the
> underlying authentication module for illegal user bernard from
> 192.168.124.19
> Mar 22 10:22:11 serverauth sshd[3491]: Failed keyboard-interactive/pam for
> invalid user bernard from 192.168.124.19 port 52611 ssh2
> Mar 22 10:22:11 serverauth sshd[3492]: Postponed keyboard-interactive for
> invalid user bernard from 192.168.124.19 port 52611 ssh2
>
> You can see my command :
> [root@serverauth build_linux32]# ssh bern...@192.168.124.19 -v
> *
> *

Benjamin GUILLON

unread,
Mar 25, 2013, 5:19:25 AM3/25/13
to rcdevs-t...@googlegroups.com
Thanks, it works :)

Benjamin GUILLON

unread,
Mar 26, 2013, 9:37:02 AM3/26/13
to rcdevs-t...@googlegroups.com
I try to install it on a second computer (192.168.124.11) with the same procedure and the same configuration but when I try to connect with the following command :

I got this error in /var/log/secure :

Mar 26 14:26:35 serveuressai sshd[3437]: PAM unable to dlopen(/lib/security/pam_openotp.so): libopenotp.so.1: failed to map segment from shared object: Permission denied
Mar 26 14:26:35 serveuressai sshd[3437]: PAM adding faulty module: /lib/security/pam_openotp.so

I check rights of libopenotp* files and they're the same than on my other computer. It seems that the OTP server don't receive any request (no request in log on webadm interface).

What did i miss ?

Administrators

unread,
Mar 26, 2013, 9:41:11 AM3/26/13
to RCDevs Security Solutions - Technical
Turns off SELinux if it is on.
To turn off completely : edit your grub configuration
-> add selinux=0 to the kernel boot command

On Mar 26, 2:37 pm, Benjamin GUILLON <guillon....@gmail.com> wrote:
> I try to install it on a second computer (192.168.124.11) with the same
> procedure and the same configuration but when I try to connect with the
> following command :
>
> ssh bern...@192.168.124.11

Benjamin GUILLON

unread,
Mar 26, 2013, 10:53:32 AM3/26/13
to rcdevs-t...@googlegroups.com
Thanks again for the quick response, it works. But why should I do that ? I installed both OS with the same CentOS iso so it should be exactly the same configuration and I didn't do the kernel manipulation on my first computer.

Do you know if I can shutdown SElinux with a script ? Because I've to implement the SSH solution on many computers and I was thinking about doing a script with the right configuration to deployed it really fast.

Administrators

unread,
Mar 26, 2013, 12:12:03 PM3/26/13
to RCDevs Security Solutions - Technical
I don't know. There must be something different :-)

Look at this:
http://www.centos.org/docs/5/html/5.2/Deployment_Guide/sec-sel-enable-disable.html
Reply all
Reply to author
Forward
0 new messages