Getting Access Denied from PAM in SSH, but not on console
I am getting a strange issue where I suddenly found myself unable to authenticate with PAM when I am logged in through SSH, but those same logins and passwords work when logged in through the LISH console. When disabling password authentication in SSH and using SSH key authentication instead (I normally use public key + password), I can log in, and then get the same error when I try to su in the SSH session, but again am able to su when I am on the console. I get this error message in auth.log:
Mar 24 10:58:37 vps su[17064]: pam_unix(su:auth): authentication failure; logname=[user here] uid=[UID Here] euid=0 tty=/dev/pts/0 ruser=[user here] rhost= user=root
Mar 24 10:58:39 vps su[17064]: pam_authenticate: Permission denied
Mar 24 10:58:39 vps su[17064]: FAILED su for root by [user here]
The pam_unix auth line from the relevant pam.d file (I use gentoo, which uses an extensive set of includes in PAM to go from su or sshd to eventually end at system-auth) is:
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
A couple of points I've looked into when searching forums and the internet for this:
- There is no reference to securetty anywhere in pam.d and I have tried adding pts/0 to securetty but with no effect
- Access.conf and groups.conf in /etc/security are the default files -- completely commented out
- the users are in the 'wheel' group
- When doing a successful su from the console, the output of auth.log looks like this:
Mar 24 11:03:44 vps su[17180]: + /dev/ttyS0 root:[user name here]
Mar 24 11:03:44 vps su[17180]: pam_unix(su:session): session opened for user [user name here] (uid=[uid here]) by root(uid=0)
Mar 24 11:03:56 vps su[17194]: Successful su for root by [user name here]
2 Replies
Apologies - I've discovered the issue. In my sshd config, for almost a year now I have had
PasswordAuthentication no
When used with public key authentication, I could still use both the password and the public key to log in. However, after a recent OpenSSH update, it appears this is being passed to PAM and causing PAM to deny outright any attempt at password-based authentication (i.e. su).
Hopefully this can help someone else some day who has the same issue.
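The diagnostic pattern in this thread (su failing from an SSH pseudo-terminal while succeeding on the serial console) can be pulled out of auth.log mechanically. The following is an added example, not code from the poster: it parses su events by PID, correlates each result with the tty it came from, and flags the "fails only on pts/*, works on console" signature that points at the sshd-to-PAM handoff rather than a bad password. The log lines are constructed to mirror the excerpts above, with a made-up user "alice" (uid 1000) in place of the placeholders.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's auth.log excerpts (not real data):
# placeholders replaced with user "alice", uid 1000, and consistent su PIDs.
SAMPLE_LOG = """\
Mar 24 10:58:37 vps su[17064]: pam_unix(su:auth): authentication failure; logname=alice uid=1000 euid=0 tty=/dev/pts/0 ruser=alice rhost= user=root
Mar 24 10:58:39 vps su[17064]: pam_authenticate: Permission denied
Mar 24 10:58:39 vps su[17064]: FAILED su for root by alice
Mar 24 11:03:44 vps su[17180]: + /dev/ttyS0 root:alice
Mar 24 11:03:56 vps su[17180]: Successful su for root by alice
"""

# pam_unix failure line carries the tty directly
FAIL_RE = re.compile(r"su\[(?P<pid>\d+)\]: pam_unix\(su:auth\): authentication failure;.*\btty=(?P<tty>\S+)")
# shadow's "+ /dev/ttyS0 from:to" line gives the tty for a successful su
TTY_RE = re.compile(r"su\[(?P<pid>\d+)\]: [+-] (?P<tty>/dev/\S+)")
# final verdict line, same PID as the lines above
RESULT_RE = re.compile(r"su\[(?P<pid>\d+)\]: (?P<result>FAILED|Successful) su for (?P<target>\S+) by (?P<by>\S+)")


def tty_class(tty):
    """'pty' for /dev/pts/* (ssh and other pseudo-terminals), 'console' for serial/virtual consoles."""
    if tty is None:
        return "unknown"
    return "pty" if tty.startswith("/dev/pts/") else "console"


def summarize_su(log_text):
    """Return {tty_class: {"failed": n, "success": n}} for all su verdicts in the log."""
    tty_by_pid = {}
    counts = defaultdict(lambda: {"failed": 0, "success": 0})
    for line in log_text.splitlines():
        m = FAIL_RE.search(line) or TTY_RE.search(line)
        if m:
            tty_by_pid[m["pid"]] = m["tty"]  # remember which tty this su PID ran on
            continue
        m = RESULT_RE.search(line)
        if m:
            cls = tty_class(tty_by_pid.get(m["pid"]))
            counts[cls]["failed" if m["result"] == "FAILED" else "success"] += 1
    return dict(counts)


def pty_only_failures(counts):
    """True when su fails on pseudo-terminals but succeeds (never fails) on the console."""
    pty = counts.get("pty", {"failed": 0, "success": 0})
    con = counts.get("console", {"failed": 0, "success": 0})
    return pty["failed"] > 0 and con["success"] > 0 and con["failed"] == 0
```

When the function returns True, check the sshd configuration for PasswordAuthentication before suspecting the password itself, as this thread's resolution shows.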