Passwd file question

Are users that are added to NS expected to be listed in the passwd file? I see that one of the users (myself) wasn’t in it. When logging in with SSH, the login succeeds but causes pam authentication errors to be logged in /var/log/secure. Users that have log watchers such as swatch (myself) will receive false positives because the user isn’t in the passwd file.

To work around this, I added the user (myself) manually and reset the password using sudo passwd -f <username>. The ‘-f’ option is used to force the password even though it may be a dictionary password.

When I added myself to the passwd file, I ensured I used the proper user and group ids that NS had used when the user was created, by checking with the id command.

Users are (also) in the local LDAP instance. Perhaps ssh complains because it does not know that. Could you paste here your log lines?

Oct  7 19:11:35 proteus passwd: pam_unix(passwd:chauthtok): user "james" does not exist in /etc/passwd

Oct 7 19:11:40 proteus passwd: pam_unix(passwd:chauthtok): user "james" does not exist in /etc/passwd
Oct 7 19:11:45 proteus sshd[14802]: pam_unix(sshd:session): session closed for user james
Oct 7 19:13:16 proteus unix_chkpwd[14896]: password check failed for user (james)
Oct 7 19:13:16 proteus sshd[14894]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=juliet-01-wifi.us.nss.net user=james
Oct 7 19:13:17 proteus sshd[14894]: pam_unix(sshd:session): session opened for user james by (uid=0)
Oct 7 19:13:54 proteus unix_chkpwd[14925]: password check failed for user (james)
Oct 7 19:13:54 proteus sudo: pam_unix(sudo:auth): authentication failure; logname=james uid=5001 euid=0 tty=/dev/pts/1 ruser=james rhost= user=james
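The sshd lines above show the pattern that trips a watcher: an `authentication failure` at 19:13:16 followed one second later by `session opened` for the same user, i.e. the login actually succeeded. As an added example (not code from this thread or from NethServer), here is a small Python triage script that pairs each pam_unix auth failure with a session open for the same service and user inside a short window, so only unmatched failures are worth alerting on. The sample lines are copied from the paste above; the 10-second window and the name `triage` are my own assumptions.

```python
"""Triage pam_unix messages from /var/log/secure (added example, not from the thread)."""
import re
from datetime import datetime, timedelta

# Sample lines copied from the thread's paste (host, user and timestamps as posted).
SAMPLE_LOG = """\
Oct  7 19:11:35 proteus passwd: pam_unix(passwd:chauthtok): user "james" does not exist in /etc/passwd
Oct  7 19:11:45 proteus sshd[14802]: pam_unix(sshd:session): session closed for user james
Oct  7 19:13:16 proteus unix_chkpwd[14896]: password check failed for user (james)
Oct  7 19:13:16 proteus sshd[14894]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=juliet-01-wifi.us.nss.net user=james
Oct  7 19:13:17 proteus sshd[14894]: pam_unix(sshd:session): session opened for user james by (uid=0)
Oct  7 19:13:54 proteus unix_chkpwd[14925]: password check failed for user (james)
Oct  7 19:13:54 proteus sudo: pam_unix(sudo:auth): authentication failure; logname=james uid=5001 euid=0 tty=/dev/pts/1 ruser=james rhost= user=james
"""

# Generic syslog line: timestamp, host, program[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# \buser= avoids matching the "ruser=" field that precedes it
AUTH_FAIL_RE = re.compile(
    r"pam_unix\((?P<svc>[\w-]+):auth\): authentication failure;.*\buser=(?P<user>\S*)"
)
SESSION_OPEN_RE = re.compile(
    r"pam_unix\((?P<svc>[\w-]+):session\): session opened for user (?P<user>\S+)"
)
NOT_IN_PASSWD_RE = re.compile(r'user "(?P<user>[^"]+)" does not exist in /etc/passwd')


def parse(text):
    """Yield (timestamp, program, message) per syslog line; skip unparseable lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; the default (1900) is fine for deltas
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        yield ts, m.group("proc"), m.group("msg")


def triage(text, window=timedelta(seconds=10)):
    """Classify each pam_unix auth failure.

    Returns a list of dicts (svc, user, ts, followed_by_session). The flag is
    True when the same service opened a session for that user within `window`
    after the failure; a watcher should alert only on entries where it is False.
    The 10 s window is an assumed value, not something the thread states.
    """
    events = list(parse(text))
    opens = []
    for ts, _, msg in events:
        m = SESSION_OPEN_RE.search(msg)
        if m:
            opens.append((ts, m.group("svc"), m.group("user")))
    results = []
    for ts, _, msg in events:
        m = AUTH_FAIL_RE.search(msg)
        if not m:
            continue
        svc, user = m.group("svc"), m.group("user")
        matched = any(
            o_svc == svc and o_user == user and ts <= o_ts <= ts + window
            for o_ts, o_svc, o_user in opens
        )
        results.append({"svc": svc, "user": user, "ts": ts, "followed_by_session": matched})
    return results


def users_missing_from_passwd(text):
    """Users that PAM reported as absent from /etc/passwd (the symptom in the thread)."""
    found = set()
    for _, _, msg in parse(text):
        m = NOT_IN_PASSWD_RE.search(msg)
        if m:
            found.add(m.group("user"))
    return sorted(found)


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        verdict = "noise (login succeeded)" if r["followed_by_session"] else "ALERT"
        print(f"{r['ts']:%b %d %H:%M:%S} {r['svc']:>5} user={r['user']}: {verdict}")
    print("users not in /etc/passwd:", users_missing_from_passwd(SAMPLE_LOG))
```

On the sample, the sshd failure is paired with the session open one second later and downgraded to noise, while the sudo failure has no matching session and stays an alert. The `unix_chkpwd` lines are deliberately ignored: they carry no PAM service tag, so they cannot be correlated on their own.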

please, post the result of

db configuration show sshd
LoginGraceTime=2m
MaxAuthTries=6
PasswordAuthentication=yes
PermitRootLogin=yes
Protocol=2
TCPPort=22
UsePAM=yes
access=public
status=enabled

strange enough…

all users’ accounts are stored in ldap; the passwd file is empty (or, better, contains only system users)

my server is set up just as yours and I never had such an issue…
you should tell us more about your setup; it must be investigated…

P.S: if you want to live without tons of log noise, change it to a non-standard port > 1024

It never was an issue before. Everything worked fine up until recently, when I was forced to change my password, even though I set up the server so I didn’t have to. I wasn’t able to change my password using the CLI, but I was able to do it at the WebUI. Difference between LDAP and what not. I installed swatch (a log file watching utility) to identify failed login attempts on my NS servers and anything else I’m running *nix on. The NS servers were the only ones giving me a problem; they reported failed login attempts even though I logged on successfully. After looking around I noticed the errors indicated my id wasn’t in the passwd file. I manually added my id, forced changing the password with sudo passwd -f <username> and made it match the one I had set up with NS.

One note I want to make: when I was forced to change my password when attempting to log in using SSH, none of the share drives were accessible until I changed my password in the WebUI.

I may just do that, pick a random port instead of the default port of 22.

you can’t change users’ passwords from the CLI… you MUST use the web GUI

since all users are stored in ldap, passwd is not supposed to work

Are you sure? AFAIK it relies on PAM which turns the password change request to LDAP!

well… if it is supposed to do so, we have a bug somewhere, isn’t it?

This is the basic problem: annoying messages from swatch.

Could you post a message from swatch? What does it say?

Does this log line refer to a change password attempt?

 Oct  7 19:11:35 proteus passwd: pam_unix(passwd:chauthtok): user "james" does not exist in /etc/passwd

Was the new password changed successfully?

I suggest reverting your workaround to repeat the tests on a clean environment.

I would add that OP should tell us all about his setup… what did he install and any kind of customization/custom scripts running

just made a simple test:

  • created a new user, gave him a password and ssh access
  • tested ssh access… working as expected
  • changed password, as root, from CLI, with

passwd username

  • re-tested ssh access with new password: working as expected…

no entry for username in /etc/passwd
no noise in the log

it seems to me an OP issue… he did something wrong or in the wrong way…

Is it true also for a user recorded in LDAP?

(I’m on mobile)

your question makes no sense to me, since all users’ accounts are stored ONLY in ldap :smile:

Sorry, you’re right! :blush:

I was thinking the following

  • enable shell access to normal user
  • log in as normal user with SSH
  • and change user’s password

we’re just guessing…

OP must give us as much details as he can


I’ll revert my “fix”, retest and provide the log info later today. My issue wasn’t so much the inability to change my password using passwd; it’s that a failed login attempt was logged in the ‘/var/log/secure’ log file even though the login was successful.