Passwd file question

Are users that are added to NS expected to be listed in the passwd file? I see that one of the users (myself) wasn’t it. When logging in with SSH, the login succeeds but causes pam authentication errors to be logged in /var/log/secure. Users that have log watchers such as swatch (myself) will receive false positives because the user isn’t in the passwd file.

To work around this, I added the user (myself) manually and reset the password using sudo passwd -f <username>. The ‘-f’ option is used to force the password even though it may be a dictionary password.

When I added the myself to the passwd file, I ensured I used the proper user and group id’s that NS used when the user was created by using the id command.

Users are (also) in the local LDAP instance. Perhaps ssh complains because it does not know that. Could you paste here your log lines?

Oct  7 19:11:35 proteus passwd: pam_unix(passwd:chauthtok): user "james" does not exist in /etc/passwd

Oct 7 19:11:40 proteus passwd: pam_unix(passwd:chauthtok): user “james” does not exist in /etc/passwd
Oct 7 19:11:45 proteus sshd[14802]: pam_unix(sshd:session): session closed for user james
Oct 7 19:13:16 proteus unix_chkpwd[14896]: password check failed for user (james)
Oct 7 19:13:16 proteus sshd[14894]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= user=james
Oct 7 19:13:17 proteus sshd[14894]: pam_unix(sshd:session): session opened for user james by (uid=0)
Oct 7 19:13:54 proteus unix_chkpwd[14925]: password check failed for user (james)
Oct 7 19:13:54 proteus sudo: pam_unix(sudo:auth): authentication failure; logname=james uid=5001 euid=0 tty=/dev/pts/1 ruser=james rhost= user=james

please, post the result of

db configuration show sshd

strange enough…

all user’s accounts are stored into ldap, passwd file is empty (or, better, contains only system users)

mine server is just setup as yours and I never had such an issue…
you’d tell us more about your setup, it must be investigated…

P.S: if you want to live without ton’s of logs noise, change it to a non standard port > 1024

I never was an issue before. Everything worked fine up until recently I was forced to change my password, even though I setup the server so I didn’t have to. I wasn’t able to change my password using CLI but I was able to do it at the WebUI. Difference between LDAP and what not. I installed swatch (a log file watching utility) to identify failed login attempts on my NS servers and anything else I’m running *nix on. The NS servers were the only ones giving me a problem, they reported failed login attempts even though I logged on successfully. After looking around I noticed the errors indicated my id wasn’t in the passwd file. I manually added my id, forced changing the password with sudo passwd -f <username> and made it match the one I used that I had setup with NS.

One note I want to make, when I was forced to change my password when attempting to login using SSH; none of the share drives were accessible until I changed my password in the WebUI.

I may just do that, pick a random port instead of the default port of 22.

you can’t change users password from CLI… you MUST use the web GUI

since all users are stored into ldap, passwd is not supposed to work

Are you sure? AFAIK it relies on PAM which turns the password change request to LDAP!

well… if it is supposed to do so, we have a bug somewhere, isn’t it?

This is the basic problem: annoying messages from swatch.

Could you post a message from swatch? What does it say?

Does this log line refer to a change password attempt?

 Oct  7 19:11:35 proteus passwd: pam_unix(passwd:chauthtok): user "james" does not exist in /etc/passwd

Was the new password changed successfully?

I suggest reverting your workaround to repeat the tests on a clean environment.

I would add that OP should tell us all about his setup… what did he install and any kind of customization/custom scripts running

just made a simple test:

created a new user, gave him a password and ssh access
tested ssh access… working as expected
changed password, as root, from CLI, with

passwd username

re-tested ssh access with new passwrod: working as expected…

no entry for username into /etc/passwd
no noise into log

it seems to me an OP issue… he did something wrong or in the wrong way…

Is it true also for a user recorded in LDAP?

(I’m on mobile)

your question makes no sense to me, since all user’s accounts are stored ONLY in ldap :smile:

Sorry, you’re right! :blush:

I was thinking the following

  • enable shell access to normal user
  • log in as normal user with SSH
  • and change user’s password

we’re just guessing…

OP must give us as much details as he can

1 Like

I’ll revert my “fix” and retest and provide the log info later today. My issue wasn’t so much the inability to change my password using passwd, it’s that a failed login attempt was logged in ‘/var/log/secure’ log file even though the login was successful.