Passwd file question

(JamesMillar) #1

Are users that are added to NS expected to be listed in the passwd file? I see that one of the users (myself) wasn’t it. When logging in with SSH, the login succeeds but causes pam authentication errors to be logged in /var/log/secure. Users that have log watchers such as swatch (myself) will receive false positives because the user isn’t in the passwd file.

To work around this, I added the user (myself) manually and reset the password using sudo passwd -f <username>. The ‘-f’ option is used to force the password even though it may be a dictionary password.

When I added the myself to the passwd file, I ensured I used the proper user and group id’s that NS used when the user was created by using the id command.

(Davide Principi) #2

Users are (also) in the local LDAP instance. Perhaps ssh complains because it does not know that. Could you paste here your log lines?

(JamesMillar) #3
Oct  7 19:11:35 proteus passwd: pam_unix(passwd:chauthtok): user "james" does not exist in /etc/passwd

Oct 7 19:11:40 proteus passwd: pam_unix(passwd:chauthtok): user “james” does not exist in /etc/passwd
Oct 7 19:11:45 proteus sshd[14802]: pam_unix(sshd:session): session closed for user james
Oct 7 19:13:16 proteus unix_chkpwd[14896]: password check failed for user (james)
Oct 7 19:13:16 proteus sshd[14894]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= user=james
Oct 7 19:13:17 proteus sshd[14894]: pam_unix(sshd:session): session opened for user james by (uid=0)
Oct 7 19:13:54 proteus unix_chkpwd[14925]: password check failed for user (james)
Oct 7 19:13:54 proteus sudo: pam_unix(sudo:auth): authentication failure; logname=james uid=5001 euid=0 tty=/dev/pts/1 ruser=james rhost= user=james

(Stefano) #4

please, post the result of

db configuration show sshd

(JamesMillar) #5

(Stefano) #6

strange enough…

all user’s accounts are stored into ldap, passwd file is empty (or, better, contains only system users)

mine server is just setup as yours and I never had such an issue…
you’d tell us more about your setup, it must be investigated…

(Stefano) #7

P.S: if you want to live without ton’s of logs noise, change it to a non standard port > 1024

(JamesMillar) #8

I never was an issue before. Everything worked fine up until recently I was forced to change my password, even though I setup the server so I didn’t have to. I wasn’t able to change my password using CLI but I was able to do it at the WebUI. Difference between LDAP and what not. I installed swatch (a log file watching utility) to identify failed login attempts on my NS servers and anything else I’m running *nix on. The NS servers were the only ones giving me a problem, they reported failed login attempts even though I logged on successfully. After looking around I noticed the errors indicated my id wasn’t in the passwd file. I manually added my id, forced changing the password with sudo passwd -f <username> and made it match the one I used that I had setup with NS.

One note I want to make, when I was forced to change my password when attempting to login using SSH; none of the share drives were accessible until I changed my password in the WebUI.

(JamesMillar) #9

I may just do that, pick a random port instead of the default port of 22.

(Stefano) #10

you can’t change users password from CLI… you MUST use the web GUI

since all users are stored into ldap, passwd is not supposed to work

(Davide Principi) #11

Are you sure? AFAIK it relies on PAM which turns the password change request to LDAP!

(Stefano) #12

well… if it is supposed to do so, we have a bug somewhere, isn’t it?

(Davide Principi) #13

This is the basic problem: annoying messages from swatch.

Could you post a message from swatch? What does it say?

Does this log line refer to a change password attempt?

 Oct  7 19:11:35 proteus passwd: pam_unix(passwd:chauthtok): user "james" does not exist in /etc/passwd

Was the new password changed successfully?

I suggest reverting your workaround to repeat the tests on a clean environment.

(Stefano) #14

I would add that OP should tell us all about his setup… what did he install and any kind of customization/custom scripts running

(Stefano) #15

just made a simple test:

created a new user, gave him a password and ssh access
tested ssh access… working as expected
changed password, as root, from CLI, with

passwd username

re-tested ssh access with new passwrod: working as expected…

no entry for username into /etc/passwd
no noise into log

it seems to me an OP issue… he did something wrong or in the wrong way…

(Davide Principi) #16

Is it true also for a user recorded in LDAP?

(I’m on mobile)

(Stefano) #17

your question makes no sense to me, since all user’s accounts are stored ONLY in ldap :smile:

(Davide Principi) #18

Sorry, you’re right! :blush:

I was thinking the following

  • enable shell access to normal user
  • log in as normal user with SSH
  • and change user’s password

(Stefano) #19

we’re just guessing…

OP must give us as much details as he can

(JamesMillar) #20

I’ll revert my “fix” and retest and provide the log info later today. My issue wasn’t so much the inability to change my password using passwd, it’s that a failed login attempt was logged in ‘/var/log/secure’ log file even though the login was successful.