KB-2928: Stock OpenSSH 1.59 closes connection on Redhat ES3

Centrify DirectControl

12 April,16 at 11:10 AM

Applies to: All versions of Centrify DirectControl on RHEL ES 5.3 platforms only
 
Question:
 
When logging in as any AD user, stock SSH closes the connection as soon as the username is entered. The SSH client does not matter. The roles and rights are in place, as seen in the dzinfo output, and adquery user -A shows that the user is zone-enabled. Centrify-enabled OpenSSH works fine, but the stock OpenSSH sshd does not. Local accounts can log in fine.
 
Snippets of the log below show that Centrify's PAM module passed through and that there was no duplicate setcred call:
 
Oct 20 12:01:28 detv15 adclient[12566]: DEBUG <fd:18 sshd(8770)> client.sshd -> pam_sm_authenticate
Oct 20 12:01:29 detv15 adclient[12566]: DEBUG <fd:18 sshd(8770)> client.sshd <- pam_sm_authenticate, result=PAM_SUCCESS(0)
Oct 20 12:01:29 detv15 adclient[12566]: DEBUG <fd:27 sshd(8770)> client.sshd -> pam_sm_acct_mgmt
Oct 20 12:01:29 detv15 adclient[12566]: DEBUG <fd:27 sshd(8770)> client.sshd <- pam_sm_acct_mgmt, result=PAM_SUCCESS(0)
Oct 20 12:01:29 detv15 adclient[12566]: DEBUG <fd:18 sshd(8773)> client.sshd -> pam_sm_open_session
Oct 20 12:01:29 detv15 adclient[12566]: DEBUG <fd:18 sshd(8773)> client.sshd <- pam_sm_open_session, result=PAM_SUCCESS(0)
Oct 20 12:01:29 detv15 adclient[12566]: DEBUG <fd:18 sshd(8773)> client.sshd -> pam_sm_setcred
Oct 20 12:01:29 detv15 adclient[12566]: DEBUG <fd:18 sshd(8773)> client.sshd <- pam_sm_setcred, result=PAM_SUCCESS(0)
Oct 20 12:01:29 detv15 adclient[12566]: DEBUG <fd:18 sshd(8773)> client.sshd -> pam_sm_close_session
Oct 20 12:01:29 detv15 adclient[12566]: DEBUG <fd:18 sshd(8773)> client.sshd <- pam_sm_close_session, result=PAM_SUCCESS(0)
 
However, the sshd trace shows two setcred calls, and the call failed as well:
 
debug1: PAM establishing creds
debug1: PAM establishing creds
PAM setcred failed[25]: Please ignore underlying account module
debug1: Calling cleanup 0x806f1d0(0x0)
debug1: Calling cleanup 0x8063b20(0x0)
debug1: Cannot delete credentials[25]: Please ignore underlying account module
 
 
Answer:
 
This is an issue in OpenSSH 3.6p1, which is too old and is missing fixes.
 
The cause is that sshd makes an extra setcred() call without setting the PAM_ESTABLISH_CRED flag in the request.
In this case, Centrify returns PAM_IGNORE(25), following the PAM specification, because it does not know how to handle such a request.
 
sshd then reports:
 
debug1: PAM establishing creds
PAM setcred failed[25]: Please ignore underlying account module
debug1: Calling cleanup 0x806f1d0(0x0)
debug1: Calling cleanup 0x8063b20(0x0)
debug1: Cannot delete credentials[25]: Please ignore underlying account module
debug1: Calling cleanup 0x8063b20(0x0)
 
...before apparently closing the connection.
 
It is recommended to upgrade RedHat stock OpenSSH to a later version, or use the one provided by Centrify (5.9p1). 
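
Added example (not part of the original article or of Centrify's tooling): a small log triage that checks for the signature described above, where the sshd trace shows more "PAM establishing creds" attempts than adclient logged as completed pam_sm_setcred calls, together with a setcred failure carrying code 25. The sample log text is constructed from the excerpts in this article; the function names and the matching heuristic are assumptions.

```python
import re
from collections import Counter

PAM_IGNORE = 25  # return code shown in the article's sshd trace

# Constructed sample input, shaped like the excerpts quoted in this article.
ADCLIENT_LOG = """\
Oct 20 12:01:29 detv15 adclient[12566]: DEBUG <fd:18 sshd(8773)> client.sshd -> pam_sm_setcred
Oct 20 12:01:29 detv15 adclient[12566]: DEBUG <fd:18 sshd(8773)> client.sshd <- pam_sm_setcred, result=PAM_SUCCESS(0)
"""
SSHD_TRACE = """\
debug1: PAM establishing creds
debug1: PAM establishing creds
PAM setcred failed[25]: Please ignore underlying account module
debug1: Cannot delete credentials[25]: Please ignore underlying account module
"""

# Matches only completed hooks ("<-" lines), capturing sshd PID, hook and result.
ADCLIENT_RE = re.compile(
    r"sshd\((\d+)\)> client\.sshd <- (pam_sm_\w+), result=(\w+)\((\d+)\)")
SSHD_FAIL_RE = re.compile(r"^PAM setcred failed\[(\d+)\]", re.M)

def adclient_results(log):
    """Count completed PAM hooks per (sshd pid, hook name, result name)."""
    return Counter((pid, hook, res) for pid, hook, res, _ in ADCLIENT_RE.findall(log))

def triage(adclient_log, sshd_trace):
    """Compare setcred activity seen by sshd with what adclient recorded."""
    attempts = sshd_trace.count("debug1: PAM establishing creds")
    failures = [int(code) for code in SSHD_FAIL_RE.findall(sshd_trace)]
    succeeded = sum(
        n for (_pid, hook, res), n in adclient_results(adclient_log).items()
        if hook == "pam_sm_setcred" and res == "PAM_SUCCESS")
    return {
        "sshd_setcred_attempts": attempts,
        "adclient_setcred_success": succeeded,
        "sshd_setcred_failure_codes": failures,
        # Heuristic (assumption): extra attempt on the sshd side plus a
        # PAM_IGNORE failure is the pattern this article describes.
        "matches_kb": attempts > succeeded and PAM_IGNORE in failures,
    }

if __name__ == "__main__":
    for key, value in triage(ADCLIENT_LOG, SSHD_TRACE).items():
        print(f"{key}: {value}")
```
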