Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-4228: Nobody can ssh on RHEL4 (64-bit only) server

Authentication Service ,  

12 April,16 at 11:13 AM

KB-4228: Nobody can ssh on RHEL4 (64-bit only) server
 
Applies to:
 
Centrify-enabled OpenSSH-6.2 (with suite 2014 or earlier) on RHEL 4.x (64-bit) servers only
 
Problem:
 
After installing the standard suite which installs Centrify-enabled OpenSSH by default, nobody (AD or root or local user) can ssh to the server.

The following lines (snippets) are observed in system logs

...PAM unable to dlopen (/lib64/security/system-auth)
...PAM [dlerror : /lib64/security/system: cannot open shared object file: No such file or directory]

 
Cause:
 
The Centrify openssh installation post-install script in the RPM fixes /etc/pam.d/sshd. It looks for /lib/security/pam_stack.so.
 
It should check /lib64/security for it as well. It does not and therefore the issue
 
The net consequence is it put in the wrong pam.d/sshd for RHEL4, thus blocking login. 
 
Workaround:
 
If its too late, meaning nobody can login including root, local or AD users, use console and follow the below steps as root. 
 
The below steps are applicable even before the issue happens.
 
1) Customers need to temporarily create a /lib/security/pam_stack.so using touch command.
 
2) The execution bit should be turned on. chmod +x /lib/security/pam_stack.so 
 
3) Re-Install Centrify-OpenSSH
 
4) Go to step 1) and remove the file #rm /lib/security/pam_stack.so
 
Note: Centrify does not use it, we just check for its presence - to configure /etc/pam.d/sshd properly.
 
Resolution:
 
This is targeted to be fixed in a future release of the product. The fix is the installer script will check the presence of the 64-bit pam library in addition to 32-bit
 

Related Articles

 articleCentrify's Privileged Identity Management Solution for Big Data article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part III articleIdentity and Access Management for Hortonworks Data Platform article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part II article[Labs] Installing Centrify Privilege Service + High-Availability with Windows Failover Clustering articleHow to Use DirectControl to Facilitate Kerberos-based Oracle SSO on Unix and Linux articleKB-6044: How to configure users for automatic Kerberos Credentials for infinite renewal even after users have logged out?