Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-4228: Nobody can ssh on RHEL4 (64-bit only) server

Centrify DirectControl ,  

12 April,16 at 11:13 AM

KB-4228: Nobody can ssh on RHEL4 (64-bit only) server
 
Applies to:
 
Centrify-enabled OpenSSH-6.2 (with suite 2014 or earlier) on RHEL 4.x (64-bit) servers only
 
Problem:
 
After installing the standard suite which installs Centrify-enabled OpenSSH by default, nobody (AD or root or local user) can ssh to the server.

The following lines (snippets) are observed in system logs

...PAM unable to dlopen (/lib64/security/system-auth)
...PAM [dlerror : /lib64/security/system: cannot open shared object file: No such file or directory]

 
Cause:
 
The Centrify openssh installation post-install script in the RPM fixes /etc/pam.d/sshd. It looks for /lib/security/pam_stack.so.
 
It should check /lib64/security for it as well. It does not and therefore the issue
 
The net consequence is it put in the wrong pam.d/sshd for RHEL4, thus blocking login. 
 
Workaround:
 
If its too late, meaning nobody can login including root, local or AD users, use console and follow the below steps as root. 
 
The below steps are applicable even before the issue happens.
 
1) Customers need to temporarily create a /lib/security/pam_stack.so using touch command.
 
2) The execution bit should be turned on. chmod +x /lib/security/pam_stack.so 
 
3) Re-Install Centrify-OpenSSH
 
4) Go to step 1) and remove the file #rm /lib/security/pam_stack.so
 
Note: Centrify does not use it, we just check for its presence - to configure /etc/pam.d/sshd properly.
 
Resolution:
 
This is targeted to be fixed in a future release of the product. The fix is the installer script will check the presence of the 64-bit pam library in addition to 32-bit
 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-7120: Suite 2016.1 Deployment Manager is reporting unsupported CentOS 6.8 articleKB-6050: How to configure a group for automatic Kerberos Credentials for infinite renewal? articleKB-6044: How to configure users for automatic Kerberos Credentials for infinite renewal even after users have logged out? articleKB-4303: How to troubleshoot SSH Single-Sign-On (SSO) and nested SSO? articleKB-3285: How to Collect Debug Logs from an OpenSSH Server articleKB-7070: ssh to server failed with 'Too many authentication failures for <user>' articleKB-2067: Why UID/GID is set to "nobody" when new files created via NFSv4? articleKB-2481: How to configure stock SSH for Kerberos