KB-4228: Nobody can ssh on RHEL4 (64-bit only) server
Applies to:
Centrify-enabled OpenSSH-6.2 (with suite 2014 or earlier) on RHEL 4.x (64-bit) servers only
Problem:
After installing the standard suite, which installs Centrify-enabled OpenSSH by default, nobody (AD, root, or local user) can ssh to the server.
The following lines (snippets) appear in the system logs:
...PAM unable to dlopen (/lib64/security/system-auth)
...PAM [dlerror : /lib64/security/system: cannot open shared object file: No such file or directory]
Cause:
The post-install script in the Centrify OpenSSH RPM fixes up /etc/pam.d/sshd. It looks for /lib/security/pam_stack.so.
It should check /lib64/security for the file as well. It does not, which causes the issue.
The net consequence is that it installs the wrong pam.d/sshd for RHEL4, blocking login.
Workaround:
If it is too late, meaning nobody can log in (root, local, or AD users), use the console and follow the steps below as root.
The same steps can also be applied before the issue happens.
1) Temporarily create /lib/security/pam_stack.so using the touch command.
2) Turn on the execute bit: chmod +x /lib/security/pam_stack.so
3) Reinstall Centrify-OpenSSH
4) Remove the file created in step 1): rm /lib/security/pam_stack.so
Note: Centrify does not use this file; the installer only checks for its presence in order to configure /etc/pam.d/sshd properly.
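Workaround steps 1) to 4) above can be wrapped in one shell function so the placeholder is removed even when the reinstall fails, and an existing /lib/security/pam_stack.so is never overwritten or deleted. This is an added example, not Centrify's own script; the function name and the PAM_ROOT dry-run prefix are assumptions, and the reinstall command is supplied by the caller because this article does not name the package.

```shell
#!/bin/sh
# Added example (not Centrify code): run a reinstall command while a temporary
# /lib/security/pam_stack.so placeholder exists, then clean the placeholder up.
# PAM_ROOT is a hypothetical prefix for dry runs; leave it unset on a real host.
# Usage, as root from the console:
#   with_pam_stack_placeholder <your reinstall command and arguments>

with_pam_stack_placeholder() {
    placeholder="${PAM_ROOT:-}/lib/security/pam_stack.so"
    created=0

    if [ $# -eq 0 ]; then
        echo "usage: with_pam_stack_placeholder <reinstall command...>" >&2
        return 2
    fi

    # Steps 1 and 2: create an empty, executable placeholder, but leave any
    # pam_stack.so that is already present untouched.
    if [ ! -e "$placeholder" ]; then
        if ! touch "$placeholder" || ! chmod +x "$placeholder"; then
            echo "cannot create $placeholder" >&2
            return 1
        fi
        created=1
    fi

    # Step 3: run the caller-supplied reinstall command and keep its status.
    rc=0
    "$@" || rc=$?

    # Step 4: remove the placeholder only if this run created it and it is
    # still the empty file made above.
    if [ "$created" -eq 1 ] && [ ! -s "$placeholder" ]; then
        rm -f "$placeholder"
    fi
    return "$rc"
}
```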
Resolution:
This is targeted to be fixed in a future release of the product. The fix is that the installer script will check for the presence of the 64-bit PAM library in addition to the 32-bit one.