Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0)

Centrify DirectControl ,  

10 October,16 at 11:07 PM

Applies to:


Centrify-enabled OpenSSH 5.3.0 and higher on all platforms
Problem:

After upgrading the Unix Agent to Suite 2016 or Suite 2016.1, root account  cannot login.  Getting 'Permission denied'. 


Cause:


A few changes has been made when Centrify DirectControl Suite 2016 was released which affect Centrify OpenSSH.
The following information is quoted from Centrify DirectControl Release Notes Suite 2016 (attached).
 
Centrify OpenSSH 5.3.0 is upgraded to OpenSSH 7.1p1. Unlike the stock OpenSSH, Centrify OpenSSH still supports SSH version 1 protocol in this version. (Ref: CS-8245)
In addition, there are a few behavior changes from Centrify OpenSSH 5.2.3, which is based on OpenSSH 6.7p1:
o    The default for the sshd_config(5) PermitRootLogin option is changed from "yes" to "prohibit-password".
o    Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by default at run-time.  This means the user with RSA public key will fail to login now as default.
o    UseDNS now defaults to 'no'.
o    Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is disabled by default at run-time.
o    Support for tcpwrappers/libwrap is removed.

For details, refer to the stock OpenSSH 7.1p1 release notes.
·          A new keyword, 'Krb5ccUnique' is added to Centrify sshd_config to specify whether Centrify sshd should generate a unique credential cache name when storing the Kerberos credentials cache.  The default is “yes” (enabled). If it is “no” (disabled), the old style credential cache name, krb5cc_<uid> or KCM:<uid>, is used. (Ref: CS-8250)
·          Starting with Suite 2016, install.sh no longer installs Centrify OpenSSH by default. To do so, please use the Custom installation option. However, if Centrify OpenSSH is already installed, it will be automatically upgraded. (Ref CS-32389, CS-38266)

Please note that, you will still need to install Centrify OpenSSH on AIX in the following cases:
o    If you use DirectAudit. Otherwise local users will not be audited.
o    If you have local user and AD user with the same name but different UNIX profiles. Centrify OpenSSH will resolve this whereas AIX SSH will not handle this.


Resolution:


To allow root to login, edit /etc/centrifydc/ssh/sshd_config

change 
# PermitRootLogin prohibit-password

to
PermitRootLogin yes

Save the file

Stop and start Centrify OpenSSH:

# service centrify-sshd stop
# service centrify-sshd start


 
Attachments:

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.