DaemonForums  

#1
26th May 2008
cmdba
New Accounts Unable to Authenticate

Hello All,

I'm experiencing a problem where newly created accounts are unable to authenticate when logging in with a new SSH session - even though I can 'su -' to them from another luser account (password works).

Environment: FreeBSD 6.2-RELEASE

This seems to have started around the time I added a new group to /etc/group and assigned it a new group number.

newgroup:*:1006:www,otrs

When I looked at the /etc/password entry for new accounts, the uid/gid assignment was out of sync, like this:

test1:*:1007:1008:test1:/home/test1:/bin/tcsh
test2:*:1009:1010:test2:/home/test2:/bin/tcsh


(I was using default values (just hitting enter) for the assignment of user/group during the adduser process.)

I thought this might have something to do with it, so I deleted the new accounts (this was only happening for accounts created after the new group 'newgroup' was added). I then deleted the group 'newgroup'. When I then added new users, the gid/uid entries in /etc/password had the same values as I would expect:

test1:*:1007:1007:test1:/home/test1:/bin/tcsh
test2:*:1008:1008:test2:/home/test2:/bin/tcsh


... but I still have the same problem with logging in - I can 'su - ' to the new account from a pre-existing (non-root) luser account, but cannot log in fresh with the new user itself.

When I try to log in as the new user, I get 'Access Denied'.
/var/log/messages shows:
sshd[59417]: error: PAM: authentication error for illegal user test1 from 11.22.33.44

Anyone have a clue what's going on here?

Thanks,

Shawn

#2
26th May 2008
Dazhelpwiz

Check your /etc/login.access file.

#3
26th May 2008
cmdba

/etc/login.access has not been touched.
Still a "virgin" file - everything commented out.

#4
26th May 2008
robbak (Real Name: Robert Backhaus)

No idea, my friend, but I've got a few ideas.

First, could you check your /etc/ssh/sshd_config file for any "AllowUsers", "DenyUsers", "AllowGroup" or "DenyGroup" entries? (Or any other "Allow..." or "Deny..." entries that sound suspicious.)

I have a feeling that there are some other deny files that ssh checks, but cannot find them at the moment.
__________________
The only dumb question is a question not asked.
The only dumb answer is an answer not given.

#5
26th May 2008
cmdba

Thanks robbak!

The /etc/ssh/sshd_config was the key.
I had "AllowGroups" set to only a couple of groups, and I had not added the new accounts to either of them in the 'adduser' process. It had been quite a while since I added a new account, and I'd forgotten about my restrictive AllowGroups policy in the meantime. I'll make a memo of it in my system documentation so as not to forget next time!!

Thanks so much for the helpful pointer,

Shawn
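
The cause found in this thread was that the new accounts were not members of any group listed under AllowGroups in /etc/ssh/sshd_config. As an added example (not part of the original thread), the POSIX shell functions below compare a user's primary and supplementary groups with the AllowGroups patterns; the function names and the optional file-path parameters are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): does USER pass sshd's AllowGroups check?
# Simplifications: plain names and * / ? patterns only; no "!" negation,
# no Match blocks.

# user_groups USER PASSWD GROUP: print the user's group names, one per line.
user_groups() {
    # Primary group: gid is field 4 of the passwd entry.
    gid=$(awk -F: -v u="$1" '$1 == u { print $4; exit }' "$2")
    [ -n "$gid" ] || return 1
    awk -F: -v gid="$gid" '$3 == gid { print $1 }' "$3"
    # Supplementary groups: user appears in the member list (field 4).
    awk -F: -v u="$1" '{ n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$3"
}

# allowed_groups SSHD_CONFIG: print every AllowGroups pattern, one per line.
# Keywords are case-insensitive; commented-out lines do not match.
allowed_groups() {
    awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# check_allowgroups USER [SSHD_CONFIG] [PASSWD] [GROUP]
# Exit status: 0 = permitted, 1 = blocked by AllowGroups, 2 = unknown user.
# The body is a subshell so that "set -f" (no filename globbing while the
# patterns are word-split) does not leak into the caller.
check_allowgroups() (
    set -f
    user=$1 conf=${2:-/etc/ssh/sshd_config}
    pw=${3:-/etc/passwd} gr=${4:-/etc/group}
    ugroups=$(user_groups "$user" "$pw" "$gr") ||
        { echo "$user: no passwd entry"; exit 2; }
    patterns=$(allowed_groups "$conf")
    [ -n "$patterns" ] ||
        { echo "$user: AllowGroups not set, no group restriction"; exit 0; }
    for g in $ugroups; do
        for p in $patterns; do
            case $g in
                $p) echo "$user: permitted via group $g"; exit 0 ;;
            esac
        done
    done
    echo "$user: blocked, member of none of: $(echo $patterns)"
    exit 1
)

# Run directly: sh check_allowgroups.sh test1
if [ $# -gt 0 ]; then check_allowgroups "$@"; fi
```

Running it for each account right after adduser shows whether the account still has to be added to one of the permitted groups before its first SSH login.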