-
Title
Can not sshd into the system, other method of authentication work. How to turn on sshd in debug mode. -
Description
Can not sshd into the system with active directory account. Oher methods of authentication such as su, telnet, ftp,console are working with Active Directory account.
su - <username> and then enter password is successful.
vastool -u <username> auth reports successful.
-
Resolution
1 - Ensure the sshd version you are running is compiled with Pam libraries. You can do this by issuing the following command:
ldd <path to sshd binary> command and then look for pam library in the output.
2 - Ensure pam setting in the sshd_config file is enabled.
In some cases this will be UsePAM yes setting.
3 - Retart sshd
If this does not work, please follow the below instructions to collect data for Quest Techical Support and open a Service Request:
1 - You will need 2 windows open. Please note that path to sshd may vary on system please change to correct path.
a) Start SSH daemon in debugging and log to file
/usr/sbin/sshd -ddd -p 2222 2>&1 | tee /tmp/vas_sshd.log
Once the screen stops scrolling follow on to the next step in another window
b) Attempt to log into the SSH daemon running in debug mode on port 2222:
/usr/bin/ssh -vvv -p 2222 <vasuser>@localhost 2>&1 | tee /tmp/vas_ssh.log
2 - Please run as root the following script: /opt/quest/libexec/vas/scripts/vas_snapshot.sh
It will create vas_snapshot.(machine-name).tar.gz file in your /tmp directory.3 -Attach the following files to the Service Request you opened: /tmp/vas_ssh.log, /tmp/vas_sshd.log, vas_snapshot.(machine-name).tar.gz file and any syslog message that are relevant.
-
Additional Information
In some SSH versions ( openSSH pre-3.9, and SSH2 ( Sun's SSH 1.0/1 ) known ), password authentication ( as apposed to keyboard-interactive ) was not fully PAM compliant.
To force the system to use keyboard interactive instead of password edit the sshd_config and set either UsePassword No or PasswordAuthentication No depending on your sshd version