At every login or sudo prompt, the server always rejects the password when it is first supplied, but accepts it the second time. I found this thread which describes what seems to be the same problem, but playing around with my /etc/pam.d/system-auth file along the lines of the solution described there didn't work for me. Changing the first instance of 'try_first_pass' to 'use_first_pass', for example, made login authentication fail continuously, as did removing 'nullok'. Does anyone know what needs to be changed to make the system accept correct passwords the first time around?
/etc/pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
Edit: In response to a comment, here's /etc/pam.d/login:
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
-session optional pam_ck_connector.so
Let me add that all I know about authorization is what I've been able to google in the last hour or so; I'm tackling this problem out of desperation because our IT guy hasn't. So please pitch your answers accordingly. I have a reasonable general familiarity with Linux.
Edit: Responding to another comment, here is what shows up in /var/log/secure during a typical login attempt (where the password was entered correctly both times). Info like server name and IP has been changed.
Oct 28 07:37:41 myserver sshd[944]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=asus-laptop-abc.def.ghi.edu user=matt
Oct 28 07:37:41 myserver sshd[944]: pam_ldap: ldap_starttls_s: Operations error
Oct 28 07:37:43 myserver sshd[944]: Failed password for matt from 123.456.78.90 port 12345 ssh2
Oct 28 07:37:47 myserver sshd[944]: pam_sss(sshd:account): Access denied for user matt: 10 (User not known to the underlying authentication module)
Oct 28 07:37:47 myserver sshd[944]: Accepted password for matt from 123.456.78.90 port 12345 ssh2
Oct 28 07:37:47 myserver sshd[944]: pam_unix(sshd:session): session opened for user matt by (uid=0)
Interestingly, the above is different from what happens if I enter a genuinely incorrect password the first time; in that case there is this additional line after the first pam_ldap call:
Oct 28 08:13:13 myserver sshd[1054]: pam_ldap: error trying to bind as user "uid=matt,ou=People,dc=abc,dc=ghi,dc=edu" (Invalid credentials)
So the system knows the credentials are right in the former case, but fails the login anyway?! And here is what happens when I use sudo, which also forces a double login (in this case to use nano to read /var/log/secure):
Oct 28 08:13:27 myserver sudo: pam_unix(sudo:auth): authentication failure; logname=matt uid=1000 euid=0 tty=/dev/pts/2 ruser=matt rhost= user=matt
Oct 28 08:13:32 myserver sudo: matt : TTY=pts/2 ; PWD=/home_dir/home/matt ; USER=root ; COMMAND=/bin/nano /var/log/secure
Edit: This problem doesn't exist when I log in as root! It accepts the password on the first try, and /var/log/secure looks like this, which I presume is normal:
Oct 29 14:25:58 myserver sshd[7074]: Accepted password for root from 123.456.78.90 port 12345 ssh2
Oct 29 14:25:58 myserver sshd[7074]: pam_unix(sshd:session): session opened for user root by (uid=0)
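The control-flag interplay the question is experimenting with can be checked on paper. What follows is an added example, not code from the original post or from Linux-PAM: a small Python simulator that parses the auth lines of the posted system-auth (keyword controls only; include and [value=action] forms are not handled), combines module results the way the Linux-PAM dispatcher does (required/requisite/sufficient/optional expand to the ok/bad/die/done/ignore actions of pam.conf(5)), and models try_first_pass and use_first_pass in a reduced way. The per-module results it feeds in are assumptions chosen to mirror the posted log, not measurements: pam_unix always fails for a directory-only account, there is no fingerprint reader, and pam_ldap fails once and then accepts the same password. The password `correct-horse`, the result table and all function names are constructed for the example.

```python
"""Added example, not from the original post or from Linux-PAM: a simulator of how
Linux-PAM combines an `auth` stack's results, with a reduced model of
try_first_pass / use_first_pass.  Per-module results below are assumptions
chosen to mirror the posted /var/log/secure lines, not real module output."""
from typing import Callable, Dict, List, Optional

# How the simple control keywords expand, per pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

def parse_stack(text: str, facility: str = "auth") -> list:
    """Parse one facility's lines into (return value -> action, module, args) triples."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 3 or tokens[0].lstrip("-") != facility:  # '-': skip if module missing
            continue
        tokens = tokens[1:]
        actions = KEYWORDS[tokens.pop(0)]      # KeyError for include / [value=action]: not modelled
        entries.append((actions, tokens[0], tokens[1:]))
    return entries

def run_stack(entries: list, outcome: Callable, trace: Optional[List[str]] = None) -> str:
    """Combine return values as Linux-PAM's dispatcher does (numeric jump actions not modelled)."""
    state: Dict[str, Optional[str]] = {"authtok": None}   # PAM_AUTHTOK, shared down the stack
    impression, status = None, None                        # None = undecided, True / False = +/-
    for actions, module, args in entries:
        ret = outcome(module, args, state)
        action = actions.get(ret, actions.get("default", "bad"))
        if trace is not None:
            trace.append(f"{module:<18} {ret:<17} -> {action}")
        if action in ("ok", "done"):
            if ret != "ignore" and (impression is None or (impression and status == "success")):
                impression, status = True, ret              # never overrides an earlier failure
            if action == "done" and impression:
                break                                       # a `sufficient` module succeeded
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, ret             # the first failure's code is reported
            if action == "die":
                break                                       # a `requisite` module failed
        elif action != "ignore":
            raise ValueError(f"unsupported action {action!r}")
    return "perm_denied" if impression is None or status == "ignore" else status

def make_outcome(results: Dict[str, object], typed: List[str]) -> Callable:
    """Per-module result callback.  Callable results are password checks: use_first_pass never
    prompts (fails if nothing is stored), try_first_pass reuses a stored token and prompts only
    if that fails, and with neither option the module prompts."""
    queue = list(typed)
    def outcome(module: str, args: List[str], state: Dict[str, Optional[str]]) -> str:
        res = results.get(module, "ignore")                # unmodelled modules contribute nothing
        if not callable(res):
            return res
        stored = state["authtok"]
        if stored is not None and ("use_first_pass" in args or "try_first_pass" in args):
            code = res(stored)
            if code == "success" or "use_first_pass" in args:
                return code
        elif "use_first_pass" in args:
            return "authtok_err"                           # nothing to reuse, not allowed to ask
        if not queue:
            return "authtok_err"                           # conversation failed: nothing typed
        state["authtok"] = queue.pop(0)
        return res(state["authtok"])
    return outcome

SYSTEM_AUTH = """\
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
"""  # the auth lines of the posted /etc/pam.d/system-auth

def login_sequence(stack_text: str, typed_per_attempt: List[List[str]], ldap_codes: List[str],
                   trace: Optional[List[str]] = None) -> List[str]:
    """One pam_authenticate() per attempt for a directory-only user.  Assumptions, not facts from
    the post: no local shadow entry (pam_unix always fails), no fingerprint reader, and pam_ldap
    answers `ldap_codes` in order when given the right password."""
    ldap_queue = list(ldap_codes)
    results = {
        "pam_env.so": "success", "pam_fprintd.so": "authinfo_unavail", "pam_deny.so": "auth_err",
        "pam_succeed_if.so": "success", "pam_unix.so": lambda pw: "auth_err",   # uid 1000 >= 500
        "pam_ldap.so": lambda pw: ("auth_err" if pw != "correct-horse"          # constructed password
                                   else ldap_queue.pop(0) if ldap_queue else "success"),
    }
    entries = parse_stack(stack_text)
    return [run_stack(entries, make_outcome(results, typed), trace) for typed in typed_per_attempt]

if __name__ == "__main__":              # replay what the posted log shows: rejected, then accepted
    t: List[str] = []
    res = login_sequence(SYSTEM_AUTH, [["correct-horse"]] * 2, ["authinfo_unavail", "success"], t)
    print(*t, res, sep="\n")
```

Run as a script it prints the per-module trace of the two attempts: the first ends at pam_deny.so with auth_err, because a non-success from a `sufficient` module (pam_unix, then pam_ldap) is silently ignored and the stack falls through to pam_deny; the second ends at pam_ldap.so with `done` as soon as the bind succeeds. Swapping pam_unix's try_first_pass for use_first_pass in the simulated stack reproduces the "fails continuously" result the question reports: with use_first_pass on both password modules nobody ever prompts, no password is collected, and pam_deny.so decides regardless of what was typed. The simulator cannot say why pam_ldap's first bind fails; that is the question the `ldap_starttls_s: Operations error` line raises. One check before editing any stack: the posted sshd log shows pam_sss in the account phase, yet neither posted file lists pam_sss, so sshd is evidently reading a stack that was not posted. `grep -n include /etc/pam.d/sshd /etc/pam.d/sudo` shows which file each service actually pulls in (on some distributions it is password-auth rather than system-auth), and that file's auth lines are the ones to feed to parse_stack.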
Best Answer
I don't have enough rep to comment, it seems, so this is a bit of a shot-in-the-dark attempt at an answer.
I have to wonder if this part of your log is indicating the culprit. My suspicion is that your ldap config is mishandling TLS in some way that causes the connection to fail.
Notice the responses from each module:
So what we have here is ldap saying it failed due to error, sss saying it doesn't know who you are, and local auth saying successful.
Directions to consider: