On a VM I am initializing I am able to log in as one non-root user (admin
) but not another (tbbscraper
) over SSH with public key authentication. The only error message I can find in any log file is
Sep 18 17:21:04 [REDACTED] sshd[18942]: fatal: Access denied for user tbbscraper by PAM account configuration [preauth]
On the client side, the syndrome is
$ ssh -v -i [REDACTED] tbbscraper@[REDACTED]
...
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: [REDACTED]
debug1: Authentications that can continue: publickey
debug1: Trying private key: [REDACTED]
debug1: read PEM private key done: type RSA
Connection closed by [REDACTED]
Changing 'tbbscraper' to 'admin' allows a successful login: debug1: Authentication succeeded (publickey).
appears instead of the "Connection closed" message.
This doesn't seem to be a permissions problem…
# for x in admin tbbscraper
> do ls -adl /home/$x /home/$x/.ssh /home/$x/.ssh/authorized_keys
> done
drwxr-xr-x 3 admin admin 4096 Sep 18 17:19 /home/admin
drwx------ 2 admin admin 4096 Sep 18 16:53 /home/admin/.ssh
-rw------- 1 admin admin 398 Sep 18 17:19 /home/admin/.ssh/authorized_keys
drwxr-xr-x 3 tbbscraper tbbscraper 4096 Sep 18 17:18 /home/tbbscraper
drwx------ 2 tbbscraper tbbscraper 4096 Sep 18 17:18 /home/tbbscraper/.ssh
-rw------- 1 tbbscraper tbbscraper 398 Sep 18 17:18 /home/tbbscraper/.ssh/authorized_keys
# cmp /home/{admin,tbbscraper}/.ssh/authorized_keys ; echo $?
0
… nor a PAM-level access control problem …
# egrep -v '^(#|$)' /etc/security/*.conf
#
… so none of the existing answers to similar questions would seem to apply. The only other piece of evidence I've got is:
root@[REDACTED] # su - admin
admin@[REDACTED] $
but
root@[REDACTED] # su - tbbscraper
su: Authentication failure
(Ignored)
tbbscraper@[REDACTED] $
which suggests some larger-scale PAM issue, but I can't find anything obviously wrong with the stuff in /etc/pam.d
. Any ideas?
The VM is an EC2 instance, OS is Debian 7.1 (Amazon's off-the-shelf AMI).
Best Answer
After all that, it turns out to have been a one-character typo in
/etc/shadow
. Spot the difference:That's right, there are two colons after the exclamation point on the
tbbscraper
line. That shoves all the fields over one and makes PAM think that the account expired on January 8, 1970.