SSH – Allow both domain users *and* local users to CentOS 7 server

Tags: authentication, centos7, pam, ssh

I need to allow domain users (userid and password) access to a CentOS 7 server, as well as local users (SSH key/passwordless).
I have configured sshd_config with both AllowUsers and AllowGroups and assumed that if I added the local user to those it should work.
However, I'm getting an error when local users try to log in:

sshd[23906]: pam_sss(sshd:account): Access denied for user datahub_push: 10 (User not known to the underlying authentication module)
sshd[23906]: fatal: Access denied for user datahub_push by PAM account configuration [preauth]

The domain users work just fine and have an entry under AllowGroups in sshd_config.
After some googling there is a suggestion that I need to modify:

/etc/pam.d/sshd

…but I'm not sure what to change, or whether editing that file is best practice, i.e. should I use the authconfig tool instead?

Any help hugely appreciated.

Best Answer

I fixed it myself! I added the following line to

/etc/pam.d/sshd

account    sufficient   pam_localuser.so

After a restart of sshd I am now able to log in as a domain user and a local user. Here's the full, working file:

#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    sufficient   pam_localuser.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

Hope this helps someone else :)
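
Added example (not part of the original answer): with the `sufficient` control, the account stack ends as soon as pam_localuser.so succeeds, so the account entries listed after it are not evaluated for local users. This Python script lists those entries for the file above and for a constructed variant with pam_nologin.so moved first; the function names and the variant are assumptions made for illustration.

```python
import re

# One PAM entry: optional "-", type, control (plain or [bracketed]), module.
ENTRY = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

# Account lines as posted in the answer above.
ANSWER_FILE = """\
#%PAM-1.0
auth       substack     password-auth
account    sufficient   pam_localuser.so
account    required     pam_nologin.so
account    include      password-auth
"""

# Constructed variant (an assumption, not from the answer): pam_nologin.so first.
REORDERED = """\
account    required     pam_nologin.so
account    sufficient   pam_localuser.so
account    include      password-auth
"""

def account_stack(pam_text):
    """Return [(control, module)] for 'account' entries, in file order."""
    stack = []
    for raw in pam_text.splitlines():
        m = ENTRY.match(raw.split("#", 1)[0].strip())
        if m and m.group(2).lower() == "account":
            stack.append((m.group(3), m.group(4)))
    return stack

def skipped_for_local_users(pam_text):
    """Entries a local user never reaches after 'sufficient pam_localuser.so'.

    A successful 'sufficient' module ends the stack at once, provided no
    earlier required module has failed; 'include' lines stand for every
    account module in the included file.
    """
    stack = account_stack(pam_text)
    for i, (control, module) in enumerate(stack):
        if control == "sufficient" and module == "pam_localuser.so":
            return stack[i + 1:]
    return []

if __name__ == "__main__":
    for name, text in (("answer", ANSWER_FILE), ("reordered", REORDERED)):
        skipped = skipped_for_local_users(text)
        print(name, "->", ", ".join(f"{c} {m}" for c, m in skipped) or "nothing")
```

For the posted file this reports pam_nologin.so and the password-auth include as skipped for local users; in the variant only the password-auth include is skipped.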