[CentOS] Authentication Problems

Wed Feb 16 14:13:34 UTC 2011
James Bensley <jwbensley at gmail.com>

Thanks to all for your various replies....

On 16 February 2011 12:50, Nico Kadel-Garcia <nkadel at gmail.com> wrote:
>>> Check the /etc/shadow and /etc/group for consistent numbers of
>>> entries, and /etc/group and /etc/gshadow.
>> Do you mean duplicate entries? If so there are none of those.
> No, I mean the same number of entries.
>     wc /etc/shadow /etc/passwd

>     cut -f1 -d: /etc/shadow /etc/passwd | sort | uniq -c

This came back 2 for each user, so no differences.

> And actually go line by line down these files, checking for matching
> usernames, correct layout of ':' separated entries, correct numbers of
> entries, and blank lines. I've seen serious problems where one or the
> other of these files were corrupted by something, especially badly
> written installer scripts that only edited /etc/passwd directly and
> ignored /etc/shadow, or which mishandled "$" entries in newly created
> encrypted passwords.

I'm now going through this although it's all looking intact.

>>> Do you have other users who
>>> can still log in or not?
>> There is only the root and web dev user on this box.
> Are you *sure*? Can you back this thing up for review and rebuilding?
> It might be safest to image it for analysis and simply rebuild it.

Yes, but I like to fix things. If I can't fix this I will restore the
box but for now I'm going to continue troubleshooting. The root user
and web dev user are the only two that have a hash value in the passwd
file so I would expect this to mean they are the only two users that
can actually log in?

On 16 February 2011 12:59, David Sommerseth <dazo at users.sourceforge.net> wrote:
> - Could the account have become locked somehow?  (passwd -u $user)  Or
> could the account have become expired?

[root at server ~]# passwd -u futuread.
Unlocking password for user futuread.
paswd: Success.

But I still get access denied.

> - Are the permissions strict on the users ~/.ssh?  (0700 on the directory,
> and 0600 on any files inside that directory - like authorized_keys ...)

If I remove execute permissions from the web dev home folder a website
will stop working, it's within that user's home folder. I.e. virtual
site1 is inside the home folder of user 'virtual1' and virtual site2
is within the home folder of the user 'virtual2'. The web dev chap
logs in as, say, virtual1 and edits all sites with that account. There
is no .ssh subfolder in the home folder? Could this be the problem? If
he saw it in there and deleted it perhaps (although I imagine it would
just be recreated if needed?).

> - Is SELinux in Enforced mode and are the SELinux file contexts correct on
> /home?  (restorecon -rv /home)

[root at server ~]# getenforce

> Also double check /var/log/messages, /var/log/secure and
> /var/log/audit/audit.log carefully when trying to log in as that user.

/var/log/audit is empty. Is this normal, this VPS comes initially
configured from the provider? /var/log/messages and /var/log/secure
both just show a generic invalid login attempt:

Feb 16 13:53:58 server1882 sshd(pam_unix)[16225]: authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=

Feb 16 13:53:50 server1882 sshd[16225]: Failed password for futuread
from ::ffff: port 1536 ssh2

On 16 February 2011 13:08, Kwan Lowe <kwan.lowe at gmail.com> wrote:
> A lot of things can cause this, including a full /var filesystem :/

Nope, only 75% full (60GB filesystem), there's some room left in her yet ;)

Thanks everyone for your help so far, it's really appreciated.


There are 10 kinds of people in the world; Those who understand
Vigesimal, and J others...?
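
The line-by-line comparison of /etc/passwd and /etc/shadow suggested in the quoted replies above (matching usernames, ':'-separated field counts, blank lines, damaged "$" hashes, locked accounts), as an added example that is not part of the original message or thread. The function names are constructed for this example, and it assumes the standard layouts of 7 fields in passwd and 9 in shadow.

```shell
#!/bin/sh
# Added example; function names are constructed. Run against copies of the files.

# check_auth_files PASSWD SHADOW
# One finding per line; returns 1 if the two files are inconsistent.
check_auth_files() {
    awk -F: -v pw="$1" '
        function report(msg) { print msg; bad = 1 }
        /^[ \t]*$/ { report(FILENAME ":" FNR ": blank line"); next }
        FILENAME == pw {
            if (NF != 7) report(FILENAME ":" FNR ": " NF " fields, expected 7")
            if ($1 in in_pw) report(FILENAME ":" FNR ": duplicate user " $1)
            in_pw[$1] = 1
            next
        }
        {
            if (NF != 9) report(FILENAME ":" FNR ": " NF " fields, expected 9")
            if ($1 in in_sh) report(FILENAME ":" FNR ": duplicate user " $1)
            in_sh[$1] = 1
        }
        END {
            for (u in in_pw) if (!(u in in_sh)) report(u ": in passwd, missing from shadow")
            for (u in in_sh) if (!(u in in_pw)) report(u ": in shadow, missing from passwd")
            exit bad + 0
        }' "$1" "$2"
}

# password_state SHADOW
# Prints "user state" for every account, judging only the password field.
password_state() {
    awk -F: '
        /^[ \t]*$/ { next }
        {
            h = $2
            if (h == "") s = "empty"                  # no password required
            else if (h ~ /^[!*]+$/) s = "none"        # only lock markers, no hash
            else if (h ~ /^!/) s = "locked"           # lock marker in front of a hash
            else if (h ~ /^\$/ && h !~ /^\$[0-9a-z]+\$.+\$[.\/0-9A-Za-z]+$/)
                s = "malformed"                       # $id$salt$hash is incomplete
            else s = "usable"
            print $1, s
        }' "$1"
}
```

The state reported covers password logins only; SSH key authentication is decided separately. `pwck -r` from shadow-utils runs a comparable read-only check on the live files.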