I'm trying to debug an issue with OpenSSH, in which a user (user1) can log in, but another (user2) can't (from the same client). Both used to log in without issue.
The main error message seems to be:
```
debug3: auth_shadow_acctexpired: today 19865 sp_expire -1 days left -19866
debug3: account expiration disabled
User {user2} not allowed because account is locked
```
I've checked `/etc/shadow` (password expiry) and `faillock` (blocking log in); neither of them seems to be the issue.
`/etc/shadow`'s config for {user1} is the same as for {user2}. Additionally, I've tried modifying `/etc/shadow`'s user line to `{user2}:!::0::7:::` (no password, no aging). I've also tried `usermod -U {user2}` and `usermod -e 3000-01-01 pacman`.
`faillock` shows no entries and `/var/run/faillock/{user2}` does not exist.
Any suggestions of what can be going wrong? Thanks in advance.
My sshd configuration is (both users have been in the `sshusers` group for a long time):
```
# cat /etc/ssh/sshd_config | grep -v \#
AuthenticationMethods publickey
LoginGraceTime 30s
PermitRootLogin no
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
Subsystem sftp /usr/lib/ssh/sftp-server
AllowGroups sshusers
# cat /etc/ssh/sshd_config.d/*
# sshd_config defaults on Arch Linux
KbdInteractiveAuthentication no
UsePAM yes
PrintMotd no
```
Server debug logs:
```
[...]
debug1: userauth-request for user {user2} service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug3: mm_getpwnamallow: entering [preauth]
debug3: mm_request_send: entering, type 8 [preauth]
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
debug3: mm_request_receive_expect: entering, type 9 [preauth]
debug3: mm_request_receive: entering [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 8
debug3: mm_answer_pwnamallow: entering
debug2: parse_server_config_depth: config reprocess config len 3446
debug3: auth_shadow_acctexpired: today 19865 sp_expire -1 days left -19866
debug3: account expiration disabled
User {user2} not allowed because account is locked
debug3: auth2_setup_methods_lists: checking methods
debug1: authentication methods list 0: publickey
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 0
debug3: mm_request_send: entering, type 9
debug2: monitor_read: 8 used once, disabling now
debug3: process_channel_timeouts: setting 0 timeouts [preauth]
debug3: channel_clear_timeouts: clearing [preauth]
debug3: mm_inform_authserv: entering [preauth]
debug3: mm_request_send: entering, type 4 [preauth]
debug1: kex_server_update_ext_info: Sending SSH2_MSG_EXT_INFO [preauth]
debug3: send packet: type 7 [preauth]
debug3: auth2_setup_methods_lists: checking methods [preauth]
debug1: authentication methods list 0: publickey [preauth]
debug3: authmethod_lookup: method none not allowed by AuthenticationMethods [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey" [preauth]
debug3: send packet: type 51 [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 4 used once, disabling now
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user {user2} service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug2: userauth_pubkey: invalid user {user2} querying public key ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPGpPOIurgz/DVdFO9K9/0bKGi1lhsawlXqfH6WIDeza [preauth]
debug1: userauth_pubkey: publickey test pkalg ssh-ed25519 pkblob ED25519 SHA256:FpPo6lzge9YaFrrrO8txaYXceUVqqfRcUf6ddPIaGck [preauth]
debug2: userauth_pubkey: disabled because of invalid user [preauth]
debug2: userauth_pubkey: authenticated 0 pkalg ssh-ed25519 [preauth]
debug3: user_specific_delay: user specific delay 0.000ms [preauth]
debug3: ensure_minimum_time_since: elapsed 0.063ms, delaying 5.934ms (requested 5.997ms) [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey" [preauth]
debug3: send packet: type 51 [preauth]
Connection closed by invalid user {user2} {IP} port 32868 [preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_request_receive: entering
debug1: do_cleanup
debug1: Killing privsep child 3088955
```
Client debug log:
```
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug3: kex_input_ext_info: extension server-sig-algs
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256>
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug3: ssh_get_authentication_socket_path: path '/tmp/ssh-XXXXXX4m3oU7/agent.1655'
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 1 keys
debug1: Will attempt key: /home/{cliuser}/.ssh/id_ed25519 ED25519 SHA256:FpPo6lzge9YaFrrrO8txaYXceUVqqfRcUf6ddPIaGck agent
debug1: Will attempt key: /home/{cliuser}/.ssh/id_rsa
debug1: Will attempt key: /home/{cliuser}/.ssh/id_ecdsa
debug1: Will attempt key: /home/{cliuser}/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/{cliuser}/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/{cliuser}/.ssh/id_xmss
debug1: Will attempt key: /home/{cliuser}/.ssh/id_dsa
debug2: pubkey_prepare: done
debug1: Offering public key: /home/{cliuser}/.ssh/id_ed25519 ED25519 SHA256:FpPo6lzge9YaFrrrO8txaYXceUVqqfRcUf6ddPIaGck agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/{cliuser}/.ssh/id_rsa
debug3: no such identity: /home/{cliuser}/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/{cliuser}/.ssh/id_ecdsa
debug3: no such identity: /home/{cliuser}/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/{cliuser}/.ssh/id_ecdsa_sk
debug3: no such identity: /home/{cliuser}/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /home/{cliuser}/.ssh/id_ed25519_sk
debug3: no such identity: /home/{cliuser}/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /home/{cliuser}/.ssh/id_xmss
debug3: no such identity: /home/{cliuser}/.ssh/id_xmss: No such file or directory
debug1: Trying private key: /home/{cliuser}/.ssh/id_dsa
debug3: no such identity: /home/{cliuser}/.ssh/id_dsa: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
{user2}@{domain}: Permission denied (publickey).
```
Related software's versions:
libssh 0.10.6-2
libssh2 1.11.0-1
openssh 9.7p1-2
pam 1.6.1-2
pambase 20230918-1
systemd 255.6-1
Last edited by kauron (2024-05-24 09:01:58)
Solved. I focused on the account expiration disabled error and tried to investigate further in that direction. It turns out that the password was not empty or expired (as I thought), but locked. I checked with:
```
# userdbctl user {user2}
...
Password OK: no (locked)
```
Then I updated the password to a random string:
```
# passwd {user2}
```
Finally, I deleted the password and checked the user status again:
```
# passwd -d {user2}
# userdbctl user {user2}
...
Password OK: no (empty set)
```
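An added example, not part of the original posts: per shadow(5), a password field that starts with `!` is a locked password, so the `{user2}:!::0::7:::` line tried in the first post is itself the "locked" state that `userdbctl` reported, while the field left by `passwd -d` is empty. The helper names `shadow_pw_state` and `locked_accounts` and the sample lines (with fake hashes) are constructed for illustration.

```shell
#!/bin/sh
# Classify the password field (2nd field) of one shadow(5) line.
# shadow_pw_state is a hypothetical helper name, not part of any tool.
shadow_pw_state() {
    line=$1
    case $line in
        *:*) ;;
        *) echo malformed; return 1 ;;
    esac
    rest=${line#*:}        # drop the login name
    field=${rest%%:*}      # keep only the password field
    case $field in
        '')   echo empty ;;              # what "passwd -d" leaves behind
        '!'*) echo locked ;;             # "!" alone or "!" + hash: locked
        '*'*) echo no-password-login ;;  # not a valid crypt(3) result
        *)    echo hashed ;;
    esac
}

# Read shadow-format lines on stdin, print the names of locked accounts.
locked_accounts() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if [ "$(shadow_pw_state "$line")" = locked ]; then
            printf '%s\n' "${line%%:*}"
        fi
    done
}

# Constructed sample in shadow(5) layout; the hashes are fake placeholders.
SAMPLE='user1:$y$j9T$CONSTRUCTED$FAKEHASH:19800:0:99999:7:::
user2:!::0::7:::
user3:!$y$j9T$CONSTRUCTED$FAKEHASH:19800:0:99999:7:::
user4::19800:0:99999:7:::
daemon:*:19800::::::'

# On a real host, run as root: locked_accounts < /etc/shadow
printf '%s\n' "$SAMPLE" | locked_accounts
```
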