Hey guys, I actually resolved this a while back
http://arstechnica.com/civis/viewtopic.php?f=16&t=1144818, but forgot to post my work here.
Here it is again, in case anyone can make use of it:
I was about to give up when I did a quick Google search and came across
http://www.semicomplete.com/articles/ssh-security/, mentioning "set to /bin/false (or some derivative) on said machines, so the only thing you'll see after you authenticate is the login banner and your connection will close". Hmm, that sounds familiar.
I was fiddling around with /etc/pam.d/system|login|sshd files when I noticed the following being logged in /var/log/auth.log:
Code:
May 18 03:24:47 zfs1ny1usa sshd[45624]: Accepted keyboard-interactive/pam for testuser from 10.10.10.100 port 60619 ssh2
May 18 03:30:03 zfs1ny1usa sshd[45634]: reverse mapping checking getaddrinfo for x61.home.local [10.10.10.100] failed - POSSIBLE BREAK-IN ATTEMPT!
May 18 03:30:03 zfs1ny1usa sshd[45634]: User monkeytest not allowed because shell /bin/false does not exist
May 18 03:30:03 zfs1ny1usa sshd[45634]: in openpam_load_module(): no /usr/local/lib/pam_mkhomedir.so found
May 18 03:30:03 zfs1ny1usa sshd[45634]: fatal: PAM: initialisation failed
Let's check details for the AD user, monkeytest:
Code:
# getent passwd monkeytest
monkeytest:*:10002:10011:monkey test:/home/HOME/monkeytest:/bin/false
Let's change the shell to /bin/sh:
Code:
# chsh monkeytest
SSH in (using PuTTY)... yay, it works! Here's the auth.log contents now:
Code:
May 19 03:12:57 zfs1ny1usa sshd[48634]: pam_winbind(sshd): user 'monkeytest' granted access
May 19 03:12:57 zfs1ny1usa sshd[48632]: Accepted keyboard-interactive/pam for monkeytest from 10.10.10.100 port 52055 ssh2
No auth.log errors upon exit either. I used to have that problem before when I really screwed around with PAM service files.
But wait, I see this message upon logon:
Code:
Could not chdir to home directory /home/HOME/monkeytest: No such file or directory
Hmm, better check if the absolute path exists:
Code:
# ls -lG
zfs1ny1usa# ls -lG /home/
total 2
drwxr-xr-x 2 testuser testuser 512 May 18 03:24 testuser
Looks like we'll have to create it and set permissions:
Code:
zfs1ny1usa# mkdir /home/HOME
zfs1ny1usa# chmod o+w /home/HOME
zfs1ny1usa# ls -lG
total 4
drwxr-xrwx 2 root wheel 512 May 19 03:36 HOME
drwxr-xr-x 2 testuser testuser 512 May 18 03:24 testuser
And upon logging in again as 'monkeytest', no such warning, I see the directory, and am able to write to it!
Code:
zfs1ny1usa# ls -lG /home/HOME
total 2
drwxr-xr-x 2 monkeytest domain users 512 May 19 03:38 monkeytest
zfs1ny1usa# ls
.cshrc .login_conf .mailrc .rhosts myfirstfile
.login .mail_aliases .profile .shrc
Here are the contents of my /etc/pam.d/sshd:
Code:
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_winbind.so
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required /usr/local/lib/pam_mkhomedir.so
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
I'm quite new to *nix so figuring this stuff out, as simple as it seems, means a great deal to me. (I'm learning, woot!)
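As an added example that is not part of the original post: a small POSIX sh script that reproduces, from a getent passwd line, the two checks behind the log messages above. sshd refuses a user whose login shell does not stat() or is not executable before PAM session setup ever runs, and a home directory whose parent is missing cannot be created by pam_mkhomedir. The script also reports when that parent is world-writable without the sticky bit, since that lets any local user create or rename entries under it. The sample line, the user name and the paths are constructed to mirror the monkeytest entry in the post; the code is illustrative and is not taken from sshd, pam_winbind or pam_mkhomedir.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the checks behind
# "User X not allowed because shell Y does not exist" and
# "Could not chdir to home directory" for one getent passwd line.

# Constructed sample line, mirroring the post's monkeytest entry.
SAMPLE_PASSWD_LINE='monkeytest:*:10002:10011:monkey test:/home/HOME/monkeytest:/bin/false'

# field N LINE: print colon-separated field N of a passwd line.
field() {
    printf '%s\n' "$2" | cut -d: -f"$1"
}

# check_login_shell LINE
# Mirrors the test sshd applies before PAM: the login shell must exist
# (stat() succeeds) and be executable. Returns 0 if usable, 1 otherwise.
# (On FreeBSD false(1) lives in /usr/bin, which is why /bin/false failed.)
check_login_shell() {
    _shell=$(field 7 "$1")
    if [ ! -e "$_shell" ]; then
        echo "shell $_shell does not exist"
        return 1
    fi
    if [ ! -x "$_shell" ]; then
        echo "shell $_shell is not executable"
        return 1
    fi
    echo "shell $_shell ok"
    return 0
}

# check_home_dir LINE
# Returns 0 if the home directory exists; 1 if it is missing but its parent
# exists (pam_mkhomedir can create it at login); 2 if the parent is missing
# too. Warns when the parent is world-writable without the sticky bit.
check_home_dir() {
    _home=$(field 6 "$1")
    _parent=$(dirname "$_home")
    if [ -d "$_home" ]; then
        echo "home $_home exists"
        _rc=0
    elif [ -d "$_parent" ]; then
        echo "home $_home missing, parent $_parent exists (pam_mkhomedir can create it)"
        _rc=1
    else
        echo "parent $_parent missing: create it before the user logs in"
        return 2
    fi
    # Others-write is column 9 of the ls -ld mode string (e.g. drwxr-xrwx);
    # column 10 is t/T when the sticky bit is set, which makes it safe like /tmp.
    _mode=$(ls -ld "$_parent" | cut -c1-10)
    case "$_mode" in
        ????????w[tT]) ;;
        ????????w?) echo "warning: $_parent is world-writable ($_mode)" ;;
    esac
    return $_rc
}

# Stand-alone run against the constructed sample; exit status not used here.
check_login_shell "$SAMPLE_PASSWD_LINE" || true
check_home_dir "$SAMPLE_PASSWD_LINE" || true
```

Run it as `sh check-login.sh`, or source it and call `check_login_shell "$(getent passwd monkeytest)"` on the box; a non-zero return from either function is the condition that produced the corresponding auth.log line.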