Sorry for the delay on this.
###
#
# PAM Configuration File
#
#########################################################################
# change log:
# 01/19/12 michael - add in stanzas to make this a proper subset of all needed
# ??/??/11 cwa - added IBM Systems Director lwilogin
#########################################################################
#
# This file controls the PAM stacks for PAM enabled services.
# The format of each entry is as follows:
#
# <service_name> <module_type> <control_flag> <module_path> [module_options]
#
# Where:
# <service_name> is:
# The name of the PAM enabled service.
#
# <module_type> is one of:
# auth, account, password, session
#
# <control_flag> is one of:
# required, requisite, sufficient, optional
#
# <module_path> is:
# The path to the module. If the field does not begin with '/'
# then /usr/lib/security is prefixed for 32-bit services,
# /usr/lib/security/64/ is prefixed for 64-bit services.
# If the module path is specified as full path,then it
# directly uses for 32-bit services, for 64-bit services
# module path derived as <module_path>/64/<module_name>.
#
# [module_options] is:
# An optional field. Consult the specified modules documentation
# for valid options.
#
# The service name OTHER controls the behavior of services that are PAM
# enabled but do not have an explicit entry in this file.
#
#
# Authentication
#
ftp auth requisite /usr/lib/security/pam_permission
ftp auth required /usr/lib/security/pam_aix
imap auth required /usr/lib/security/pam_aix
login auth requisite /usr/lib/security/pam_permission
login auth required /usr/lib/security/pam_aix
rexec auth required /usr/lib/security/pam_aix
rlogin auth sufficient /usr/lib/security/pam_rhosts_auth
rlogin auth requisite /usr/lib/security/pam_permission
rlogin auth required /usr/lib/security/pam_aix
rsh auth required /usr/lib/security/pam_rhosts_auth
sshd auth requisite /usr/lib/security/pam_permission
sshd auth required /usr/lib/security/pam_aix
snapp auth required /usr/lib/security/pam_aix
su auth sufficient /usr/lib/security/pam_allowroot
su auth required /usr/lib/security/pam_aix
telnet auth requisite /usr/lib/security/pam_permission
telnet auth required /usr/lib/security/pam_aix
OTHER auth required /usr/lib/security/pam_prohibit
#
# Account Management
#
ftp account required /usr/lib/security/pam_aix
login account required /usr/lib/security/pam_aix
rexec account required /usr/lib/security/pam_aix
rlogin account required /usr/lib/security/pam_aix
rsh account required /usr/lib/security/pam_aix
sshd account required /usr/lib/security/pam_aix
su account sufficient /usr/lib/security/pam_allowroot
su account required /usr/lib/security/pam_aix
telnet account required /usr/lib/security/pam_aix
OTHER account required /usr/lib/security/pam_prohibit
#
# Password Management
#
login password required /usr/lib/security/pam_aix
passwd password required /usr/lib/security/pam_aix
rlogin password required /usr/lib/security/pam_aix
su password required /usr/lib/security/pam_aix
sshd password required /usr/lib/security/pam_aix
telnet password required /usr/lib/security/pam_aix
OTHER password required /usr/lib/security/pam_prohibit
#
# Session Management
#
ftp session required /usr/lib/security/pam_aix
imap session required /usr/lib/security/pam_aix
login session required /usr/lib/security/pam_aix
rexec session required /usr/lib/security/pam_aix
rlogin session required /usr/lib/security/pam_aix
rsh session required /usr/lib/security/pam_aix
snapp session required /usr/lib/security/pam_aix
sshd session required /usr/lib/security/pam_aix
su session required /usr/lib/security/pam_aix
telnet session required /usr/lib/security/pam_aix
# auto-make home directory
login session optional /usr/lib/security/pam_mkuserhome
rlogin session optional /usr/lib/security/pam_mkuserhome
telnet session optional /usr/lib/security/pam_mkuserhome
OTHER session required /usr/lib/security/pam_prohibit
#
#Entries for authexec
#
authexec auth required pam_aix
authexec account required pam_aix
authexec password required pam_aix
#
#
#
# websm
#
websm_rlogin auth sufficient /usr/lib/security/pam_rhosts_auth
websm_rlogin auth required /usr/lib/security/pam_aix use_new_state
websm_su auth sufficient /usr/lib/security/pam_aix
websm_su auth required /usr/lib/security/pam_aix
websm_rlogin account required /usr/lib/security/pam_aix mode=S_RLOGIN
websm_su account sufficient /usr/lib/security/pam_aix mode=S_SU
websm_su account required /usr/lib/security/pam_aix mode=S_SU
websm_rlogin password required /usr/lib/security/pam_aix use_new_state try_first_pass
websm_su password required /usr/lib/security/pam_aix try_first_pass
websm_rlogin session required /usr/lib/security/pam_aix
websm_su session required /usr/lib/security/pam_aix
#
#Entries for Systems Director
#
lwilogin auth required pam_aix
lwilogin account required pam_aix
lwilogin password required pam_aix
lwilogin session required pam_aix
#
# BuildForge agent
#
bfagent auth requisite /usr/lib/security/pam_permission
bfagent auth required pam_aix
bfagent account required pam_aix
wbem auth required /usr/lib/security/pam_aix
wbem account required /usr/lib/security/pam_aix
wbem password required /usr/lib/security/pam_aix
wbem session required /usr/lib/security/pam_aix
# Needed for new sudo (added 01/28/2022 JK)
#
sudo auth required /usr/lib/security/pam_aix
sudo account required /usr/lib/security/pam_aix
sudo password required /usr/lib/security/pam_aix
sudo session required /usr/lib/security/pam_aix
###
------------------------------
Joshua Krause
------------------------------
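Added example (editor's code, not part of this thread or of AIX): a small parser for the `<service> <type> <flag> <module_path> [options]` format described in the header above, plus a simulation of how the four control flags combine for one service's stack. The module outcomes passed to `run_stack` are hypothetical inputs, not the result of running the real modules; the semantics implemented are the usual PAM ones (requisite fails fast, required is remembered, sufficient short-circuits, optional counts only when alone) and the sample configuration is a constructed subset of the file posted above.

```python
"""Added example, not from the thread: parse an AIX-style /etc/pam.conf and
simulate how the control flags combine for one service stack."""
from dataclasses import dataclass

# Constructed subset of the stacks posted above; only the lines needed here.
SAMPLE_PAM_CONF = """\
sshd   auth     requisite  /usr/lib/security/pam_permission
sshd   auth     required   /usr/lib/security/pam_aix
su     auth     sufficient /usr/lib/security/pam_allowroot
su     auth     required   /usr/lib/security/pam_aix
imap   auth     required   /usr/lib/security/pam_aix
imap   session  required   /usr/lib/security/pam_aix
websm_rlogin password required pam_aix use_new_state try_first_pass
OTHER  auth     required   /usr/lib/security/pam_prohibit
OTHER  account  required   /usr/lib/security/pam_prohibit
OTHER  password required   /usr/lib/security/pam_prohibit
OTHER  session  required   /usr/lib/security/pam_prohibit
"""

TYPES = ("auth", "account", "password", "session")
FLAGS = ("required", "requisite", "sufficient", "optional")


@dataclass
class Entry:
    service: str
    mtype: str
    flag: str
    module: str          # basename only, e.g. pam_aix
    options: tuple


def parse_pam_conf(text):
    """Return Entry objects; '#' starts a comment, blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError(f"line {lineno}: expected at least 4 fields")
        service, mtype, flag, path, *opts = parts
        mtype, flag = mtype.lower(), flag.lower()
        if mtype not in TYPES or flag not in FLAGS:
            raise ValueError(f"line {lineno}: bad type/flag {mtype}/{flag}")
        # A bare name is resolved under /usr/lib/security (see the header),
        # so the basename is enough to identify the module.
        entries.append(Entry(service, mtype, flag, path.rsplit("/", 1)[-1], tuple(opts)))
    return entries


def stack_for(entries, service, mtype):
    """The service's own stack, else the OTHER catch-all for that type."""
    own = [e for e in entries if e.service == service and e.mtype == mtype]
    return own or [e for e in entries if e.service == "OTHER" and e.mtype == mtype]


def fallback_types(entries, service):
    """Module types for which the service has no entry and so inherits OTHER."""
    return [t for t in TYPES
            if not any(e.service == service and e.mtype == t for e in entries)]


def run_stack(stack, outcomes):
    """Simulate one pass through a stack.

    outcomes maps module basename -> True/False for a hypothetical login;
    a module with no entry is treated as failing (pam_prohibit always fails).
    Returns (ok, trace); trace lists only the modules actually consulted,
    which is what matters when working out why a stack rejects a login.
    """
    trace, failed_required = [], False
    for e in stack:
        ok = outcomes.get(e.module, False)
        trace.append((e.module, e.flag, ok))
        if e.flag == "requisite" and not ok:
            return False, trace          # fail fast, later modules never run
        if e.flag == "required" and not ok:
            failed_required = True       # remembered, but keep going
        if e.flag == "sufficient" and ok and not failed_required:
            return True, trace           # short-circuit success
    if not trace:
        return False, trace
    if all(f == "optional" for _, f, _ in trace):
        return trace[-1][2], trace       # optional decides only when alone
    decisive_ok = any(ok for _, f, ok in trace if f in ("required", "sufficient"))
    return (not failed_required) and decisive_ok, trace


if __name__ == "__main__":
    conf = parse_pam_conf(SAMPLE_PAM_CONF)
    # If the requisite pam_permission denies, pam_aix is never consulted,
    # so the password itself is never checked on this path.
    print(run_stack(stack_for(conf, "sshd", "auth"),
                    {"pam_permission": False, "pam_aix": True}))
    print(run_stack(stack_for(conf, "su", "auth"),
                    {"pam_allowroot": True, "pam_aix": False}))
    print("imap inherits OTHER (pam_prohibit) for:", fallback_types(conf, "imap"))
```

The trace is the useful part: when a stack rejects a login, it tells you which module returned the failure and which modules never ran at all, and `fallback_types` shows which services silently inherit the `OTHER ... pam_prohibit` catch-all for a module type they do not define.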
Original Message:
Sent: Fri September 22, 2023 11:21 AM
From: Stephen Ulmer
Subject: Local and LDAP users failing: password authentication failed
This is likely the PAM configuration, though there is a remote chance that sshd isn't handing PAM the correct information...
Can you send us the PAM config?
--
Stephen L. Ulmer
Enterprise Architect
Mainline Information Systems
Original Message:
Sent: 9/22/2023 10:38:00 AM
From: Joshua Krause
Subject: Local and LDAP users failing: password authentication failed
I have an AIX 7.2 server that we use as a gold image server. I was going through some CIS Benchmark settings dealing with the "Default" values and ended up losing access. Luckily I have a user with an SSH key on the box so I was able to get back in. I am having an issue trying to see what is causing my issue and was leaning towards the community for assistance.
/etc/security/login.cfg
default:
        sak_enabled = false
        logintimes =
        logindisable = 0
        logininterval = 0
        loginreenable = 0
        logindelay = 10
        herald = "\r\n NOTICE:\r\n\r\n Access to this computer system/network and the information on it is the\r\n property of The Huntington and is intended only for employees and other\r\n users properly authorized by The Huntington. It is to be accessed only\r\n for proper business purposes in accordance with Huntington Policies,\r\n Standards and Guidelines. Unauthorized access or improper use of this\r\n system/network and the information on it will be cause for disciplinary\r\n action, up to and including termination and may be a criminal offense\r\n resulting in criminal prosecution and/or civil liability.\r\n\r\nlogin: "
*/dev/console:
*       synonym = /dev/tty0
usw:
        auth_type = PAM_AUTH
        logintimeout = 30
        maxlogins = 32767
        mkhomeatlogin = true
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappd,/usr/bin/bash,/bin/hnbdefaultshell,/usr/bin/hnbdefaultshell,/uv/bin/uv
        pwd_algorithm = ssha256
        unix_passwd_compat = true
        logindelay = 10
Not sure what other data I need to provide. Here is output in the logging with an attempt from ldap and/or local user:
LOCAL USER
(utaecegdi7200.hban.us:/)# cat /var/adm/syslog | grep ecetestuser
Sep 22 10:30:09 utaecegdi7200 auth|security:debug sshd[12452152]: debug1: userauth-request for user ecetestuser service ssh-connection method none [preauth]
Sep 22 10:30:09 utaecegdi7200 auth|security:debug sshd[12452152]: debug1: PAM: initializing for "ecetestuser"
Sep 22 10:30:09 utaecegdi7200 auth|security:debug sshd[12452152]: debug1: userauth-request for user ecetestuser service ssh-connection method keyboard-interactive [preauth]
Sep 22 10:30:09 utaecegdi7200 auth|security:debug sshd[12452152]: debug1: auth2_challenge: user=ecetestuser devs= [preauth]
Sep 22 10:30:09 utaecegdi7200 auth|security:err|error sshd[12452152]: error: PAM: Authentication failed for ecetestuser from 10.176.12.209
Sep 22 10:30:09 utaecegdi7200 auth|security:err|error sshd[12452152]: error: PAM: Authentication failed for ecetestuser from 10.176.12.209
Sep 22 10:30:09 utaecegdi7200 auth|security:info sshd[12452152]: Failed keyboard-interactive/pam for ecetestuser from 10.176.12.209 port 33027 ssh2
Sep 22 10:30:19 utaecegdi7200 auth|security:info syslog: ssh: failed login attempt for ecetestuser from 10.176.12.209
Sep 22 10:30:19 utaecegdi7200 auth|security:debug sshd[12452152]: debug1: audit event euid 0 user ecetestuser event 5 (SSH_failkbdint)
Sep 22 10:30:19 utaecegdi7200 auth|security:debug sshd[12452152]: debug1: userauth-request for user ecetestuser service ssh-connection method password [preauth]
Sep 22 10:30:19 utaecegdi7200 auth|security:debug sshd[12452152]: debug1: PAM: password authentication failed for ecetestuser: Authentication failed
Sep 22 10:30:19 utaecegdi7200 auth|security:info sshd[12452152]: Failed password for ecetestuser from 10.176.12.209 port 33027 ssh2
Sep 22 10:30:39 utaecegdi7200 auth|security:info syslog: ssh: failed login attempt for ecetestuser from 10.176.12.209
Sep 22 10:30:39 utaecegdi7200 auth|security:debug sshd[12452152]: debug1: audit event euid 0 user ecetestuser event 4 (SSH_failpasswd)
Sep 22 10:30:39 utaecegdi7200 auth|security:info sshd[12452152]: Connection closed by authenticating user ecetestuser 10.176.12.209 port 33027 [preauth]
Sep 22 10:30:39 utaecegdi7200 auth|security:debug sshd[12452152]: debug1: audit event euid 0 user ecetestuser event 12 (SSH_connabndn)
LDAP USER
Sep 22 10:22:46 utaecegdi7200 auth|security:debug sshd[12583390]: debug1: audit event euid 0 user eceunix04uttap event 0 (SSH_exceedmtrix)
Sep 22 10:22:46 utaecegdi7200 auth|security:debug sshd[12583390]: debug1: audit event euid 0 user eceunix04uttap event 12 (SSH_connabndn)
Sep 22 10:24:24 utaecegdi7200 auth|security:debug sshd[13697306]: debug1: userauth-request for user eceunix04uttap service ssh-connection method none [preauth]
Sep 22 10:24:24 utaecegdi7200 auth|security:debug sshd[13697306]: debug1: PAM: initializing for "eceunix04uttap"
Sep 22 10:24:24 utaecegdi7200 auth|security:debug sshd[13697306]: debug1: userauth-request for user eceunix04uttap service ssh-connection method keyboard-interactive [preauth]
Sep 22 10:24:24 utaecegdi7200 auth|security:debug sshd[13697306]: debug1: auth2_challenge: user=eceunix04uttap devs= [preauth]
Sep 22 10:24:24 utaecegdi7200 auth|security:err|error sshd[13697306]: error: PAM: Authentication failed for eceunix04uttap from 10.176.12.209
Sep 22 10:24:24 utaecegdi7200 auth|security:err|error sshd[13697306]: error: PAM: Authentication failed for eceunix04uttap from 10.176.12.209
Sep 22 10:24:24 utaecegdi7200 auth|security:info sshd[13697306]: Failed keyboard-interactive/pam for eceunix04uttap from 10.176.12.209 port 33005 ssh2
Sep 22 10:24:24 utaecegdi7200 auth|security:info syslog: ssh: failed login attempt for eceunix04uttap from 10.176.12.209
Sep 22 10:24:24 utaecegdi7200 auth|security:debug sshd[13697306]: debug1: audit event euid 0 user eceunix04uttap event 5 (SSH_failkbdint)
Sep 22 10:24:25 utaecegdi7200 auth|security:debug sshd[13697306]: debug1: userauth-request for user eceunix04uttap service ssh-connection method password [preauth]
Sep 22 10:24:25 utaecegdi7200 auth|security:debug sshd[13697306]: debug1: PAM: password authentication failed for eceunix04uttap: Authentication failed
Sep 22 10:24:25 utaecegdi7200 auth|security:info sshd[13697306]: Failed password for eceunix04uttap from 10.176.12.209 port 33005 ssh2
Sep 22 10:24:25 utaecegdi7200 auth|security:info syslog: ssh: failed login attempt for eceunix04uttap from 10.176.12.209
Sep 22 10:24:25 utaecegdi7200 auth|security:debug sshd[13697306]: debug1: audit event euid 0 user eceunix04uttap event 4 (SSH_failpasswd)
Sep 22 10:24:26 utaecegdi7200 auth|security:info sshd[13697306]: Connection closed by authenticating user eceunix04uttap 10.176.12.209 port 33005 [preauth]
Sep 22 10:24:26 utaecegdi7200 auth|security:debug sshd[13697306]: debug1: audit event euid 0 user eceunix04uttap event 12 (SSH_connabndn)
------------------------------
Joshua Krause
------------------------------
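Added example (editor's code, not from this thread): a reducer for sshd/PAM syslog lines in the format posted above. It collects, per user, the methods requested, the methods sshd reported as failed, the PAM failure messages and the AIX audit event names, then applies a heuristic that is an assumption of this example and not a rule from the thread: when several distinct users are rejected by PAM on every interactive method they try, the rejection is more likely to sit in the PAM stack than in the credentials. The log lines are constructed to mirror the posted format; the host, users and addresses are placeholders.

```python
"""Added example, not from the thread: per-user summary of sshd/PAM failures
from syslog lines in the format posted above."""
import re
from collections import defaultdict

# Constructed lines mirroring the posted format (placeholder host/users/IPs).
SAMPLE_LOG = """\
Sep 22 10:30:09 host1 auth|security:debug sshd[12452152]: debug1: userauth-request for user alice service ssh-connection method none [preauth]
Sep 22 10:30:09 host1 auth|security:debug sshd[12452152]: debug1: PAM: initializing for "alice"
Sep 22 10:30:09 host1 auth|security:debug sshd[12452152]: debug1: userauth-request for user alice service ssh-connection method keyboard-interactive [preauth]
Sep 22 10:30:09 host1 auth|security:err|error sshd[12452152]: error: PAM: Authentication failed for alice from 192.0.2.10
Sep 22 10:30:09 host1 auth|security:info sshd[12452152]: Failed keyboard-interactive/pam for alice from 192.0.2.10 port 33027 ssh2
Sep 22 10:30:19 host1 auth|security:debug sshd[12452152]: debug1: audit event euid 0 user alice event 5 (SSH_failkbdint)
Sep 22 10:30:19 host1 auth|security:debug sshd[12452152]: debug1: userauth-request for user alice service ssh-connection method password [preauth]
Sep 22 10:30:19 host1 auth|security:debug sshd[12452152]: debug1: PAM: password authentication failed for alice: Authentication failed
Sep 22 10:30:19 host1 auth|security:info sshd[12452152]: Failed password for alice from 192.0.2.10 port 33027 ssh2
Sep 22 10:30:39 host1 auth|security:debug sshd[12452152]: debug1: audit event euid 0 user alice event 4 (SSH_failpasswd)
Sep 22 10:31:02 host1 auth|security:debug sshd[12583390]: debug1: userauth-request for user bob service ssh-connection method keyboard-interactive [preauth]
Sep 22 10:31:02 host1 auth|security:err|error sshd[12583390]: error: PAM: Authentication failed for bob from 192.0.2.10
Sep 22 10:31:02 host1 auth|security:info sshd[12583390]: Failed keyboard-interactive/pam for bob from 192.0.2.10 port 33100 ssh2
Sep 22 10:31:03 host1 auth|security:debug sshd[12583390]: debug1: userauth-request for user bob service ssh-connection method password [preauth]
Sep 22 10:31:03 host1 auth|security:info sshd[12583390]: Failed password for bob from 192.0.2.10 port 33100 ssh2
Sep 22 10:31:03 host1 auth|security:debug sshd[12583390]: debug1: audit event euid 0 user bob event 4 (SSH_failpasswd)
Sep 22 10:32:00 host1 auth|security:info sshd[12600000]: Accepted publickey for carol from 192.0.2.11 port 33200 ssh2
"""

PREFIX = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+ "
                    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
REQ = re.compile(r"userauth-request for user (\S+) service ssh-connection method (\S+)")
PAMFAIL = re.compile(r"PAM: Authentication failed for (\S+) from (\S+)")
PAMPWFAIL = re.compile(r"PAM: password authentication failed for (\S+):")
FAILED = re.compile(r"Failed (\S+) for (\S+) from (\S+) port (\d+)")
ACCEPT = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port (\d+)")
AUDIT = re.compile(r"audit event euid \d+ user (\S+) event \d+ \((\w+)\)")


def _new_user():
    return {"methods": set(), "failed": set(), "accepted": set(),
            "pam_failures": 0, "audit": set(), "sources": set(), "pids": set()}


def summarize(text):
    """Fold sshd syslog lines into one record per user name."""
    users = defaultdict(_new_user)
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue                      # not an sshd line (e.g. bare syslog:)
        msg, pid = m["msg"], m["pid"]
        if (r := REQ.search(msg)):
            users[r[1]]["methods"].add(r[2]); users[r[1]]["pids"].add(pid)
        elif (r := PAMFAIL.search(msg)):
            users[r[1]]["pam_failures"] += 1; users[r[1]]["sources"].add(r[2])
        elif (r := PAMPWFAIL.search(msg)):
            users[r[1]]["pam_failures"] += 1
        elif (r := FAILED.search(msg)):
            # "keyboard-interactive/pam" -> "keyboard-interactive"
            users[r[2]]["failed"].add(r[1].split("/")[0]); users[r[2]]["sources"].add(r[3])
        elif (r := ACCEPT.search(msg)):
            users[r[2]]["accepted"].add(r[1]); users[r[2]]["sources"].add(r[3])
        elif (r := AUDIT.search(msg)):
            users[r[1]]["audit"].add(r[2])
    return dict(users)


def stack_level_rejection(summary, min_users=2):
    """Heuristic (this example's assumption): users whose every interactive
    method drew a PAM failure and who were never accepted. Returns them only
    when at least min_users are affected, since one user failing everything
    is also what a wrong password looks like."""
    hits = []
    for user, s in summary.items():
        tried = s["methods"] - {"none", "publickey"}
        if tried and tried <= s["failed"] and s["pam_failures"] and not s["accepted"]:
            hits.append(user)
    return sorted(hits) if len(hits) >= min_users else []


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for user, s in summary.items():
        print(user, sorted(s["failed"]), s["pam_failures"], sorted(s["audit"]))
    print("possible stack-level rejection:", stack_level_rejection(summary))
```

The bare `syslog: ssh: failed login attempt` lines in the posted output carry no pid and are deliberately skipped; everything needed is already on the `sshd[pid]:` lines. The audit event names (`SSH_failkbdint`, `SSH_failpasswd`, `SSH_connabndn`) are kept as-is so they can be matched against the AIX audit trail later.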