Ssh trouble with shadow information


Operating System: openSUSE MicroOS 20230626
KDE Plasma Version: 5.27.6
KDE Frameworks Version: 5.107.0
Qt Version: 5.15.10
Kernel Version: 6.3.9-1-default (64-bit)
Graphics Platform: X11
Processors: 8 × Intel® Core™ i7-6700K CPU @ 4.00GHz
Memory: 31.0 GiB of RAM
Graphics Processor: Mesa Intel® HD Graphics 530

sshd reports trouble with shadow information:

linux:~ # systemctl status sshd
● sshd.service - OpenSSH Daemon
     Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; preset: enabled)
     Active: active (running) since Wed 2023-06-28 04:22:25 UTC; 7min ago
    Process: 933 ExecStartPre=/usr/sbin/sshd-gen-keys-start (code=exited, status=0/SUCCESS)
    Process: 939 ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS (code=exited, status=0/SUCCESS)
   Main PID: 943 (sshd)
      Tasks: 1
        CPU: 116ms
     CGroup: /system.slice/sshd.service
             └─943 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

Jun 28 04:22:25 localhost sshd-gen-keys-start[933]: Checking for missing server keys in /etc/ssh
Jun 28 04:22:25 localhost sshd[943]: Server listening on port 22.
Jun 28 04:22:25 localhost sshd[943]: Server listening on :: port 22.
Jun 28 04:22:25 localhost systemd[1]: Started OpenSSH Daemon.
Jun 28 04:23:09 sshd[1851]: error: Could not get shadow information for karl
Jun 28 04:23:09 sshd[1851]: Failed password for karl from 2001:a62:1972:6f01:aa03:aa6d:58f:69c5 port 47564 ssh2
Jun 28 04:23:15 sshd[1851]: Connection closed by authenticating user karl 2001:a62:1972:6f01:aa03:aa6d:58f:69c5 port 47564 [preauth]
Jun 28 04:24:49 sshd[1871]: error: Could not get shadow information for root
Jun 28 04:24:50 sshd[1871]: Failed password for root from 2001:a62:1972:6f01:aa03:aa6d:58f:69c5 port 35148 ssh2
Jun 28 04:26:45 sshd[1871]: fatal: Timeout before authentication for 2001:a62:1972:6f01:aa03:aa6d:58f:69c5 port 35148
linux:~ # 

Any idea?

Seems that UsePAM in sshd_config is disabled…

@hui Hmm, not here…

  1. Self install image with combustion:
grep UsePAM /usr/etc/ssh/sshd_config
UsePAM yes
  2. MicroOS Aeon
grep UsePAM /usr/etc/ssh/sshd_config
UsePAM yes

Malcom, do you have the same errors as Karl?

@hui nope, I use a publickey though and a /etc/ssh/sshd_config.d/host.conf file for login…

So, your setting regarding UsePAM is from a properly maintained host.
As the use of “UsePAM no” can lead to the error messages which Karl sees, he should check if he has a proper maintenance and settings strategy for his infamous hosts :wink:

@hui yes, never touched the configs… bert & kermit are self installs with combustion, fozzie-bear and ernie are ISO image installs of Aeon, all bare-metal, not VMs… Now, these are not new installs…

Sorry, I spilled my coffee :rofl:


microos:~ # grep UsePAM /usr/etc/ssh/sshd_config
UsePAM yes
microos:~ # 

The above suggests UsePAM is enabled. microos is a pristine install on June 28. Made a single change and renamed the host from linux to microos:

microos:~ # hostnamectl
 Static hostname: microos
       Icon name: computer-desktop
         Chassis: desktop 🖥
      Machine ID: 0b347ab2a2e5422ca2039e31895e4807
         Boot ID: ddce663542054f508b718456dcfe2105
Operating System: openSUSE MicroOS                
     CPE OS Name: cpe:/o:opensuse:microos:20230627
          Kernel: Linux 6.3.9-1-default
    Architecture: x86-64
 Hardware Vendor: ASRock
  Hardware Model: Z170 Pro4S
Firmware Version: P7.50
   Firmware Date: Tue 2018-01-23
microos:~ # 

After installing I rsynced from host erlangen:

erlangen:~ # cat /etc/ssh/sshd_config
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
erlangen:~ # 

Upon restarting sshd on microos I got the errors shown in post #1. After appending the line UsePAM yes to /etc/ssh/sshd_config and restarting sshd, the trouble was gone.

The default configuration of ssh has worked properly for a decade on infamous host erlangen and its numerous siblings. It’s broken on microos. Tinkering required!

Still beta stuff

Good. So the problem is solved for you, isn't it?

It does not explain why sshd fails to access /etc/shadow.

For the sake of the archives - MicroOS defaults to SELinux in targeted enforcing mode. When UsePAM is enabled, the pam_unix module calls the unix_chkpwd binary, which is allowed to read /etc/shadow. Without PAM, sshd tries to read this file directly, which is prohibited by SELinux for its (sshd systemd service process) context.

If you start sshd within your root login session, which has an unconfined SELinux context, authentication succeeds.
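An added example, not part of any post in this thread: a small triage script that resolves the UsePAM value a given sshd_config yields and separates failed password logins preceded by the shadow lookup error from ordinary ones. The function names and the sample log are constructed for illustration; the config text is the one quoted from erlangen above, and Include directives are not followed.

```python
import re

# Constructed sample modelled on the journal lines in the thread (documentation IPv6 address).
SAMPLE_LOG = """\
Jun 28 04:23:09 sshd[1851]: error: Could not get shadow information for karl
Jun 28 04:23:09 sshd[1851]: Failed password for karl from 2001:db8::1 port 47564 ssh2
Jun 28 04:24:49 sshd[1871]: error: Could not get shadow information for root
Jun 28 04:24:50 sshd[1871]: Failed password for root from 2001:db8::1 port 35148 ssh2
Jun 28 04:30:02 sshd[1902]: Failed password for karl from 2001:db8::1 port 40000 ssh2
"""

# The three-line sshd_config copied from host erlangen, as quoted in the thread.
COPIED_CONFIG = "PermitRootLogin yes\nPasswordAuthentication yes\nX11Forwarding yes\n"

SHADOW_RE = re.compile(r"sshd\[(\d+)\]: error: Could not get shadow information for (\S+)")
FAILED_RE = re.compile(r"sshd\[(\d+)\]: Failed password for (?:invalid user )?(\S+) from")


def effective_usepam(config_text):
    """Return the UsePAM value sshd would use: the first occurrence wins,
    and upstream OpenSSH defaults to 'no' when the keyword is absent.
    Include directives are not followed (simplification)."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "usepam":
            return parts[1].strip().strip('"').lower()
    return "no"


def classify_failures(log_text):
    """Split failed password logins into those preceded, in the same sshd
    process, by a shadow lookup error and those that were not."""
    shadow_seen = set()
    config_induced, ordinary = [], []
    for line in log_text.splitlines():
        m = SHADOW_RE.search(line)
        if m:
            shadow_seen.add((m.group(1), m.group(2)))
            continue
        m = FAILED_RE.search(line)
        if m:
            key = (m.group(1), m.group(2))
            (config_induced if key in shadow_seen else ordinary).append(key)
    return config_induced, ordinary


if __name__ == "__main__":
    print(effective_usepam(COPIED_CONFIG), classify_failures(SAMPLE_LOG))
```

A failure in the first list means sshd never got to compare the password, so it points at configuration or policy rather than at a wrong password or a guessing attempt.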

Of course. If you do not understand it, it must be someone else's fault, what else can it be.

Chill down!