Unable to log in with one local account

Leap 42.2

I have a really odd issue. There is one user who can’t log in. The account used to be able to log into the console and ssh but neither works now.

Logging into console: “Incorrect password, please try again”
I reset the password via the root account several times with no effect.

Logging in over SSH: “Received disconnect from x.x.x.x port 22:2: Too many authentication failures”
I chased my tail on this one. I don’t think it’s a pki problem because it actually gets to the password prompt then fails after entering the password. (output is below)

Other users with the exact same permissions can console and SSH like usual.

I verified the account is not locked or disabled.

I reset the pam tally

I deleted the entire account and its home directory, and re-added it.

Any other suggestions?

Output from the failed SSH login attempt:

bobbyhood@XXX:~> ssh XXX@XXX -v
OpenSSH_7.2p2, OpenSSL 1.0.2j-fips  26 Sep 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 25: Applying options for *
debug1: Connecting to XXX [XXX.XXX.XXX.XXX] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/bobbyhood/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/bobbyhood/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/bobbyhood/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/bobbyhood/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/bobbyhood/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/bobbyhood/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/bobbyhood/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/bobbyhood/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to XXX:22 as 'XXX'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256@libssh.org need=64 dh_need=64
debug1: kex: curve25519-sha256@libssh.org need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:XXX
debug1: Host 'XXX' is known and matches the ECDSA host key.
debug1: Found key in /home/bobbyhood/.ssh/known_hosts:24
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
                        ****USAGE WARNING****

This is a private computer system. This computer system, including all
related equipment, networks, and network devices (specifically including
Internet access) are provided only for authorized use. This computer system
may be monitored for all lawful purposes, including to ensure that its use
is authorized, for management of the system, to facilitate protection against
unauthorized access, and to verify security procedures, survivability, and
operational security. Monitoring includes active attacks by authorized entities
to test or verify the security of this system. During monitoring, information
may be examined, recorded, copied and used for authorized purposes. All
information, including personal information, placed or sent over this system
may be monitored.

Use of this computer system, authorized or unauthorized, constitutes consent
to monitoring of this system. Unauthorized use may subject you to criminal
prosecution. Evidence of unauthorized use collected during monitoring may be
used for administrative, criminal, or other adverse action. Use of this system
constitutes consent to monitoring for these purposes.

debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/bobbyhood/.ssh/id_rsa
debug1: Trying private key: /home/bobbyhood/.ssh/id_dsa
debug1: Trying private key: /home/bobbyhood/.ssh/id_ecdsa
debug1: Trying private key: /home/bobbyhood/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
Password:  
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Authentications that can continue: publickey,keyboard-interactive
Received disconnect from XXX.XXX.XXX.XXX port 22:2: Too many authentication failures
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to XXX ([XXX.XXX.XXX.XXX]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: channel 0: free: client-session, nchannels 1
Connection to XXX closed by remote host.
Connection to XXX closed.
Transferred: sent 1932, received 2824 bytes, in 0.0 seconds
Bytes per second: sent 5635184.5, received 8236936.4
debug1: Exit status -1
bobbyhood@XXX:~> 

Output from another account’s successful login attempt:

bobbyhood@XXX:/> ssh XXX@XXX -v
OpenSSH_7.2p2, OpenSSL 1.0.2j-fips  26 Sep 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 25: Applying options for *
debug1: Connecting to XXX [XXX.XXX.XXX.XXX] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/bobbyhood/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/bobbyhood/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/bobbyhood/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/bobbyhood/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/bobbyhood/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/bobbyhood/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/bobbyhood/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/bobbyhood/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to XXX:22 as 'XXX'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256@libssh.org need=64 dh_need=64
debug1: kex: curve25519-sha256@libssh.org need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:nKdZX8975JkliEtbbrGfZi+AZLXJnoYjQ1uGNe4MEmo
debug1: Host 'XXX' is known and matches the ECDSA host key.
debug1: Found key in /home/bobbyhood/.ssh/known_hosts:24
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
                        ****USAGE WARNING****

This is a private computer system. This computer system, including all
related equipment, networks, and network devices (specifically including
Internet access) are provided only for authorized use. This computer system
may be monitored for all lawful purposes, including to ensure that its use
is authorized, for management of the system, to facilitate protection against
unauthorized access, and to verify security procedures, survivability, and
operational security. Monitoring includes active attacks by authorized entities
to test or verify the security of this system. During monitoring, information
may be examined, recorded, copied and used for authorized purposes. All
information, including personal information, placed or sent over this system
may be monitored.

Use of this computer system, authorized or unauthorized, constitutes consent
to monitoring of this system. Unauthorized use may subject you to criminal
prosecution. Evidence of unauthorized use collected during monitoring may be
used for administrative, criminal, or other adverse action. Use of this system
constitutes consent to monitoring for these purposes.

debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/bobbyhood/.ssh/id_rsa
debug1: Trying private key: /home/bobbyhood/.ssh/id_dsa
debug1: Trying private key: /home/bobbyhood/.ssh/id_ecdsa
debug1: Trying private key: /home/bobbyhood/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
Password:  
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to XXX ([XXX.XXX.XXX.XXX]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
Last login: Tue Apr  3 15:11:41 2018 from 192.168.240.200
Have a lot of fun...
XXX@XXX:~>

Try deleting the keys for that user, then recreate them. Can’t think of any other solution.

Another thing: you’re running 42.2 which is out of maintenance and support. Consider upgrading to 42.3, this apart from your current issues.

Upgrading is on the to-do list.

I just discovered the same thing happens to all new users I create.

As you say that that user can not log in from the local console, we can rule out any connection with SSH IMHO (SSH only shows what you already knew, the user can not log in because the password does not seem to be alright).

You say it happens with all newly created users. The obvious question is then: how do you create them?

Also showing the entry in /etc/passwd of such a user may show something.

Using yast to create them and add to sudo. This is the passwd entry of the user that could log in but can’t now (of course I have deleted and re-added it):

webadmin:x:1001:100:Web Admin:/home/webadmin:/bin/bash

Here’s a new test user with the same issue:

testuser:x:1002:100:testuser:/home/testuser:/bin/bash

Edit: Using the Yast gui while logged in to console as root


First thoughts
Is the numerical UserID out of range for a login account? Do new users have a default shell specified?

A default shell (/bin/bash) is specified and it’s using the UID range starting at 1000.

As you show in the /etc/passwd entries. I do not see any peculiarities there. But we have to try everything for this strange problem, I am afraid.

BTW, what do you mean by “add to sudo”?

Another thought. Can you post

ls -ld /etc/shadow

to see if the ownership permissions are correct? (But I doubt this is it, because some users seem to be OK).

I mean I make the user a sudoer through Yast as well, but that doesn’t seem to matter anyway.

-rw-r----- 1 root shadow 1123 Apr  4 14:02 /etc/shadow

As root, try the commands:


getent passwd user
getent shadow user

where you replace “user” by the appropriate value. The first of those two commands doesn’t actually need root.

Assuming one of these fails, it will tell you which database is messed up. Sometimes what might look like a trivial error, such as a missing “:” or an extra “:” can cause problems.
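
The field-count problem described above (a missing or extra ":") can also be checked mechanically. This is an added example, not something posted in the thread: check_account_db is a hypothetical helper, the sample paths in the usage note are the standard local files, and the UID >= 1000 cut-off for "login account" is an assumption taken from the UID range mentioned earlier in the thread. It only reads local files, so accounts served by other NSS sources still need getent.

```shell
#!/bin/sh
# check_account_db PASSWD_FILE SHADOW_FILE
# Prints one finding per line; prints nothing when both files look sane.
check_account_db() {
    awk -F: '
    # passwd(5): exactly 7 colon-separated fields per line.
    kind == "passwd" {
        if (NF != 7) {
            printf "passwd:%d: %s: %d fields, expected 7\n", FNR, $1, NF
            next
        }
        uid[$1] = $3
        if ($2 == "x") need[$1] = FNR     # password lives in shadow
        next
    }
    # shadow(5): exactly 9 colon-separated fields per line.
    {
        seen[$1] = 1
        if (NF != 9) {
            printf "shadow:%d: %s: %d fields, expected 9\n", FNR, $1, NF
            next
        }
        # Assumed threshold: UIDs from 1000 up are interactive logins.
        login = (($1 in uid) && uid[$1] + 0 >= 1000)
        if ($2 == "")
            printf "shadow:%d: %s: empty password field\n", FNR, $1
        else if ($2 ~ /^[!*]/) {
            # Normal for system accounts, so only flag login accounts.
            if (login)
                printf "shadow:%d: %s: password locked or disabled\n", FNR, $1
        } else if ($2 !~ /^\$[0-9a-z]+\$[^$]+\$.+/)
            printf "shadow:%d: %s: hash not in $id$salt$hash form\n", FNR, $1
    }
    END {
        # Accounts that point at shadow ("x") but have no entry there.
        for (u in need)
            if (!(u in seen))
                printf "passwd:%d: %s: no shadow entry\n", need[u], u
    }' kind=passwd "$1" kind=shadow "$2"
}

# Run directly when called with two file arguments.
if [ "$#" -eq 2 ]; then
    check_account_db "$1" "$2"
fi
```

Run as root with `check_account_db /etc/passwd /etc/shadow`; no output means the field layout, lock state and passwd-to-shadow mapping passed these checks.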

Don’t understand that, but indeed most probably has nothing to do with your problem. So I won’t go off-topic.

Looks fine.

Go for some sleep now. Sometimes during the night solutions drift to the surface of the mind ;).
In the meantime, others may have better suggestions than I have.

Did you try a very simple password (like aaa, just for the test)?
Are the encrypted passwords of the new users in /etc/shadow? They should all be of the same length (that is what I thought, but I see now that root has a much longer one).

webadmin:x:1001:100:Web Admin:/home/webadmin:/bin/bash
webadmin:$6$xNmVsQoH6Z4X$8rQ355434DxBNmcasWvjPRijHM/taWERft.1w.V.FVN4xMgnTgiQ9mx4j1ZYNmDq96CI1Dk3fnUMYbP6by6UQ0:17624:0:99999:7:::

@hcvv: I did try a simple password just to test

Edit: I didn’t know if you wanted to see those, but obviously there were no errors with those commands

No, I didn’t need to see them. They look okay anyway.