Disclaimer: This article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.
Problem description
When you use SSH to connect to a Linux ECS instance, the logon fails even though you enter the correct password. The same failure can occur when you log on through the management terminal (VNC console). Errors similar to the following are also found in the secure log (/var/log/secure on CentOS):
sshd[1199]: pam_listfile(sshd:auth): Refused user root for service sshd
sshd[1199]: Failed password for root from 192.X.X.1 port 22 ssh2
sshd[1204]: Connection closed by 192.X.X.2
Cause
An access control policy enforced by the PAM module pam_listfile.so refuses the user by name (a user whitelist in this case), so the logon fails whatever password is entered. The "pam_listfile(sshd:auth): Refused user root for service sshd" line in the secure log is this module's message.
Solution
Alibaba Cloud reminds you that:
Before you perform operations that may cause risks, such as modifying instance configurations or data, we recommend that you check the disaster recovery and fault tolerance capabilities of the instances to ensure data security.
If you modify the configurations and data of instances including but not limited to ECS and RDS instances, we recommend that you create snapshots or enable RDS log backup.
If you have authorized or submitted security information such as the logon account and password in the Alibaba Cloud Management console, we recommend that you modify such information in a timely manner.
PAM modules control access to Linux services. To resolve this issue, check the PAM configuration as follows. The configurations and descriptions in this article were tested on CentOS 6.5 64-bit; other operating systems may differ, so also consult their official documentation.
Log on to the instance (if SSH is refused, try the management terminal, whose logon uses /etc/pam.d/login rather than /etc/pam.d/sshd) and view the PAM configuration files with cat or a similar command. The following table describes the files.
File                       Features
/etc/pam.d/login           Configuration file for console (management terminal) logons
/etc/pam.d/sshd            Configuration file for SSH logons
/etc/pam.d/system-auth     System-wide configuration file
Check whether a line similar to the following is present in the file that corresponds to the failing logon type (for the secure log shown above, /etc/pam.d/sshd).
auth required pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail
These policies can improve server security, so back up the file before you modify it. The parameters of the rule are described as follows.
item: the type of object to match. Valid values: tty, user, rhost, ruser, group, and shell. The line above matches the user name.
sense: the action to take when the item is found in the file. Valid values: allow and deny. allow makes the file a whitelist (only listed items are accepted); deny makes it a blacklist (listed items are refused).
file: the full path of the list file, which contains one item per line.
onerr: the result to return when the module cannot evaluate the list, for example because the file cannot be opened. Valid values: succeed and fail; the default is fail.
With sense=allow and onerr=fail, as in the line above, any user that is not listed in /etc/ssh/whitelist is refused, and every user is refused if the file is missing or unreadable.
To disable the policy, use an editor such as vi to delete the line, or comment it out by adding # at the start, as shown below.
#auth required pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail
If you want to keep the whitelist policy, instead add the user name on its own line to the file named by the file parameter (/etc/ssh/whitelist), and make sure that file is a regular file that is not world-writable, because pam_listfile refuses a list it cannot trust.
Then log on to the server again and confirm that the logon succeeds and that the secure log no longer shows the pam_listfile refusal.
References
PAM (Pluggable Authentication Modules) is an authentication framework originally proposed by Sun. It separates the services provided by the system from the way those services authenticate users by providing a set of dynamically loaded modules and a unified API. System administrators can therefore configure different authentication methods for different services without changing the service programs, and new authentication methods can be added to the system easily.
Each PAM-enabled application has a configuration file of the same name in the /etc/pam.d directory. For example, the configuration file of the login command is /etc/pam.d/login. Policies for a service are configured in the corresponding file. For more information about pam_listfile, see the pam_listfile page of the official Linux-PAM documentation at linux-pam.org.
If the problem persists, see the guidelines for troubleshooting failure to remotely log on to a Linux instance through SSH for further troubleshooting and analysis.
Application scope
ECS