Visit Our UNIX and Linux User Community


Can't Log into Solaris 10 u10 due to Pam and DH errors


 
Thread Tools Search this Thread
Operating Systems Solaris Can't Log into Solaris 10 u10 due to Pam and DH errors
# 1  
Old 06-28-2014
Can't Log into Solaris 10 u10 due to Pam and DH errors

Dears,,
i hope everything is going fine with you,,

Yesterday i was trying to log into My Solaris 10 u10 x86 Via SSH , But it showing me many error message and refusing to login even with with the root account and below you can find the error message:

Code:
[root@home:~] # ssh -v root@192.168.10.1
Sun_SSH_1.1.4, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to 192.168.10.1 [192.168.10.1] port 22.
debug1: Connection established.
debug1: identity file /export/home/root/.ssh/identity type -1
debug1: identity file /export/home/root/.ssh/id_rsa type -1
debug1: identity file /export/home/root/.ssh/id_dsa type -1
debug1: Logging to host: 192.168.10.1
debug1: Local user: root Remote user: root
debug1: Remote protocol version 2.0, remote software version Sun_SSH_1.1.5
debug1: match: Sun_SSH_1.1.5 pat Sun_SSH_1.1.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-Sun_SSH_1.1.4
debug1: use_engine is 'yes'
debug1: pkcs11 engine initialized, now setting it as default for RSA, DSA, and symmetric ciphers
debug1: pkcs11 engine initialization complete
debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible
Unknown code 0)
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
no common kex alg: client 'diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1', server 'gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g=='
debug1: Calling cleanup 0x807177a(0x0)

After google if found that i have to delete the /etc/ssh/ssh_host_*
So i logged into the system Via Fail safe > mounted the / to /a and deleted the ssh_hos_*

After reboot the machine i found there is another logs (also the diffie-hellman error still exist :

Code:
/usr/lib/security/pam_authtok_get.so.1 writable by group
/usr/lib/security/pam_dhkeys.so.1 writable by group

That's make me very confused, after more searching i found topic advising to check for the permission for the pam files, so loged into the system Via fail-safe and found out that all files taking full permission and i believe it's not good, below you can find the permission:

Code:
-rwxrwxrwx+

So i will be appreciated if you help me in this case is really it make me confused.

BR
Ahmed
# 2  
Old 06-29-2014
The package contents file shows the correct attributes
Code:
grep /usr/lib/security/
pam_authtok_get.so.1 /var/sadm/install/contents

Also compare the checksum
Code:
sum /usr/lib/security/
pam_authtok_get.so.1

And check the integrity of your core solaris
Code:
pkgchk SUNWcsu


Last edited by MadeInGermany; 06-29-2014 at 04:47 AM..
# 3  
Old 06-29-2014
Can you login as root (or any other account) if you don't use ssh? (or is the system configured not to allow that?)

Can you get to the console and do an ordinary root login from there?
# 4  
Old 06-29-2014
Hi MadeInGermany,,

Thanks for you reply and below you can find the output:

[IMG]Image[/IMG]
Thanks
Ahmed

---------- Post updated at 10:07 AM ---------- Previous update was at 10:04 AM ----------

Quote:
Originally Posted by hicksd8
Can you login as root (or any other account) if you don't use ssh? (or is the system configured not to allow that?)

Can you get to the console and do an ordinary root login from there?
Unfortunately i can't login with any user from ssh or console every time i try to login it show the DH error and the other also.

The only way to login is Via Fail safe.

Thanks you for your interest
Ahmed

Last edited by ieee99; 06-30-2014 at 10:43 AM..
# 5  
Old 06-29-2014
Hi Ahmed,

So you can't login as root even directly on the console (without SSH)!!!!

Have you, or someone else, edited /etc/passwd and/or /etc/shadow directly recently?

If so, display them to your screen and check very carefully the formatting.

For example, the root account information must be on the very first line. Just inserting a blank line at the beginning of /etc/passwd will screw up all logins.

Before we suggest anything else, do these files look alright?
All the fields in them correctly delimited, etc.

---------- Post updated at 06:04 PM ---------- Previous update was at 05:23 PM ----------

Please post the content of:

Code:
 
 /etc/pam.conf
  
 /etc/security/policy.conf

# 6  
Old 06-30-2014
The checksum of pam_authtok_get.so.1 is okay.
Reset all file permissions with

Code:
nawk '$NF=="SUNWcsl"' /var/sadm/install/contents | while read file ftype class perm owner group junk; do if [ "$ftype" != "s" ] && find "$file" -prune \! \( -user "$owner" -group "$group" -perm "$perm" \) | grep . >/dev/null; then echo chmod "$perm" "$file"; echo chown "$owner":"$group" "$file"; fi; done

To really execute, you can run the echoed commands in a shell. (Or pipe the whole loop to sh.)
# 7  
Old 06-30-2014
Case solved by pkgchk -R /a -fv

Thanks

Previous Thread | Next Thread

9 More Discussions You Might Find Interesting

1. Solaris

How to recover x86 Solaris 10 u10 boot record/grub menu overwritten by Debian 9?

I installed x86 Solaris 10 update 10 after Windows XP, later I removed xp and installed Debian 9 stretch on the same partition but, Debian couldn't find any other os so it deleted Solaris 10 grub or did something like that I couldn't got. I thought I would be able to recover the lost record by... (0 Replies)
Discussion started by: vectrum
0 Replies

2. Ubuntu

What is solution for this error "tar: Exiting with failure status due to previous errors"?

Does anyone know what is solution for this error ?tar: Exiting with failure status due to previous errors from last 3 days I am trying to take backup of home/user directory getting again and again same error please anyone give me solution (8 Replies)
Discussion started by: Akshay Hegde
8 Replies

3. Solaris

Solaris U10 - Crash OS

Hello, I an triyng to write an emergency procedure, and I need your help, or point of view. I trying to find a way to get connected to an U10 Sun Solaris by the serial port to be able to get access to the system to debug systeme crash before restarting the server. The SUN U10 does not... (3 Replies)
Discussion started by: Aswex
3 Replies

4. SuSE

PAM password change failed, pam error 20

Hi, I use a software which can create account on many system or application. One of resource which is managed by this soft his a server SUSE Linux Enterprise Server 10 (x86_64). patch level 3. This application which is an IBM application use ssh to launch command to create account in... (3 Replies)
Discussion started by: scabarrus
3 Replies

5. Solaris

Solaris and PAM Password policy

Hello All, I have Sun DSEE7 (11g) on Solaris 10. I have run idsconfig and initialized ldap client with profile created using idsconfig. My ldap authentication works. Here is my pam.conf # Authentication management # # login service (explicit because of pam_dial_auth) # login ... (3 Replies)
Discussion started by: pandu345
3 Replies

6. Solaris

SSH and PAM authentication issues on Solaris 10

This is a zone running Solaris 10u8 on a 6320 blade. The global zone is also running 10u8. One my users is attempting to change his password and getting a following screen: $ ssh remotesys Password: Warning: Your password has expired, please change it now. New Password: Re-enter new... (1 Reply)
Discussion started by: bluescreen
1 Replies

7. Solaris

Solaris 8 PAM question

How do we know if PAM is turned on? I think that there is no process or anything that we can check for. Anyway to ensure that rather than doing a configuration and "physical" testing on a machine? (5 Replies)
Discussion started by: incredible
5 Replies

8. Solaris

PAM, Solaris, Openssh and Forcing a password change

Here's the issue. Currently when I run passwd -f "username" on any account, when I try to login with said account I don't get prompted to change my password I just keep getting prompted to input a password. (Of course this works just fine with telnet)Is there something i need to add to... (7 Replies)
Discussion started by: woodson2
7 Replies

9. Programming

Not able to compile Pro*c file due - give errors and points to /usr/include/.. file

I am trying to compile the pro*C file but gives errors. It says it encountered "std" while it was expecting ; , = ( $ $ORACLE_HOME/bin/proc tradewind/dataaccess/Blob.pcc Pro*C/C++: Release 10.2.0.3.0 - Production on Fri May 9 11:10:54 2008 Copyright (c) 1982, 2005, Oracle. All rights... (0 Replies)
Discussion started by: shafi2all
0 Replies

Featured Tech Videos