Impossible to log in with SSH

What type of hardware are you using: Old laptop or computer
What YunoHost version are you running: 11.3.0
How are you able to access your server: SSH
Are you in a special context or did you perform specific tweaking on your YunoHost instance ?: no

Describe your issue

Hello,
I would like to log in with my “normal” user (i.e. not user “admin”) over SSH. My YunoHost was installed with a previous version (one with the “admin” user). I have already added my user (which is “joris”) to the admins group, but the SSH login doesn’t work. I’ve also regenerated the SSHD config file with yunohost tools regen-conf and there is no warning about SSH in my diagnosis.

In the SSH log, I’ve found the error:

nov. 19 23:06:36 sshd[1873]: User joris from [...] not allowed because none of user's groups are listed in AllowGroups

The groups of user “joris” are:

joris@jirem:~ $ groups
joris cdrom floppy audio dip video plugdev netdev

I’ve also done a test by creating another user “joris_test” and adding it to the admins group. In this case, I can log in via SSH and the groups are:

joris_test@jirem:~$ groups
joris_test admins all_users miniflux.main mail.main xmpp.main nextcloud.main vpnclient.main nextcloud.api snappymail.main

I don’t know what’s wrong with the user “joris” groups and I don’t know how to fix that. Can someone help me?

Share relevant logs or error messages

nov. 19 23:06:36 sshd[1873]: User joris from […] not allowed because none of user’s groups are listed in AllowGroups

You can try

sudo yunohost user group add admins joris
sudo yunohost user info joris
sudo yunohost user group list

There it is

admin@jirem:~ $ sudo yunohost user group add admins joris
Warning: User joris is already in group admins
Info: Nothing to change for group 'admins'
mail-aliases: 
  - root
  - admin
  - admins
  - webmaster
  - postmaster
  - abuse
members: 
  - joris
  - joris_test
  - admin
permissions: 
admin@jirem:~ $ sudo yunohost user info joris
fullname: Joris [...]
loginShell: /bin/bash
mail: joris@[...]
mail-aliases: 
mail-forward: 
mailbox-quota: 
  limit: No quota
  use: 9.5M
username: joris
admin@jirem:~ $ sudo yunohost user group list
groups: 
  admins: 
    members: 
      - joris
      - joris_test
      - admin
  all_users: 
    members: 
      - joris_test
      - joris
      - marianne
  visitors: 
    members: 

That doesn’t seem to have changed anything.

SSHD is still complaining:

nov. 20 08:00:14 sshd[13384]: User joris from [...] not allowed because none of user's groups are listed in AllowGroups
nov. 20 08:00:17 sshd[13384]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[...]  user=joris
nov. 20 08:00:17 sshd[13384]: pam_ldap(sshd:auth): Authentication failure; user=joris

And the groups of the user did not change:

joris@jirem:~ $ groups
joris cdrom floppy audio dip video plugdev netdev

What does the following return?

yunohost tools regen-conf ssh -n -d

One thing’s for sure, though: the admin user is supposed to be deleted once you’ve confirmed that you’re able to log in with your other admins group member. If you really want to keep the admin user for the long term, it’s better to delete it and recreate it. But first make sure that a user can still connect via SSH, and keep that terminal open.
I don’t understand! joris is in the admins group. And joris can’t find his group!

What I don’t understand is that logname= uid=0 euid=0 as if joris had root rights! Which is a security flaw.

Do you have a /var/lib/initscripts/nologin file on your machine?

Nothing is returned:

admin@jirem:~ $ sudo yunohost tools regen-conf ssh -n -d
admin@jirem:~ $ 

Yes, that’s what I’m trying to do.

I’m not sure this part of the log is really relevant:

joris@jirem:~ $ echo $UID $EUID
1000 1000

No, I don’t have nologin; there isn’t even an initscripts directory:

root@jirem:~# cd /var/lib/initscripts/
-bash: cd: /var/lib/initscripts/: No such file or directory

Something is not correctly configured with my user joris, but I don’t know what. For the record, this user was created before the YunoHost upgrade that introduced the admins group.

Do you have a /home/joris/.ssh folder?

No, I don’t. In fact, I was in the process of adding an SSH key when I discovered that I’m unable to log in over SSH with this account.

I may be wrong, but I don’t think the .ssh folder is mandatory. I should be able to log in anyway.

I think the key to the issue is the groups of the user joris, maybe something related to the LDAP configuration? Unfortunately I don’t have any knowledge of LDAP…

If I remember correctly, I created this account myself during the Debian installation, and then launched the YunoHost installer.

Did you change or reinstall your YunoHost instance?

No, just following upgrades.

Does yunohost tools regen-conf nsswitch --force solve the issue?

No that doesn’t change anything.

But I have an idea/question.

As I said, the user was created during the Debian installation, so it’s a local user.

Consider my local user list:

admin@jirem:~ $ cat /etc/passwd | grep joris
joris:x:1000:1000:joris,,,:/home/joris:/bin/bash

There is only my user joris, and not my newly created user joris_test.

If I query LDAP with getent:

admin@jirem:~ $ getent passwd | grep joris
joris:x:1000:1000:joris,,,:/home/joris:/bin/bash
joris:*:22872:22872:Joris [...]:/home/joris:/bin/bash
joris_test:*:42935:42935:Joris Test:/home/joris_test:/bin/bash

We can see that the login joris exists twice and the uid/gid are not the same.

It seems the first one takes precedence:

admin@jirem:~ $ getent passwd joris
joris:x:1000:1000:joris,,,:/home/joris:/bin/bash

So I think there is a mismatch between this local user with login joris and uid 1000 and the LDAP user joris with uid 22872.

What do you think?
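The situation described in this post (a local /etc/passwd account shadowing an LDAP account with the same login name, so the LDAP user's groups never reach sshd's AllowGroups check) can be detected with a small audit script. The following is an added example, not code from the thread or from YunoHost; the user names, UIDs and passwd lines are constructed sample data modelled on the output above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or YunoHost): find login names that exist
# both as local accounts in /etc/passwd and as entries from another NSS source
# (LDAP here) with a different UID. With "passwd: files ldap" in nsswitch.conf
# the local entry wins, so the LDAP user's supplementary groups (e.g. "admins")
# are invisible to sshd's AllowGroups check. All data below is constructed.

# Constructed sample of /etc/passwd (the local "files" source only).
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
joris:x:1000:1000:joris,,,:/home/joris:/bin/bash'

# Constructed sample of `getent passwd` output: files entries first, then LDAP.
NSS_PASSWD='root:x:0:0:root:/root:/bin/bash
joris:x:1000:1000:joris,,,:/home/joris:/bin/bash
joris:*:22872:22872:Joris Example:/home/joris:/bin/bash
joris_test:*:42935:42935:Joris Test:/home/joris_test:/bin/bash
marianne:*:31337:31337:Marianne Example:/home/marianne:/bin/bash'

# find_shadowed_accounts LOCAL_DATA MERGED_DATA
# Prints one line per shadowed login: "<name> local_uid=<n> other_uid=<m>".
# $1 = contents of /etc/passwd, $2 = merged NSS listing (getent passwd).
find_shadowed_accounts() {
    # Feed both listings through one awk run, separated by a marker line.
    { printf '%s\n' "$1"; echo '---'; printf '%s\n' "$2"; } | awk -F: '
        $0 == "---"  { in_merged = 1; next }
        !in_merged   { local_uid[$1] = $3; next }
        # In the merged listing, an entry whose name is also a local account
        # but whose UID differs comes from another source and is shadowed.
        ($1 in local_uid) && ($3 != local_uid[$1]) {
            printf "%s local_uid=%s other_uid=%s\n", $1, local_uid[$1], $3
        }'
}

# resolve_first NAME MERGED_DATA
# Mimics `getent passwd NAME`: prints the UID of the first matching entry,
# which is the one the system will actually use for login and group lookup.
resolve_first() {
    printf '%s\n' "$2" | awk -F: -v n="$1" '$1 == n { print $3; exit }'
}

# Run the audit against the live system (LDAP/NSS backend must be reachable).
audit_live_system() {
    find_shadowed_accounts "$(cat /etc/passwd)" "$(getent passwd)"
}

# Demonstration on the constructed data.
demo() {
    echo "Shadowed accounts:"
    find_shadowed_accounts "$LOCAL_PASSWD" "$NSS_PASSWD"
    echo "UID the system resolves for joris: $(resolve_first joris "$NSS_PASSWD")"
}

demo
```

On a real host, `audit_live_system` runs the same comparison against /etc/passwd and `getent passwd`; any line it prints names an account whose LDAP identity (and group memberships) is being masked by a stale local entry, which is exactly the condition that produces the "none of user's groups are listed in AllowGroups" message even though the LDAP user is in admins.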

So, I have found a solution.

I removed the local user with userdel joris. The LDAP user has not been touched by that.
See linux - How to convert local user to authenticate against LDAP directory? - Unix & Linux Stack Exchange

I ran into some problems with the group 1007, like in Premier utilisateur partiellement admins, ssh impossible.

I also had to reboot.

Now I can log in with my user, which is in the admins group, and I removed the admin user.

Thanks for the help!
