This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

Authentication Failed for PAM Agent using SSH for Active Directory Users

Article Number

000068148

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for PAM
O/S Version: RHEL

Issue

When a user authenticates using PAM with the RSA Token or a Fixed Passcode, the authentication attempt fails.

Cause

The Root Cause of the issue is in the connection between the LDAP and the Linux machines when checking the sssd configuration using the realm list found that the Users login format is %U@mydomain.local 
  
 realm list
example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@example.com
  login-policy: allow-realm-logins

From  /var/log/secure logs, user will be seen as an invalid user as shown for rsatest user
  
Mar 28 01:16:25 pam sshd[6769]: Invalid user rsatest from ::1 port 52404
Mar 28 01:16:25 pam sshd[6769]: Postponed keyboard-interactive for invalid user rsatest from ::1 port 52404 ssh2 [preauth]
Mar 28 01:16:28 pam sshd[6772]: pam_unix(sshd:auth): check pass; user unknown
Mar 28 01:16:28 pam sshd[6772]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1
Mar 28 01:16:28 pam sshd[6769]: Postponed keyboard-interactive/pam for invalid user rsatest from ::1 port 52404 ssh2 [preauth]
Mar 28 01:16:52 pam sshd[6769]: error: PAM: Authentication failure for illegal user rsatest from ::1
Mar 28 01:16:52 pam sshd[6769]: Failed keyboard-interactive/pam for invalid user rsatest from ::1 port 52404 ssh2
Mar 28 01:16:52 pam sshd[6769]: Postponed keyboard-interactive for invalid user rsatest from ::1 port 52404 ssh2 [preauth]

 

Resolution

When checking the sssd configuration with the realm list found that:
the login-formats was  %U@mydomain.local.  modified it to %U, the authentication became successful.
  • cd /etc/sssd
  • vim sssd.conf
  • Change the login format: use_fully_qualified_names = True to False.
  • Restart sssd services > systemctl restart sssd.service
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2023-04-05 09:18 AM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.