AnsweredAssumed Answered

Configuring sshd for authentication on RHEL6, seeing access denied and no supported auth methods

Question asked by Alok Sharma on Jan 24, 2019

I'm trying to configure sshd for rsa authentication on RHES 6. su authentication with rsa tokens works fine. I have modified sshd_config, as well as /etc/pam.d/sshd - but I get errors of access denied or no supported authentication methods when I ssh to this

 

$OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

 

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

 

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

 

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

 

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

 

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

 

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

 

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

 

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

 

# Authentication:

 

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

 

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys
#AuthorizedKeysCommand none

 

 For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

 

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no

 

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication yes

 

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

 

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

 

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

 

 

 

 

 

 

 

[root@am8-linux1 pam.d]# more /etc/pam.d/sshd
#%PAM-1.0
auth    required        pam_stack.so service=system-auth
auth    required        pam_securid.so
auth    required        pam_nologin.so
#auth      required     pam_sepermit.so
#auth       include      password-auth
#account    required     pam_nologin.so
#account    include      password-auth
account required        pam_stack.so service=system-auth
password        required        pam_stack.so service=system-auth
#password   include      password-auth
# pam_selinux.so close should be the first session rule
#session    required     pam_selinux.so close
session required        pam_stack.so service=system-auth
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
#session    required     pam_selinux.so open env_params
#session    optional     pam_keyinit.so force revoke
#session    include      password-auth

Outcomes