SSH key authentication login issue with PAM

Question

After setting up key authentication for SSH i'm having the following error :

ssh remoteHost System is going down. Connection to remoteHostAddress closed by remote host. Connection to remoteHostAddress closed. 

The ssh -vvv result:

ssh -vvv prod08 OpenSSH_7.2p2, LibreSSL 2.4.1 debug1: Reading configuration data /Users/adriendauchez/.ssh/config debug1: /Users/adriendauchez/.ssh/config line 1: Applying options for prod08 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 20: Applying options for * debug2: resolving "prod08.finansemble.fr" port 22 debug2: ssh_connect_direct: needpriv 0 debug1: Connecting to prod08.finansemble.fr [92.243.15.18] port 22. debug1: Connection established. debug1: identity file /Users/adriendauchez/.ssh/id_rsa type 1 debug1: key_load_public: No such file or directory debug1: identity file /Users/adriendauchez/.ssh/id_rsa-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.2 debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1 debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000 debug2: fd 3 setting O_NONBLOCK debug1: Authenticating to prod08.finansemble.fr:22 as 'finman' debug3: hostkeys_foreach: reading file "/Users/adriendauchez/.ssh/known_hosts" debug3: record_hostkey: found key type RSA in file /Users/adriendauchez/.ssh/known_hosts:12 debug3: load_hostkeys: loaded 1 keys from prod08.finansemble.fr debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent debug3: receive packet: type 20 debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: KEX algorithms: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c debug2: host key algorithms: [email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa,[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519 debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: compression ctos: none,[email protected],zlib debug2: compression stoc: none,[email protected],zlib debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug2: peer server KEXINIT proposal debug2: KEX algorithms: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: host key algorithms: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: compression ctos: none,[email protected] debug2: compression stoc: none,[email protected] debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: algorithm: [email protected] debug1: kex: host key algorithm: ssh-rsa debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none debug3: send packet: type 30 debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug3: receive packet: type 31 debug1: Server host key: ssh-rsa SHA256:kaUPG6K75V3HEen+o60LKipDVhVJatP/a1WAcoQK5Lc debug3: hostkeys_foreach: reading file "/Users/adriendauchez/.ssh/known_hosts" debug3: record_hostkey: found key type RSA in file /Users/adriendauchez/.ssh/known_hosts:12 debug3: load_hostkeys: loaded 1 keys from prod08.finansemble.fr debug3: hostkeys_foreach: reading file "/Users/adriendauchez/.ssh/known_hosts" debug3: record_hostkey: found key type RSA in file /Users/adriendauchez/.ssh/known_hosts:13 debug3: load_hostkeys: loaded 1 keys from 92.243.15.18 debug1: Host 'prod08.finansemble.fr' is known and matches the RSA host key. debug1: Found key in /Users/adriendauchez/.ssh/known_hosts:12 debug3: send packet: type 21 debug2: set_newkeys: mode 1 debug1: rekey after 134217728 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug3: receive packet: type 21 debug2: set_newkeys: mode 0 debug1: rekey after 134217728 blocks debug1: SSH2_MSG_NEWKEYS received debug2: key: /Users/adriendauchez/.ssh/id_rsa (0x7f8370700350), explicit, agent debug3: send packet: type 5 debug3: receive packet: type 6 debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug3: send packet: type 50 debug3: receive packet: type 51 debug1: Authentications that can continue: publickey,password,keyboard-interactive debug3: start over, passed a different list publickey,password,keyboard-interactive debug3: preferred publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Offering RSA public key: /Users/adriendauchez/.ssh/id_rsa debug3: send_pubkey_test debug3: send packet: type 50 debug2: we sent a publickey packet, wait for reply debug3: receive packet: type 60 debug1: Server accepts key: pkalg ssh-rsa blen 279 debug2: input_userauth_pk_ok: fp SHA256:ok0cG8G7pYSJlGM9L6pMsAJk6vmdLKYhX/pwkNps7zU debug3: sign_and_send_pubkey: RSA SHA256:ok0cG8G7pYSJlGM9L6pMsAJk6vmdLKYhX/pwkNps7zU debug3: send packet: type 50 debug3: receive packet: type 53 debug3: input_userauth_banner System is going down. debug1: Authentication succeeded (publickey). Authenticated to prod08.finansemble.fr ([92.243.15.18]:22). debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug2: channel 0: send open debug3: send packet: type 90 debug1: Requesting [email protected] debug3: send packet: type 80 debug1: Entering interactive session. debug1: pledge: network debug3: send packet: type 1 debug1: channel 0: free: client-session, nchannels 1 debug3: channel 0: status: The following connections are open: #0 client-session (t3 r-1 i0/0 o0/0 fd 6/7 cc -1) Connection to prod08.finansemble.fr closed by remote host. Connection to prod08.finansemble.fr closed. Transferred: sent 2580, received 2704 bytes, in 0.0 seconds Bytes per second: sent 10113368.5, received 10599437.4 debug1: Exit status -1 

The var log secure error is :

 fatal: Access denied for user finman by PAM account configuration [preauth] 

So i tried different workarounds to connect and setting UsePAM to no allowed me to be able to connect via ssh to the server.

pam.d/sshd :

#%PAM-1.0 auth required pam_sepermit.so auth substack password-auth auth include postlogin # Used with polkit to reauthorize users in remote sessions -auth optional pam_reauthorize.so prepare account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session required pam_namespace.so session optional pam_keyinit.so force revoke session include password-auth session include postlogin # Used with polkit to reauthorize users in remote sessions -session optional pam_reauthorize.so prepare 

After searching and trying differents solutions i haven't found a way to keep PAM enabled and connect to the server.

More info: connecting from a mac to a remote CentOS 7

The question is, does anyone know why PAM would block the ssh connection via pubkey ?

Thank you

Answer 1

Your logs indicate that you authenticated just fine, but that you received the message System is going down and were disconnected.

Look for a file /etc/nologin and remove it.

This file is created when the system is shutting down or restarting, and its presence indicates that users should not be allowed to log in, because the system is going down.

This file should be removed upon restart, but if that didn't happen, then the system could be up and running normally but still not allow anyone to log in.