Unable to login via SSH as non-root

On my UCS installation running 4.4-3 errata413, I am unable to log in to the server as a ‘normal’ user via SSH:

$ ssh igadget@10.0.0.1
Password: 
Connection closed by 10.0.0.1 port 22

Logging in via SSH as root works fine.
Normal users can log in fine on the UCS web interface and linked apps (i.e. Nextcloud). It’s just SSH that doesn’t work.
When looking at /var/log/auth.log, I see this:

Dec 27 18:17:42 ucs1 sshd[20039]: pam_access(sshd:account): access denied for user `igadget' from `10.0.0.2'
Dec 27 18:17:42 ucs1 sshd[20037]: error: PAM: User account has expired for igadget from 10.0.0.2
Dec 27 18:17:42 ucs1 sshd[20037]: fatal: monitor_read: unpermitted request 104

I checked the UCR and “sshd/passwordauthentication” is set to “yes”.
Restarted SSH service, no effect.
Rebooted the server, no effect.

What am I doing wrong here?

By default the login on DCs is restricted to root and members of some admin groups. You can adjust it via ucr.

To allow the group “mygroup”:

ucr set auth/sshd/group/mygroup=yes

To allow the user “myuser”:

ucr set auth/sshd/user/myuser=yes
4 Likes
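
A triage helper for the situation in this thread, as an added example that is not part of the original posts or of UCS itself: it pulls the pam_access denials out of auth.log text and maps each denied user to the auth/sshd/user/... UCR variable named in the answer above. The sample log is constructed from the excerpt in the question, and the safe-name pattern is an assumption, used because the user name written to auth.log is supplied by the connecting client and should not be reused in a command unchecked.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the auth.log excerpt quoted in the question.
SAMPLE_LOG = """\
Dec 27 18:17:42 ucs1 sshd[20039]: pam_access(sshd:account): access denied for user `igadget' from `10.0.0.2'
Dec 27 18:17:42 ucs1 sshd[20037]: error: PAM: User account has expired for igadget from 10.0.0.2
Dec 27 18:19:03 ucs1 sshd[20101]: pam_access(sshd:account): access denied for user `igadget' from `10.0.0.3'
Dec 27 18:20:11 ucs1 sshd[20140]: pam_access(sshd:account): access denied for user `x;reboot' from `10.0.0.9'
Dec 27 18:21:00 ucs1 sshd[20150]: Accepted password for root from 10.0.0.2 port 50122 ssh2
"""

# pam_access quotes the user and source as `value' in its denial message.
DENIED = re.compile(
    r"sshd\[\d+\]: pam_access\(sshd:account\): access denied for user "
    r"`(?P<user>[^']*)' from `(?P<src>[^']*)'"
)
# Assumption: only names matching this conservative pattern are turned into a variable name.
SAFE_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]*\Z")


def denied_logins(log_text):
    """Return {user: {"count": n, "sources": [...]}} for pam_access denials on sshd."""
    found = defaultdict(lambda: {"count": 0, "sources": set()})
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            entry = found[m.group("user")]
            entry["count"] += 1
            entry["sources"].add(m.group("src"))
    return {u: {"count": e["count"], "sources": sorted(e["sources"])}
            for u, e in found.items()}


def ucr_variable(user):
    """UCR variable from the answer above, or None if the logged name is unsafe to reuse."""
    return f"auth/sshd/user/{user}" if SAFE_NAME.match(user) else None


if __name__ == "__main__":
    for user, info in denied_logins(SAMPLE_LOG).items():
        var = ucr_variable(user) or "(name not reusable in a command, review manually)"
        print(f"{user!r}: {info['count']} denial(s) from {info['sources']} -> {var}")
```

Whether a listed user should actually be granted SSH access, individually or through a group, remains an administrative decision; the script only shows which denials came from the pam_access restriction.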

That did the trick. Thank you so much SirTux! 🙂

Thanks <3 Saved my day.

Great, helped me too 🙂

Apologies for the necro posting, but why would they do such a thing?

Several reasons, in fact:

  • Not logging in as root is generally seen as a good security practice
  • Use SSHFS / SFTP to transfer files, when other protocols are not available or desired

And that’s just the 2 use reasons that are (or actually, were) valid for my small home deployment. I can imagine larger organizations have additional reasons for being able to login as non-root users.

Maybe UCS has improved so much since 2019 that these requirements can now be easily met in a more elegant fashion. Do share your thoughts and perhaps I’ll try UCS again.

I know, I was more referring to the fact that they have made it “difficult” to make and use a non-privileged user…

I am sure there are valid reasons to do so, they are just beyond my comprehension…

I am not exactly sure what you mean about the use cases and if UCS has become better in that way since 2019, I don't know… But to me it seems like a super nice system they have made, and truly admirable that they are gifting it to us 🙂

This helped me tremendously as I had been struggling for months to get both master and backup nodes to talk to each other after a hypervisor crash and I just had to include the “Domain Controllers” group in this way and it was solved! Thanks A LOT!!!
