Non-root users cannot log in via SSH after upgrade to TrueNAS-13.0-U2

whosmatt

Dabbler
Joined
Jun 6, 2012
Messages
20
Upgraded from 12.0-U8 recently. Non-root users are now rejected for ssh login (password). The system logs the following message for each attempt:

fatal: Access denied for user username by PAM account configuration [preauth]

Any ideas? I can live without ssh for the most part except for a couple of backup jobs that rely on scp.
 

whosmatt

FWIW I fired up a brand new TrueNAS 13 VM and compared its /etc/pam.d/sshd with mine. The only differences are that mine has lines like:

password sufficient /usr/local/lib/pam_winbind.so try_first_pass krb5_auth krb5_ccache_type=FILE

presumably from being joined to my Active Directory.

I checked my SSHD settings in the gui and made sure "Allow Password Authentication" is set. Looked at my users and this is typical:

GID: 1001
Home directory: /mnt/pool/user
Shell: /bin/csh
Email: N/A
Password Disabled: false
Lock User: false
Permit Sudo: false
Microsoft Account: false
Samba Authentication: true
 

whosmatt

Figured it out -- set "Samba Authentication" to false and now can SSH in just fine. Maybe this will help someone else.
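
The log message quoted in the first post names the PAM account stage, and sshd writes a different line when the password itself is wrong. The following Python script is an added example, not part of the thread: it sorts sshd log lines by the stage that failed. The log lines, host name, users and addresses are constructed, and `triage` and `account_phase_only` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of sshd entries in auth.log
# (host name, PIDs, users and addresses are made up for this example).
SAMPLE_LOG = """\
Nov  3 10:15:01 truenas sshd[4101]: fatal: Access denied for user alice by PAM account configuration [preauth]
Nov  3 10:15:09 truenas sshd[4107]: Failed password for bob from 192.0.2.10 port 51234 ssh2
Nov  3 10:15:30 truenas sshd[4112]: fatal: Access denied for user alice by PAM account configuration [preauth]
Nov  3 10:16:02 truenas sshd[4120]: Accepted password for root from 192.0.2.10 port 51240 ssh2
Nov  3 10:16:40 truenas sshd[4131]: Failed password for invalid user carol from 192.0.2.77 port 40022 ssh2
"""

# One pattern per outcome; the first capture group is the user name.
PATTERNS = {
    "account_denied": re.compile(
        r"sshd\[\d+\]: fatal: Access denied for user (\S+) by PAM account configuration"),
    "bad_credentials": re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from "),
    "accepted": re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from "),
}


def triage(log_text):
    """Return {outcome: {user: count}} for the sshd lines in log_text."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        for label, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                counts[label][match.group(1)] += 1
                break
    return {label: dict(users) for label, users in counts.items()}


def account_phase_only(result):
    """Users rejected by the PAM account stack with no wrong-password line logged."""
    denied = set(result.get("account_denied", {}))
    return sorted(denied - set(result.get("bad_credentials", {})))


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(summary)
    print("check the account lines of /etc/pam.d/sshd for:", account_phase_only(summary))
```

Users listed by `account_phase_only` point at the `account` entries of the PAM configuration rather than at the password or the "Allow Password Authentication" setting.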
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
> Figured it out -- set "Samba Authentication" to false and now can SSH in just fine. Maybe this will help someone else.

Pray tell - where exactly are the "SSHD settings in the gui"? Apparently not Services > SSH; I don't have those settings there.

EDIT: Never mind, I found what you're talking about at Accounts > Users > <user> > Edit.
Unfortunately, turning off Samba authentication didn't fix my problem: I can log into SSH locally but not remotely. This has worked for years until recently.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
> Pray tell - where exactly are the "SSHD settings in the gui"? Apparently not Services > SSH; I don't have those settings there.
>
> EDIT: Never mind, I found what you're talking about at Accounts > Users > <user> > Edit.
> Unfortunately, turning off Samba authentication didn't fix my problem: I can log into SSH locally but not remotely. This has worked for years until recently.

What's the exact error message? I'm not seeing this on my 13.0-U3.1 server.
 

Glorious1

> What's the exact error message? I'm not seeing this on my 13.0-U3.1 server.

It must be something I've screwed up on my own. There is no error message at all, except attempt timed out. It's like the server just ignores the attempt to connect via SSH through the router. I'm connecting to an arbitrary high port number using duckdns for dynamic DNS. duckdns is getting the correct WAN IP and the port is forwarded to TrueNAS local IP.

I'm using public key authentication, and it works fine locally and used to remotely as well.

Remote attempt:
Code:
JimsMBPro:~ jim$ ssh -vvv -p 5***4 jim@t******e.duckdns.org
OpenSSH_9.0p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/jim/.ssh/config
debug1: /Users/jim/.ssh/config line 12: Applying options for t*******e.duckdns.org
debug1: /Users/jim/.ssh/config line 18: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/jim/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/jim/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to t******e.duckdns.org port 5***4.
    [wait a few minutes . . .]
ssh: connect to host t******e.duckdns.org port 5***4: Operation timed out
JimsMBPro:~ jim$


The router is forwarding the port to the TrueNAS server, and SSH is set to use that port. I'm pretty sure the forwarding is working because when I go to https://portchecktool.com and enter my WAN IP (which duckdns has correct) and the port number, it shows open and service detected. When I turn SSH off in TrueNAS and try again, it shows the port closed.

I tried maxing out the log level of SSHD in TrueNAS (adding LogLevel DEBUG3 to Services > SSH > Advanced > Auxiliary Parameters), and there is no mention of any login attempt in any log I can find. If I log in locally, using TrueNAS's LAN IP (but same high port number), it works fine and auth.log shows plenty of stuff. I'm not showing the local login results because it is very long at any verbosity level.

EDIT: I updated to TrueNAS-13.0-U3.1, but it made no difference.
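
The post above describes a connection that times out while sshd logs nothing at DEBUG3. As an added example (not part of the thread), this Python probe classifies a single connection attempt so that a silent drop can be told apart from a refusal or a live SSH banner; `probe_ssh` and `start_fake_sshd` are hypothetical names, and the loopback listener is a constructed stand-in for sshd.

```python
import socket
import threading


def probe_ssh(host, port, timeout=5.0):
    """Classify a single TCP connection attempt to an SSH port.

    "banner":  handshake completed and the peer sent an SSH identification string
    "open":    handshake completed, but no SSH banner arrived within the timeout
    "refused": a host answered with a reset, so nothing is listening there
    "timeout": no reply came back at all, so sshd has nothing to log
    "error":   anything else, such as a name-resolution failure
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except (socket.timeout, TimeoutError):
        return ("timeout", "")
    except ConnectionRefusedError:
        return ("refused", "")
    except OSError as exc:
        return ("error", str(exc))
    with sock:
        try:
            data = sock.recv(255)  # the server sends its identification string first
        except (socket.timeout, TimeoutError):
            return ("open", "")
        except OSError as exc:
            return ("error", str(exc))
    first_line = data.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    return ("banner", first_line) if first_line.startswith("SSH-") else ("open", first_line)


def start_fake_sshd(banner=b"SSH-2.0-ConstructedExample\r\n"):
    """Constructed stand-in for sshd: serves one connection on loopback."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    print(probe_ssh("127.0.0.1", start_fake_sshd(), timeout=2.0))
```

Running the probe from both inside and outside the network against the same host name and port shows on which path the connection is lost.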
 

Glorious1

I'm traveling now and am able to remotely SSH into TrueNAS just fine. Apparently I can't do it from the local network, even though I am going through my dynamic DNS provider, so it must hit the router from the outside. I don't understand that. But at least it works when I need it to.
 