We have a cluster with a front node that admits normal users and LDAP users. Two days ago the ssh show a strange behavior:
- The LDAP users can't login in the front node using password
- but, The LDAP users can login if they setup ssh-key in authorized_keys
- normal users (No LDAP, /etc/passwd ones) can login without problems
- Other services using the same LDAP server works right
So, I think is a problem located in the front node. The LDAP appears to work, using getent [passwd|shadow] command we are getting all users.
At the same time, the ssh show a warning/error when we login from this node to other nodes. But it allow the ssh anyway:
[root@frontnode ~]# ssh othernode
/etc/ssh/ssh_config line 50: Unsupported option "GSSAPIAuthentication"
[root@othernode ~]#
Also, When I restart the ssh daemon, we have also errors related to GSSAPI:
[root@frontnode ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: /etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials
/etc/ssh/sshd_config line 97: Unsupported option UsePAM
[ OK ]
No one changed ssh configuration, neither sshd configuration. And was working until now. We don't know what the problem is.
The login node is a Scientific Linux release 6.2 (redhat based)
It looks like sshd or some libraries got changed on the front node.
The
UsePAMoption is what would allow you to login with LDAP stored passwords.Troubleshooting steps
/var/log/yum.logfor any package changes.Cleanup
Now that you have determined that there is a rootkit, you need to ensure that everyone changes their passwords and recommend that they change their passwords on other sites, too.
The safest option for cleanup is to reinstall and restore from a backup before this started. You can never really know if some seemingly innocuous file got modified and will reinfect after you clean up.