User is prompted to enter their password twice when connecting to an ESXi host via SSH

Article ID: 345168

Products

VMware

Issue/Introduction

Symptoms:
  • After upgrading an ESXi 5.x host to ESXi 6.0 or ESXi 6.5, you are prompted for a password twice when connecting via SSH.
  • You see no error after the first password entry; you are immediately prompted for the password a second time.
  • You are able to log in after entering the password the second time.
  • In /var/run/log/auth.log, you see two pam_sm_authenticate failures for the one connection:
Connection from 1.1.1.1 port 63936
[module:pam_lsass]pam_sm_authenticate: failed [error code:40017] <---First
[module:pam_lsass]pam_sm_authenticate: failed [error code:40017] <---Second
Accepted keyboard-interactive/pam for root from 1.1.1.1 port 63936 ssh2
pam_unix(sshd:session): session opened for user root by (uid=0)
Session opened for 'root' on /dev/char/pty/t0
Timeout, client not responding.
pam_unix(sshd:session): session closed for user root
Session closed for 'root' on /dev/char/pty/t0
 
  • If a host is joined to an Active Directory domain, there should be only one pam_lsass failure for a successful local-account login.
  • The /etc/pam.d/system-auth-generic file on the ESXi host contains two pam_lsass.so entries each for account and auth.
auth required /lib/security/$ISA/pam_deny.so
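The two-failures-then-Accepted pattern above can be checked mechanically rather than by eye. The following is an added example and not part of the KB article: a POSIX sh function that pipes auth.log lines through awk and reports, for every accepted SSH login, how many pam_lsass authenticate failures preceded it. The sample log is constructed (modelled on the excerpt above; addresses and ports are made up), and the threshold of two failures comes from the symptom description.

```shell
#!/bin/sh
# Added example, not from the KB: count pam_lsass authenticate failures
# per accepted SSH login in an auth.log stream. Two failures ahead of an
# "Accepted" line is the double-prompt symptom; one is the expected count
# for a local account on a domain-joined host.

# Constructed sample modelled on the excerpt in the article; addresses and
# ports are made up. Real lines carry a timestamp prefix, which the
# patterns below tolerate because they are not anchored to line start.
SAMPLE_LOG='Connection from 1.1.1.1 port 63936
[module:pam_lsass]pam_sm_authenticate: failed [error code:40017]
[module:pam_lsass]pam_sm_authenticate: failed [error code:40017]
Accepted keyboard-interactive/pam for root from 1.1.1.1 port 63936 ssh2
pam_unix(sshd:session): session opened for user root by (uid=0)
Connection from 1.1.1.2 port 50001
[module:pam_lsass]pam_sm_authenticate: failed [error code:40017]
Accepted keyboard-interactive/pam for root from 1.1.1.2 port 50001 ssh2'

# Reads auth.log lines on stdin; prints "<ip>:<port> <failures> <verdict>"
# for every accepted login. The counter resets on each new connection.
count_lsass_failures() {
    awk '
        /Connection from /                        { n = 0; next }
        /pam_lsass.pam_sm_authenticate: failed/   { n++; next }
        /Accepted .* for .* from .* port /        {
            ip = $(NF-3); port = $(NF-1)        # "... from <ip> port <port> ssh2"
            verdict = (n >= 2) ? "DOUBLE_PROMPT" : "ok"
            print ip ":" port, n, verdict
            n = 0
        }
    '
}

# Demo on the constructed sample; on a host: count_lsass_failures < /var/run/log/auth.log
printf '%s\n' "$SAMPLE_LOG" | count_lsass_failures
```

The function only needs busybox-compatible awk, so it can be run on the ESXi shell itself or over a copied auth.log on a workstation; a line ending in DOUBLE_PROMPT identifies a login that hit both pam_lsass.so entries.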

Cause

This issue occurs because of a change in the PAM configuration made to support smart-card authentication of local users. A new pam_lsass.so entry is added to /etc/pam.d/system-auth-generic without the original entry being updated or removed, which is why two pam_lsass.so entries appear for account and auth.

Resolution

This issue is resolved in VMware ESXi 6.0 Patch Release 5 and ESXi 6.5 U1, available at VMware Patch Downloads. For more information on downloading patches, see How to download patches in Customer Connect (1021623).

To prevent this issue, disjoin the ESXi host from the domain before upgrading. Once the upgrade is complete, rejoin the host to the domain.

For hosts that have already been upgraded:
 
  1. Disjoin the host from the domain. This should remove the two pam_lsass.so smartcard_prompt entries.
  2. Remove the old pam_lsass.so entries from /etc/pam.d/system-auth-generic.
  3. Open /etc/pam.d/system-auth-generic in vi and delete the two lines marked below:

    #%PAM-1.0
    account sufficient /lib/security/$ISA/pam_lsass.so <---Delete this line
    account sufficient /lib/security/$ISA/pam_unix.so
    account required /lib/security/$ISA/pam_deny.so
    auth sufficient /lib/security/$ISA/pam_lsass.so <---Delete this line
    auth sufficient /lib/security/$ISA/pam_unix.so try_first_pass likeauth nullok
    auth required /lib/security/$ISA/pam_deny.so
    session sufficient /lib/security/$ISA/pam_unix.so
    session required /lib/security/$ISA/pam_deny.so

     
  4. Rejoin the host to the domain.
  5. The file should now look like this:

    #%PAM-1.0
    account sufficient /lib/security/$ISA/pam_lsass.so smartcard_prompt
    account sufficient /lib/security/$ISA/pam_unix.so
    account required /lib/security/$ISA/pam_deny.so
    auth sufficient /lib/security/$ISA/pam_lsass.so smartcard_prompt
    auth sufficient /lib/security/$ISA/pam_unix.so try_first_pass likeauth nullok
    auth required /lib/security/$ISA/pam_deny.so
    session sufficient /lib/security/$ISA/pam_unix.so
    session required /lib/security/$ISA/pam_deny.so


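To confirm the repair, or to find hosts that still carry the duplicated entries before anyone reports the double prompt, here is an added audit script that is not part of the KB article: a POSIX sh function that parses a system-auth-generic style file and flags any PAM type (account, auth) with more than one pam_lsass.so line. The two sample files are constructed inline from the listings above (the broken state is the old entry plus the smartcard_prompt entry for each type); the default path /etc/pam.d/system-auth-generic is the one the article names.

```shell
#!/bin/sh
# Added example, not from the KB: audit a PAM config for duplicated
# pam_lsass.so entries. Prints one line per affected type and returns 1
# when any type (account, auth, ...) carries more than one pam_lsass.so
# line; returns 0 and prints nothing when the file is clean.

check_pam_lsass_dups() {
    # $1: PAM file to audit; defaults to the ESXi path named in the article
    pamfile="${1:-/etc/pam.d/system-auth-generic}"
    awk '
        # Fields: $1 type, $2 control, $3 module path, $4.. module arguments
        $1 ~ /^#/ || NF < 3 { next }
        $3 ~ /pam_lsass\.so$/ {
            count[$1]++
            args = ""
            for (i = 4; i <= NF; i++) args = args " " $i
            seen[$1] = seen[$1] "[" $2 " " $3 args "]"
        }
        END {
            bad = 0
            for (t in count)
                if (count[t] > 1) {
                    printf "%s: %d pam_lsass.so entries %s\n", t, count[t], seen[t]
                    bad = 1
                }
            exit bad
        }
    ' "$pamfile"
}

# Constructed sample files (quoted heredocs keep $ISA literal, as in the real file).
BROKEN_FILE=$(mktemp)   # state after the upgrade: old entry + smartcard_prompt entry
FIXED_FILE=$(mktemp)    # state after the fix: only the smartcard_prompt entry
trap 'rm -f "$BROKEN_FILE" "$FIXED_FILE"' EXIT

cat > "$BROKEN_FILE" <<'EOF'
#%PAM-1.0
account sufficient /lib/security/$ISA/pam_lsass.so
account sufficient /lib/security/$ISA/pam_lsass.so smartcard_prompt
account sufficient /lib/security/$ISA/pam_unix.so
account required /lib/security/$ISA/pam_deny.so
auth sufficient /lib/security/$ISA/pam_lsass.so
auth sufficient /lib/security/$ISA/pam_lsass.so smartcard_prompt
auth sufficient /lib/security/$ISA/pam_unix.so try_first_pass likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
session sufficient /lib/security/$ISA/pam_unix.so
session required /lib/security/$ISA/pam_deny.so
EOF

cat > "$FIXED_FILE" <<'EOF'
#%PAM-1.0
account sufficient /lib/security/$ISA/pam_lsass.so smartcard_prompt
account sufficient /lib/security/$ISA/pam_unix.so
account required /lib/security/$ISA/pam_deny.so
auth sufficient /lib/security/$ISA/pam_lsass.so smartcard_prompt
auth sufficient /lib/security/$ISA/pam_unix.so try_first_pass likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
session sufficient /lib/security/$ISA/pam_unix.so
session required /lib/security/$ISA/pam_deny.so
EOF

# Demo: the broken file reports both types, the fixed file is silent.
for f in "$BROKEN_FILE" "$FIXED_FILE"; do
    if check_pam_lsass_dups "$f"; then
        echo "$f: no duplicated pam_lsass.so entries"
    fi
done
```

Run it with no argument on the host after step 5 to verify that only the smartcard_prompt entries remain; the non-zero exit status makes it usable from a fleet-wide compliance check as well.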
Additional Information

 

How to download patches in Customer Connect
When attempting to connect to an ESXi host via SSH, the user is asked to enter the password twice