Symptoms:
- After upgrading an ESXi 5.x host to ESXi 6.0 or ESXi 6.5, you are prompted for a password twice when connecting via SSH.
- You do not see an error after the first entry of the password and you are immediately prompted for a password a second time.
- You are able to log in after entering the password for the second time.
- In /var/run/log/auth.log, you see two pam_sm_authenticate failures:
Connection from 1.1.1.1 port 63936
[module:pam_lsass]pam_sm_authenticate: failed [error code:40017] <---First
[module:pam_lsass]pam_sm_authenticate: failed [error code:40017] <---Second
Accepted keyboard-interactive/pam for root from 1.1.1.1 port 63936 ssh2
pam_unix(sshd:session): session opened for user root by (uid=0)
Session opened for 'root' on /dev/char/pty/t0
Timeout, client not responding.
pam_unix(sshd:session): session closed for user root
Session closed for 'root' on /dev/char/pty/t0
- If a host is joined to an Active Directory domain, there should only be one pam_lsass failure for a successful local account login.
- The /etc/pam.d/system-auth-generic file on the ESXi host contains two pam_lsass.so entries for account and auth.
auth required /lib/security/$ISA/pam_deny.so
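
A check for the two symptoms above, as an added example that is not part of the original article: it reports PAM module types with more than one pam_lsass.so line and counts pam_lsass failures before each accepted login. The function names are hypothetical, and the sample PAM file is constructed (its control flags and the pam_lsass.so path are assumed).

```shell
#!/bin/sh
# Added example. Sample files below are constructed for illustration.

# Print "type count" for every PAM module type (auth, account, ...) that has
# more than one pam_lsass.so line in the given PAM file.
dup_lsass_entries() {
    awk '$1 ~ /^#/ { next }
         /pam_lsass\.so/ { n[$1]++ }
         END { for (t in n) if (n[t] > 1) print t, n[t] }' "$1" | sort
}

# Print "user failures" for each accepted login: the number of pam_lsass
# failures logged since the preceding "Connection from" line.
# Assumes one SSH connection at a time (interleaved sessions are not separated).
lsass_failures_per_login() {
    awk '/Connection from/ { fails = 0 }
         /\[module:pam_lsass\]pam_sm_authenticate: failed/ { fails++ }
         /Accepted .* for / {
             user = "?"
             for (i = 1; i < NF; i++) if ($i == "for") user = $(i + 1)
             print user, fails
             fails = 0
         }' "$1"
}

tmp=$(mktemp -d)
sample_pam="$tmp/system-auth-generic"
sample_log="$tmp/auth.log"

# Constructed PAM file: the control flags and pam_lsass.so path are assumed.
cat > "$sample_pam" <<'EOF'
auth     sufficient  /lib/security/$ISA/pam_lsass.so
auth     sufficient  /lib/security/$ISA/pam_lsass.so
auth     required    /lib/security/$ISA/pam_deny.so
account  sufficient  /lib/security/$ISA/pam_lsass.so
account  sufficient  /lib/security/$ISA/pam_lsass.so
EOF

# Log lines in the shape shown in the symptom above (annotations removed).
cat > "$sample_log" <<'EOF'
Connection from 1.1.1.1 port 63936
[module:pam_lsass]pam_sm_authenticate: failed [error code:40017]
[module:pam_lsass]pam_sm_authenticate: failed [error code:40017]
Accepted keyboard-interactive/pam for root from 1.1.1.1 port 63936 ssh2
EOF

dup_lsass_entries "$sample_pam"          # account 2 / auth 2
lsass_failures_per_login "$sample_log"   # root 2
```

To check a host, pass /etc/pam.d/system-auth-generic and /var/run/log/auth.log to the two functions instead of the sample files.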