Regular user is unable to log in via ssh

When I try to log in via ssh to a centos7 container, I immediately get the message “Connection closed”.
At the same time, logging in as root via ssh works.

In /var/log/secure:

Feb 21 15:35:47 c1 sshd[1439]: Accepted password for user from ::1 port 32834 ssh2
Feb 21 15:35:47 c1 sshd[1439]: pam_loginuid(sshd:session): Cannot open /proc/self/loginuid: Permission denied
Feb 21 15:35:47 c1 sshd[1439]: pam_loginuid(sshd:session): set_loginuid failed
Feb 21 15:35:47 c1 sshd[1439]: pam_unix(sshd:session): session opened for user user by (uid=0)
Feb 21 15:35:47 c1 sshd[1439]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
Feb 21 15:35:47 c1 sshd[1449]: Received disconnect from ::1 port 32834:11: disconnected by user
Feb 21 15:35:47 c1 sshd[1449]: Disconnected from ::1 port 32834

lxc image show 39b6fec53513
    auto_update: true
    properties:
      architecture: amd64
      description: Centos 7 amd64 (20190221_07:09)
      os: Centos
      release: "7"
      serial: "20190221_07:09"
    public: false

lxc version
Client version: 3.10
Server version: 3.10

Editing “session required pam_loginuid.so” in /etc/pam.d/sshd helps, but maybe there is some better solution?

No, that unfortunately sounds about right. We used to have that fix in our images, it may be that switching to our new image build machinery dropped that workaround somehow, I’ll look at adding it back.

Actually, looks like we do have the mitigation for this already in place, starting the current image, I’m seeing:

[root@centos7 ~]# grep -r loginuid /etc/
/etc/pam.d/remote:# session    required     pam_loginuid.so
/etc/pam.d/crond:# session    required   pam_loginuid.so
/etc/pam.d/login:# session    required     pam_loginuid.so

I suspect the problem is that when you install sshd, it installs the new pam.d/ssh file with the same problem… Unfortunately there’s not much we can do about this, maybe something worth reporting back to CentOS to see if there’s something they can do.

Is there a more verbose answer for this? I will look around and see if I can add to this answer.

Just comment out the line with “session required pam_loginuid.so” in /etc/pam.d/sshd.

Anyway, this isn’t an LXC or LXD problem; this is an upstream image problem from what I understand.
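The workaround discussed in this thread, as an added example that is not part of any post above: a script that lists the PAM service files still carrying an active `session ... pam_loginuid.so` line and comments those lines out, keeping a backup. The function names, the `.bak` suffix and the sample files are assumptions made for illustration; it relies on `grep -E` and `sed -E`.

```shell
#!/bin/sh
# Added example (not from the thread): locate and comment out active
# "session ... pam_loginuid.so" lines, the workaround discussed above.

# Active = the line starts with the "session" type (or "-session"), not "#".
LOGINUID_RE='[[:space:]]*-?session[[:space:]]+[^#]*pam_loginuid\.so'

# List files in a pam.d directory ($1, default /etc/pam.d) with an active line.
active_loginuid_files() {
    for f in "${1:-/etc/pam.d}"/*; do
        case $f in *.bak) continue ;; esac        # skip our own backups
        if [ -f "$f" ] && grep -qE "^$LOGINUID_RE" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Comment the lines out, keeping FILE.bak. The file is rewritten from the
# backup through ">", so the original inode and mode are kept.
disable_loginuid() {
    active_loginuid_files "${1:-}" | while IFS= read -r f; do
        cp -p "$f" "$f.bak"
        sed -E "s/^(${LOGINUID_RE}.*)\$/# \\1/" "$f.bak" > "$f"
        printf 'commented out pam_loginuid in %s\n' "$f"
    done
}

# Constructed sample: a pam.d copy with one active and one already-fixed file.
make_sample() {
    d=$(mktemp -d)
    printf 'auth       include      password-auth\nsession    required     pam_loginuid.so\nsession    include      password-auth\n' > "$d/sshd"
    printf '# session    required     pam_loginuid.so\nsession    include      system-auth\n' > "$d/login"
    printf '%s\n' "$d"
}

# Usage: script check [DIR] | script fix [DIR] | script demo
case ${1:-} in
    check) active_loginuid_files "${2:-}" ;;
    fix)   disable_loginuid "${2:-}" ;;
    demo)  d=$(make_sample); disable_loginuid "$d"; grep -r loginuid "$d" ;;
esac
```

pam_loginuid is the module that sets the login UID used by the audit subsystem, so sessions opened after this change no longer carry that attribute in audit records. Running `check` again after a package update shows whether a reinstalled service file has brought the active line back.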