RHEL: Users unable to login via SSH

titanic4u · September 30, 2011, 10:15am

removing the post

robo · September 30, 2011, 10:52am

Sep 28 14:26:07 ************* kernel:  [<ffffffff802141ed>] sock_aio_read+0x4f/0x5e
Sep 28 14:26:07 ************* kernel:  [<ffffffff8000cb14>] do_sync_read+0xc7/0x104
Sep 28 14:26:07 ************* kernel:  [<ffffffff8003c00e>] hrtimer_start+0xbc/0xce
Sep 28 14:26:07 ************* kernel:  [<ffffffff8009db21>] autoremove_wake_function+0x0/0x2e
Sep 28 14:26:07 ************* kernel:  [<ffffffff8004356f>] sys_rt_sigreturn+0x323/0x356
Sep 28 14:26:07 ************* kernel:  [<ffffffff8000b406>] vfs_read+0xde/0x171
Sep 28 14:26:07 ************* kernel:  [<ffffffff800117d4>] sys_read+0x45/0x6e
Sep 28 14:26:07 ************* kernel:  [<ffffffff8005d28d>] tracesys+0xd5/0xe0
Sep 28 14:26:07 ************* kernel:
Sep 28 14:26:07 ************* kernel: oracle        S ffffffff80148c54     0 14603      1         14605 14601 (NOTLB)
Sep 28 14:26:07 ************* kernel:  ffff810269695bb8 0000000000000086 ffffffff800539bd ffff810930e12d40
Sep 28 14:26:07 ************* kernel:  ffff810930e12d40 000000000000000a ffff81052669d040 ffff81058e254820
Sep 28 14:26:07 ************* kernel:  000d94b2d3a4c4aa 00000000000049d2 ffff81052669d228 0000000500000000
Sep 28 14:26:07 ************* kernel: Call Trace:
Sep 28 14:26:07 ************* kernel:  [<ffffffff800539bd>] tcp_rtt_estimator+0xcf/0x113
Sep 28 14:26:07 ************* kernel:  [<ffffffff800638f0>] schedule_timeout+0x1e/0xad
Sep 28 14:26:07 ************* kernel:  [<ffffffff80064be1>] _spin_lock_bh+0x9/0x14
Sep 28 14:26:07 ************* kernel:  [<ffffffff80030850>] release_sock+0x13/0xaa
Sep 28 14:26:07 ************* kernel:  [<ffffffff80216909>] sk_wait_data+0x81/0xbf
Sep 28 14:26:07 ************* kernel:  [<ffffffff8009db21>] autoremove_wake_function+0x0/0x2e
Sep 28 14:26:07 ************* kernel:  [<ffffffff80064be1>] _spin_lock_bh+0x9/0x14
Sep 28 14:26:07 ************* kernel:  [<ffffffff8001d0b7>] tcp_recvmsg+0x422/0xb1f

check for your system generated core messages

find . -type f -regex ".*/core\.[0-9][0-9][0-9][0-9]$"

also use dmesg

Tommyk · September 30, 2011, 11:35am

when you say they were unable to log in via ssh, were they unable to connect to the box (as in no login prompt) or were they connecting and not being able to use their username and passwd to log in?

If they could get a login prompt please post the output of /var/log/secure for the 28th (might be in secure 1 or 2 depending on log file rotation). (please blank out any usernames or information relating to your server's setup such as I.P.s)

If they could not get a login prompt check /var/adm/boot.log to see if the ssh service was stopped or started on/around that day. Could it have been a fire wall issue preventing access via ssh to that box?

jabalv · September 30, 2011, 11:48am

Check:

Tommyk · September 30, 2011, 12:01pm

Quote:
 	 		 			 				tail -50 /var/log/secure 			 		 	 	 
	   		  		  		  		  		  		 			 			 			 			 				[![](upload://xWLfA7OTTqlHbAU2fxJ9sSQYDOy.gif)](http://www.unix.com/newreply.php?do=newreply&p=302560640)

Not exactly, for a start his logs may have been rotated and it might be in /var/log/secure1
Also, it may be beyong the 50th line, considering he said this was 2 days ago if the box has a few users on this would be more than 50 lines back.

titanic4u · September 30, 2011, 12:09pm

removing the post

Tommyk · September 30, 2011, 12:28pm

well, looks like a simple case of bad password to me.