I have a RHEL9 server where I ran the RHEL9 CIS ansible-lockdown role and configured it so that root can ssh in (yes I know, will be remedied in the future). The system is doing something very strange. After reboot, I cannot paste the ssh password into the terminal; it only lets me in if I type it out. As soon as any ssh session has been created, I CAN paste the password into the ssh prompt and it lets me in just fine. Here are logs showing the attempts. Note that the same password was in the clipboard the whole time, so I absolutely did not fat-finger the root password.

Jul 15 15:55:13 myhost sshd[1738]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.8  user=root
# ^password pasted
Jul 15 15:55:20 myhost sshd[1738]: pam_unix(sshd:session): session opened for user root(uid=0) by root(uid=0)
# ^password typed
Jul 15 15:55:21 myhost sshd[1738]: pam_unix(sshd:session): session closed for user root
Jul 15 15:55:24 myhost sshd[1937]: pam_unix(sshd:session): session opened for user root(uid=0) by root(uid=0)
# ^password pasted

I found someone posted something similar here: https://forums.rockylinux.org/t/weird-ssh-issue-on-9-3-ssh-login-fails-until-another-user-logs-in/13489/2 but there was no explanation and no fix. This isn't really a good setup for me since the generated passwords are very long and complex. One thing I notice is that the PID of sshd changed, but that hasn't helped me diagnose the issue. In the other forum there's no mention of CIS hardening, and I don't have another test system where I want to try a fresh install, so I'm not sure if it's due to the lockdown.

Any ideas?

Edit 1: Once ANY user has logged in, in any way (like with an ssh key), pasting the password also works. So it does not have to be entered manually once; the requirement is that someone (anyone) has to log in once, and then pasted passwords work.

Edit 2: As with the person in the link, it is related to the terminal; I was using SecureCRT. When I ssh using the regular command prompt, the pasted password works immediately after reboot. I would prefer to find a real reason for this, because this seems to be specific to RHEL9, and in this environment SecureCRT is the app that users are provided.

Edit 3: successfully sshing from a different terminal does NOT fix the password paste issue in SecureCRT. You still have to connect once from SecureCRT and after that you can reconnect by pasting a password. (and I mean really reconnect, no ControlMaster)

  • Try putting a wrong password first, then paste in the right one on the second try. Maybe it's some kind of timing issue, and it needs time to load libraries. Or does it only work if you do a right password twice? Commented Jul 15 at 21:01
  • It won't accept the pasted password at all until there has been a successful login. Original post updated. Commented Jul 16 at 6:45
  • If I'm reading your update correctly, this seems to be an issue with SecureCRT? You need to experiment some more to see exactly what SecureCRT needs before it will paste passwords correctly. Check if SecureCRT has some kind of trace option where it can log what it does, and compare a log with a pasted password vs a typed one. Commented Jul 16 at 17:44
  • From the other link I found before posting the question it seems that Konsole has the same issue. I have had very little luck debugging anything related to SecureCRT. Also it seems that both of these clients only have this problem with very specific Red Hat versions, and only under certain circumstances. Commented Jul 18 at 9:50
  • Sorry, I don't know. And it doesn't seem like anyone else does either. If it were me I would do a custom build of sshd that logs passwords and see what exactly is happening with a failed login. I know that's extra work for you, but I don't have any other suggestions. Commented Jul 18 at 18:26
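
The log excerpt from the question, grouped by the sshd PID in brackets, as an added example that is not part of the original post or its comments. Each incoming connection is served by its own sshd process, so lines that share a PID belong to one connection; the function names are this example's own, and the log lines are copied from the question.

```python
import re
from collections import defaultdict

# Log lines copied from the question above (the "# ^password ..." notes removed).
SAMPLE_LOG = """\
Jul 15 15:55:13 myhost sshd[1738]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.8  user=root
Jul 15 15:55:20 myhost sshd[1738]: pam_unix(sshd:session): session opened for user root(uid=0) by root(uid=0)
Jul 15 15:55:21 myhost sshd[1738]: pam_unix(sshd:session): session closed for user root
Jul 15 15:55:24 myhost sshd[1937]: pam_unix(sshd:session): session opened for user root(uid=0) by root(uid=0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+sshd\[(?P<pid>\d+)\]:\s+"
    r"pam_unix\(sshd:(?P<stage>auth|session)\):\s+(?P<msg>.*)$"
)

def classify(stage, msg):
    """Map a pam_unix message to a short event name, or None if irrelevant."""
    if stage == "auth" and msg.startswith("authentication failure"):
        return "auth_failure"
    if stage == "session" and msg.startswith("session opened"):
        return "session_opened"
    if stage == "session" and msg.startswith("session closed"):
        return "session_closed"
    return None

def events_by_connection(log_text):
    """Group pam_unix events by sshd PID, preserving log order."""
    conns = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # annotations and unrelated lines are skipped
        kind = classify(m["stage"], m["msg"])
        if kind:
            conns[int(m["pid"])].append((m["ts"], kind))
    return dict(conns)

def retried_connections(conns):
    """PIDs where a failed attempt was followed by a login in the same connection."""
    out = []
    for pid, events in conns.items():
        kinds = [k for _, k in events]
        if "auth_failure" in kinds and "session_opened" in kinds[kinds.index("auth_failure"):]:
            out.append(pid)
    return out

if __name__ == "__main__":
    conns = events_by_connection(SAMPLE_LOG)
    for pid, events in conns.items():
        print(pid, events)
    print("failed, then succeeded, in one connection:", retried_connections(conns))
```

On the question's excerpt this shows the failed pasted attempt and the successful typed attempt inside the same connection (PID 1738), while PID 1937 is the later, separate connection.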
