SRX Services Gateway
SRX Services Gateway

SSH Login Failure: pam_unix: pam_sm_authenticate: UNIX authentication refused (from Internal Interfaces only)

‎03-05-2019 04:07 AM

Hello All, I have weird issues going on with my SRX300-[15.1X49-D170.4] .. I have a user login 'admin' that can log in fine through the PUBLIC interface, but not the internal interface.. This configuration came from a SRX240 for which I just replaced. I changed all the configuration that it didn't like such as vlan.X to irb.X and all the DHCP changes. Plug the device in and all the rules and tunnels came up find. The only thing that doesn't work is logging in via ssh to an internal interface in my trust zone. Not sure how the SSH login process differs based on the interface your logging into? 

 

Everything I've seen has been related to root access. I have the same issue with that account as in the above example as well. I did noticed that updated passwords had a longer hash key, so I updated the password on the admin account to match. Still have same issue. I haven't rebooted the device with fear of it locking out all accounts on all interfaces. I have checked:

 

show system login lockout
User accounts not locked

 

>>>>>> Logging to the device via internal IP address

Using username "admin".
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
pam_unix: pam_sm_authenticate: UNIX authentication refused

Access denied
Using keyboard-interactive authentication.
Password:

 

>>>>>> Logging to the device via external public IP.

Using username "admin".
Using keyboard-interactive authentication.
Password:
Last login: Tue Mar 5 05:59:13 2019 from XX.XX.XX.XX
--- JUNOS 15.1X49-D170.4 built 2019-02-22 22:34:42 UTC
admin@XXXXX.SRX300>

 

I can log into the web interface internally fine with the same admin account as well. Not sure what to look out to be honest. 

5 REPLIES 5
SRX Services Gateway

Re: SSH Login Failure: pam_unix: pam_sm_authenticate: UNIX authentication refused (from Internal Interfaces only)

‎03-05-2019 07:50 AM

Hello,

 

Since you are able to login from one interface and not from another. I would start by logging at zone level settings for host-inbound services, to check if ssh is allowed.

 

> Compare the "show security zones security-zone <External> & show security zones security-zone <Internal>

> SSH needs to be explicitly allowed or you could also allow services all

    > set security zone security-zone Internal host-inbound-traffic system-services all   OR

    > set security zone security-zone Internal host-inbound-traffic system-services ssh

> Here are some related threads:

https://forums.juniper.net/t5/SRX-Services-Gateway/how-to-configure-SSH-or-web-management-to-connect...

 

> Related documentation: Section on "Specify allowed host-inbound traffic for a zone or interface"

https://kb.juniper.net/InfoCenter/index?page=content&id=KB16647&actp=METADATA

 

I hope this helps.

 

Regards,

 

Vikas

SRX Services Gateway

Re: SSH Login Failure: pam_unix: pam_sm_authenticate: UNIX authentication refused (from Internal Interfaces only)

‎03-05-2019 07:59 AM

Hello,

 

Apologies, since you are able to get to the login prompt, it means the host-inbound services are setup correctly.

 

You can try logging out some active sessions and trying again.

> show system users

> request system logout user <username>

 

Regards,

 

Vikas

SRX Services Gateway

Re: SSH Login Failure: pam_unix: pam_sm_authenticate: UNIX authentication refused (from Internal Interfaces only)

‎03-05-2019 02:41 PM

No one else logged in at the moment.. Not sure how something from an OS level would effect users logging into device. I can see if your going to shell via root or something. Something specific to the inbound interface accepting the connection and the OS PAM module is effecting this is my guess..? Maybe a bug? 

SRX Services Gateway

Re: SSH Login Failure: pam_unix: pam_sm_authenticate: UNIX authentication refused (from Internal Interfaces only)

‎03-05-2019 02:48 PM

set system services ssh

<<<<< EXTERNAL >>>>>>

set security zones security-zone PUBLIC screen untrust-screen
set security zones security-zone PUBLIC host-inbound-traffic system-services ssh
set security zones security-zone PUBLIC host-inbound-traffic system-services ping
set security zones security-zone PUBLIC interfaces ge-0/0/0.0

<<<<< INTERNAL >>>>>>

set security zones security-zone GREEN host-inbound-traffic system-services all
set security zones security-zone GREEN interfaces irb.1001 host-inbound-traffic system-services all
set security zones security-zone GREEN interfaces ge-0/0/3.0 host-inbound-traffic system-services all
set security zones security-zone GREEN interfaces ge-0/0/3.0 host-inbound-traffic protocols all

 

SRX Services Gateway
Solution
Accepted by topic author cwilson
‎03-05-2019 03:10 PM

Re: SSH Login Failure: pam_unix: pam_sm_authenticate: UNIX authentication refused (from Internal Interfaces only)

‎03-05-2019 03:10 PM

OK OK OK ... I'm an idiot.. In my SSH management for this one particular connection, I had another device IP in the configuration, I've been working with that clients devices that its IP just stuck in my head. There is NO problem, I was connecting to the wrong device for which the admin account had a different password. 

 

So, if there is a wall of shame for bonehead misstakes, please place me at the top !!!!

 

Sorry, I really feel bad.