"Pre-authentication failed: Cannot read password"

Environment

  • Red Hat Enterprise Linux 8.9
  • Red Hat Enterprise Linux 9.3
  • sssd-2.9.1-4.el8_9.x86_64
  • sssd-2.9.1-4.el9_3.x86_64

Issue

  • After upgrading to RHEL 8.9 / sssd-2.9.1-4.el8_9.x86_64 we are seeing new error messages in the SSSD krb5_child.log file when using password authentication to log in via ssh or sudo.
  • After upgrading to RHEL 9.3 / sssd-2.9.1-4.el9_3.x86_64 we are seeing new error messages in the SSSD krb5_child.log file when using password authentication to log in via ssh or sudo.
  • Authentication works without issues. However, these messages fill /var/log/sssd/krb5_child.log:
      [Pre-authentication failed: Cannot read password]

Resolution

  • Add the following parameter to the [pam] section of /etc/sssd/sssd.conf:
      [pam]
      pam_passkey_auth = False
  • Restart the SSSD service:
      # systemctl restart sssd
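
To confirm the setting landed in the [pam] section (and not in another section or a commented-out line) and to count the remaining messages after the restart, a check along these lines can be used. This is an added example, not part of the original article; the function names are hypothetical, and treating False as case-insensitive is an assumption.

```bash
#!/bin/bash
# Added example: verify the pam_passkey_auth workaround and measure log noise.
# Function names are hypothetical; file paths are passed in by the caller.

# Print the last value of pam_passkey_auth found inside the [pam] section
# of an sssd.conf-style file, or "unset" if the option is not set there.
pam_passkey_value() {
    awk '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        /^[ \t]*\[/ {                           # section header, e.g. [pam]
            sec = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
            in_pam = (sec == "pam")
            next
        }
        in_pam && /^[ \t]*pam_passkey_auth[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)       # drop "key ="
            sub(/[ \t]+$/, "", val)             # drop trailing blanks
            found = val
        }
        END { print (found == "" ? "unset" : found) }
    ' "$1"
}

# Return 0 only when [pam] explicitly sets pam_passkey_auth to False.
# Assumption: the boolean is matched case-insensitively.
workaround_applied() {
    case "$(pam_passkey_value "$1" | tr 'A-Z' 'a-z')" in
        false) return 0 ;;
        *)     return 1 ;;
    esac
}

# Count lines in a krb5_child.log carrying the message from this article.
# grep -c exits non-zero on zero matches, so the status is neutralised.
count_preauth_noise() {
    grep -c 'Pre-authentication failed: Cannot read password' "$1" || true
}

# Usage (as root):
#   workaround_applied /etc/sssd/sssd.conf && echo "workaround in place"
#   count_preauth_noise /var/log/sssd/krb5_child.log
```

Comparing the count before and after the restart shows whether new messages are still being written.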

Root Cause

  • In sssd-2.9.1, passkey authentication is enabled by default (pam_passkey_auth = True), which triggers the pre-authentication step.

  • During pre-authentication and while negotiating which authentication methods are available for the user, the 'Cannot read password' message is expected and is shown at higher log levels for debugging purposes.

  • If only password authentication is configured, no special prompting is configured, and IPA is not used, this pre-authentication step is skipped. This is the case for sssd-2.8.2.

Diagnostic Steps

  • Upgrade to RHEL 8.9 / sssd-2.9.1-4.el8_9.x86_64

  • Use password authentication to log in via SSH.

  • Check /var/log/sssd/krb5_child.log for the log messages.

   *  (2024-01-20 11:37:38): [krb5_child[2912385]] [sss_krb5_responder] (0x4000): [RID#465] Got question [password].
   *  (2024-01-20 11:37:38): [krb5_child[2912385]] [sss_krb5_prompter] (0x4000): [RID#465] sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
   *  (2024-01-20 11:37:38): [krb5_child[2912385]] [sss_krb5_prompter] (0x4000): [RID#465] Prompt [0][Password for testuser\@EXAMPLE.COM@EXAMPLE.COM].
   *  (2024-01-20 11:37:38): [krb5_child[2912385]] [sss_krb5_prompter] (0x0200): [RID#465] Prompter interface isn't used for password prompts by SSSD.
   *  (2024-01-20 11:37:38): [krb5_child[2912385]] [sss_krb5_get_init_creds_password] (0x0020): [RID#461] 2173: [-1765328174][Pre-authentication failed: Cannot read password]
  • Additionally, downgrading to sssd-2.8.2-3.el8_8.x86_64 makes these messages go away.
