Dear all,
I am using the ESXi free edition, version 6.0.0 (2494585), and once a week I have a problem with the vSphere Client, which cannot connect to the ESXi host. I narrowed the problem down to the new feature that locks the account using pam_tally after failed logins.
The SSH port is protected by the ESXi host's own firewall, configured via host -> Configuration -> Security Profile. There, I defined two IPs for SSH Server and vSphere Web Client. Hence, I expect that only the configured IPs can connect to the server. In the auth.log I cannot see any IPs other than the allowed ones. The logins are caused by scripts that always use the same credentials, but every Friday the access is somehow blocked:
2015-10-30T09:39:35Z sshd[3067862]: pam_unix(sshd:session): session opened for user root by (uid=0)
2015-10-30T09:39:35Z sshd[3067861]: User 'root' running command 'some command'
2015-10-30T09:39:35Z sshd[3067862]: User 'root' running command 'some other command'
2015-10-30T09:39:35Z sshd[3067861]: Received disconnect from allowed IP: 11: disconnected by user
2015-10-30T09:39:35Z sshd[3067861]: pam_unix(sshd:session): session closed for user root
2015-10-30T09:39:35Z sshd[3067862]: Received disconnect from allowed IP: 11: disconnected by user
2015-10-30T09:39:35Z sshd[3067862]: pam_unix(sshd:session): session closed for user root
2015-10-30T09:44:34Z sshd[3069026]: Connection from allowed IP port 20228
2015-10-30T09:44:34Z sshd[3069027]: Connection from allowed IP port 20229
2015-10-30T09:44:34Z sshd[3069028]: pam_tally2(sshd:auth): user root (0) tally 117, deny 10
2015-10-30T09:44:34Z sshd[3069037]: pam_tally2(sshd:auth): user root (0) tally 118, deny 10
2015-10-30T09:44:36Z sshd[3069026]: error: PAM: Authentication failure for root from allowed IP
2015-10-30T09:44:36Z sshd[3069027]: error: PAM: Authentication failure for root from allowed IP
2015-10-30T09:44:36Z sshd[3069055]: pam_tally2(sshd:auth): user root (0) tally 120, deny 10
2015-10-30T09:44:36Z sshd[3069064]: pam_tally2(sshd:auth): user root (0) tally 121, deny 10
Do you have any idea what can cause this? I would like to add a dedicated user for each script to identify the cause. Can you tell me which privileges are required for a user to execute any shell script?
I keep seeing this and getting lockouts:
2017-10-16T07:51:40Z ^T: pam_unix(openwsman:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
2017-10-16T07:51:43Z ^T: pam_tally2(openwsman:auth): user root (0) tally 7869, deny 5
2017-10-16T07:51:43Z addVob[1256326]: Could not expand environment variable HOME.
2017-10-16T07:51:43Z addVob[1256326]: Could not expand environment variable HOME.
2017-10-16T07:51:43Z addVob[1256326]: DictionaryLoad: Cannot open file "/usr/lib/vmware/config": No such file or directory.
2017-10-16T07:51:43Z addVob[1256326]: DictionaryLoad: Cannot open file "~/.vmware/config": No such file or directory.
2017-10-16T07:51:43Z addVob[1256326]: DictionaryLoad: Cannot open file "~/.vmware/preferences": No such file or directory.
There are many protocol endpoints in vSphere that you can connect to; it is not limited to SSH and the Web Client.
If it happens on Friday, my guess is that it may have something to do with a backup solution connecting via the vSphere APIs using wrong credentials.
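Added example, not code from the thread: a small Python script that groups PAM failures by service and remote host from auth.log lines like those quoted above, so you can see which endpoint (sshd, or openwsman as in the second post) is driving the pam_tally2 counter towards the deny threshold. The sample lines are constructed from the quoted format; the 192.0.2.10 address and the PIDs are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the ESXi /var/log/auth.log format quoted in the thread.
# PIDs and 192.0.2.10 are made up; "allowed IP" keeps the poster's redaction.
SAMPLE_LOG = """\
2015-10-30T09:44:34Z sshd[3069028]: pam_tally2(sshd:auth): user root (0) tally 117, deny 10
2015-10-30T09:44:36Z sshd[3069026]: error: PAM: Authentication failure for root from allowed IP
2015-10-30T09:44:36Z sshd[3069055]: pam_tally2(sshd:auth): user root (0) tally 120, deny 10
2017-10-16T07:51:40Z ^T: pam_unix(openwsman:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
2017-10-16T07:51:43Z ^T: pam_tally2(openwsman:auth): user root (0) tally 7869, deny 5
2017-10-16T07:55:01Z ^T: pam_unix(openwsman:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10 user=root
"""

# pam_tally2 counter line: PAM service, current tally and configured deny threshold
TALLY_RE = re.compile(
    r"pam_tally2\((?P<svc>[^:]+):auth\): user (?P<user>\S+) \(\d+\) "
    r"tally (?P<tally>\d+), deny (?P<deny>\d+)")
# pam_unix failure line (openwsman and other non-SSH endpoints): service and remote host, if logged
PAM_FAIL_RE = re.compile(
    r"pam_unix\((?P<svc>[^:]+):auth\): authentication failure;.*?rhost=(?P<rhost>\S*) user=(?P<user>\S+)")
# sshd's own failure line, which names the peer but not the PAM service
SSH_FAIL_RE = re.compile(r"error: PAM: Authentication failure for (?P<user>\S+) from (?P<rhost>.+)$")


def lockout_sources(log_text):
    """Return {service: {"failures": {rhost: n}, "max_tally": int, "deny": int, "locked": bool}}."""
    failures = defaultdict(lambda: defaultdict(int))
    tallies = {}  # service -> (highest tally seen, deny threshold)
    for line in log_text.splitlines():
        if m := TALLY_RE.search(line):
            svc, tally, deny = m["svc"], int(m["tally"]), int(m["deny"])
            tallies[svc] = (max(tally, tallies.get(svc, (0, 0))[0]), deny)
        elif m := PAM_FAIL_RE.search(line):
            failures[m["svc"]][m["rhost"] or "<no rhost>"] += 1
        elif m := SSH_FAIL_RE.search(line):
            failures["sshd"][m["rhost"].strip()] += 1
    report = {}
    for svc in set(failures) | set(tallies):
        max_tally, deny = tallies.get(svc, (0, 0))
        report[svc] = {"failures": dict(failures[svc]), "max_tally": max_tally,
                       "deny": deny, "locked": deny > 0 and max_tally >= deny}
    return report


if __name__ == "__main__":
    for svc, info in sorted(lockout_sources(SAMPLE_LOG).items()):
        state = "LOCKED" if info["locked"] else "ok"
        print(f"{svc:10} tally {info['max_tally']}/{info['deny']} {state}  failures by host: {info['failures']}")
```

A failure with an empty rhost, as in the openwsman line, points at a local or API-side caller rather than an SSH peer, which is the kind of endpoint the last reply suggests checking.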