Operating System - HP-UX

Syslog message (PAM error)

 
Starrynight_1
Advisor

Hello everyone

Every 5 minutes I am receiving this message in the syslog.log file:

Nov 27 14:55:26 pthp28 remshd[13710]: PAM Status - 28, PAM Error Message - Account is disabled - see Account Administrator

I can see that this problem is related to an action done by remote shell. I just can't see what is causing it.
As the message has an interval of exactly 5 minutes, I've checked the crontab. I found this script that has a line with the word "remshd". That line is:

echo "file = rbootd,telnet*,ftp*,*rlogin*,remsh*,rcp,nktl*,nvsisr,ttisr"

But, since it is an echo I can not see any relation with the message.

Can anyone help?

Thanks in advance

Re: Syslog message (PAM error)

This could be coming from another node - if you turn on inetd logging you should see which one:

inetd -l

will enable logging into syslog

HTH

Duncan

I am an HPE Employee
Uday_S_Ankolekar
Honored Contributor

Re: Syslog message (PAM error)

Hi,

This is related to authenticating a current user.

Do a man on pam for more details.

Good luck,
-USA..
Good Luck..
Steven Gillard_2
Honored Contributor

Re: Syslog message (PAM error)

A remote system is attempting to run a command via remsh using an account that has been disabled (ie has a '*' in the password field of /etc/passwd).

Turn on inetd logging just before the next connection and you'll see where it's coming from. If you need more information such as what username and command is being used, use nettl to obtain a network trace of the remsh traffic.

Regards,
Steve
Starrynight_1
Advisor

Re: Syslog message (PAM error)

Unfortunately I ran the command inetd -l and nothing happened. The message is still the same!
I also can't see how the pam command can help me to identify the user and the host that is trying to make the connection...
Can you guys be more specific, please?

SN

Re: Syslog message (PAM error)

So you don't see anything like this in your syslog...
Nov 27 17:16:03 dilbert inetd[826]: Connection logging enabled
Nov 27 17:16:08 dilbert inetd[20221]: shell/tcp: Connection from dogbert (10.0.0.1) at Tue Nov 27 17:16:08 2001

Just before your PAM error message?

I am an HPE Employee
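Added example, not part of any reply in the thread: once `inetd -l` connection logging is on, the remshd "PAM Status - 28" errors can be paired with the inetd `shell/tcp` connection lines in syslog to name the remote host. The log excerpt is constructed from the two line formats quoted above; the `remsh_sources` helper, the 5-second window, the supplied year, and the assumption that remshd keeps the PID of the inetd child that logged the connection are all illustrative.

```python
import re
from datetime import datetime, timedelta

PAM = "PAM Status - 28, PAM Error Message - Account is disabled - see Account Administrator"
# Constructed sample: line formats follow the thread, hosts/PIDs/times are illustrative.
SAMPLE = f"""\
Nov 27 17:11:08 dilbert remshd[20102]: {PAM}
Nov 27 17:16:03 dilbert inetd[826]: Connection logging enabled
Nov 27 17:16:08 dilbert inetd[20221]: shell/tcp: Connection from dogbert (10.0.0.1) at Tue Nov 27 17:16:08 2001
Nov 27 17:16:08 dilbert remshd[20221]: {PAM}
Nov 27 17:21:08 dilbert inetd[20340]: shell/tcp: Connection from dogbert (10.0.0.1) at Tue Nov 27 17:21:08 2001
Nov 27 17:21:09 dilbert remshd[20341]: {PAM}
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (\w+)\[(\d+)\]: (.*)$")
CONN = re.compile(r"shell/tcp: Connection from (\S+) \(([\d.]+)\)")

def remsh_sources(lines, window=timedelta(seconds=5), year=2001):
    """For each remshd PAM 28 error return (time, peer_name, peer_ip, matched_by)."""
    conns, hits = [], []   # conns: inetd shell/tcp connections seen so far
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts, prog, pid, msg = m.groups()
        # syslog omits the year; supply one (assumption) so strptime is unambiguous
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        c = CONN.match(msg)
        if prog == "inetd" and c:
            conns.append((when, pid, c.group(1), c.group(2)))
        elif prog == "remshd" and "PAM Status - 28" in msg:
            near = [x for x in conns if timedelta(0) <= when - x[0] <= window]
            same = [x for x in near if x[1] == pid]
            if same:      # assumption: remshd keeps the PID of the inetd child that logged
                hits.append((when, same[-1][2], same[-1][3], "pid"))
            elif near:    # otherwise fall back to the closest preceding connection
                hits.append((when, near[-1][2], near[-1][3], "time"))
            else:         # no connection line, e.g. inetd -l was not active yet
                hits.append((when, None, None, "none"))
    return hits

if __name__ == "__main__":
    for when, name, ip, how in remsh_sources(SAMPLE.splitlines()):
        print(when.strftime("%b %d %H:%M:%S"), name, ip, how)
```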