TrueNAS Scale SSH password not working for users other than admin

Hello!

As said in the title, I’m not able to ssh into TrueNAS with any user other than admin.
I created a new user “test_user” and a group “ssh_with_password”.

I think I enabled all the settings to use ssh with password but it never works:
ssh test_user@truenas.local
keeps asking for password (like if the inserted password is wrong).

Here are some logs (not too clear to me):

admin@truenas:~$ sudo cat /var/log/auth.log | tail -n 1
Nov 20 17:59:52 truenas sshd[429464]: error: PAM: User not known to the underlying authentication module for test_user from 192.168.0.137

I tried to restart ssh service and also rebooted truenas, but nothing. Also tried to give the “ssh_with_password” group as primary group to the user, no luck.

I’m on ElectricEel-24.10.0.2

Attaching screenshots showing all my settings. (Once I understand how!)



Thanks!

Instead of using unreliable DNS names like that, which you likely don’t even have registered in your DNS server, nor is it recommended to use .local (it’s reserved for mDNS), use the actual IP address of your TrueNAS server like so:
ssh test_user@192.168.0.x

This way, we know for sure you are connecting to the correct machine.

I used the ip for my test, I just reported here the same command using hostname.

This indicates that an authentication attempt was made for an unknown user. Maybe double-check that you’ve logged into the webui of the correct server (IP address, not using mDNS name).

If the server is right for both UI access and SSH access, double-check the user exists with getent passwd test_user on TrueNAS.

I use password login in my system. You do not have to use a “Password Login Groups” group. Just setting “Password login enabled” is enough. Not that it solves your problem, just as an FYI.

Can you check the following command (just making sure that your passwd file looks correct):

  • getent passwd test_user

EDIT: an unknown user shouldn’t even give a password prompt. Not sure what’s the issue with PAM.

Have you globally enabled 2FA? This can also impact ability to SSH in with just username/password (2FA becomes mandatory for SSH username/password auth).

Is this accurate? An unknown user should definitely get a password prompt in the same way a known user would.
Anything else would be an information leak.

Semi-accurate. More precisely, only users with ssh password authentication enabled get a password prompt.

Non-existing users and users without ssh password authentication enabled get the same error:

$ ssh invaliduser@truenas
invaliduser@192.168.0.29: Permission denied (publickey).

$ ssh root@truenas
root@192.168.0.29: Permission denied (publickey).
admin@truenas:~$ getent passwd test_user
test_user:x:3501:4000:test user:/var/empty:/usr/bin/bash

I also tried assigning a home folder from a pool but no difference…

Yes, I guess it is global. I need 2FA when I ssh using the “admin” user and when logging in to the web interface.

It always asks for a password in my case, also with a non-existing user… Should I set something?

Then it sounds like everything is behaving as intended. If you want to use test_user for SSH access then you’ll need to do one or more of the following:

  1. configure key-based authentication (preferred way of doing this)
  2. configure 2FA (for test_user)

I filed a Jira ticket, NAS-132659, for the backend to raise a validation error message if you try to enable password auth for a user without 2FA configured if 2FA is enabled for the SSH service. Our documentation already explains these things, but it doesn’t hurt to make things more explicit.
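
The diagnosis above separates two cases behind the same sshd error line: an account that does not exist, and an account that exists but is refused by PAM (here, global 2FA with no 2FA configured for the user). The following is an added example, not code from the thread or from TrueNAS; it parses that log format and checks each name against the passwd database the way getent passwd does. The function names, verdict labels and the second and third sample lines are constructed for illustration.

```python
import pwd
import re

# Format of the sshd PAM error quoted in the thread. sshd may prefix the name
# with "illegal user " when it already considers the account invalid.
PAM_UNKNOWN = re.compile(
    r"sshd\[\d+\]: error: PAM: User not known to the underlying "
    r"authentication module for (?:illegal user )?(?P<user>\S+) from (?P<src>\S+)"
)

SAMPLE_LOG = [
    # Line from the thread:
    "Nov 20 17:59:52 truenas sshd[429464]: error: PAM: User not known to the "
    "underlying authentication module for test_user from 192.168.0.137",
    # Constructed lines:
    "Nov 20 18:01:10 truenas sshd[429501]: error: PAM: User not known to the "
    "underlying authentication module for illegal user ghost from 192.168.0.137",
    "Nov 20 18:02:00 truenas sshd[429520]: Accepted publickey for admin "
    "from 192.168.0.137 port 50000 ssh2",
]


def account_exists(name):
    """Answer the same question as `getent passwd NAME`, via NSS."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def triage(lines, exists=account_exists):
    """Return (user, source, verdict) for each PAM 'user not known' error."""
    findings = []
    for line in lines:
        m = PAM_UNKNOWN.search(line)
        if not m:
            continue  # unrelated sshd line
        user = m["user"]
        # The account resolving while PAM still says "not known" points at a
        # PAM module (such as a mandatory second factor), not a missing user.
        verdict = "exists_but_pam_refused" if exists(user) else "no_such_account"
        findings.append((user, m["src"], verdict))
    return findings


if __name__ == "__main__":
    # Stand-in lookup so the demo does not depend on the local passwd database.
    for row in triage(SAMPLE_LOG, exists=lambda u: u == "test_user"):
        print(row)
```

On the NAS itself, call triage() with the default lookup over lines read from /var/log/auth.log.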

Could you elaborate a bit more on what to do?
configure key-based authentication (preferred way of doing this): does this mean I cannot use a password to connect?
configure 2FA (for test_user): how? I do not see any 2FA config in the user config panel…

s/can/should

Generally you shouldn’t be using passwords with SSH. That advice has been around for decades, and so has documentation for how to do it (key-based authentication) :)