Migration of a container might fail if the properties of the user vzmig are not correct or the SSH configuration does not allow logins using locked accounts. In this case the log file /var/log/messages on the source node contains the following error:
Dec 22 23:28:12 sourcenode sshd: User vzmig not allowed because account is locked
Dec 22 23:28:12 sourcenode sshd: input_userauth_request: invalid user vzmig
Dec 22 23:28:12 sourcenode sshd: Connection closed by 10.10.10.10
Dec 22 23:28:12 sourcenode sshd: User vzmig not allowed because account is locked
Dec 22 23:28:12 sourcenode sshd: Connection closed by 10.10.10.10
PAM is not enabled for the SSH service: the UsePAM option is commented out or explicitly set to "no":
~# grep UsePAM /etc/ssh/sshd_config
#UsePAM yes
vzmig is a special account with a specific shell binary:
~# getent passwd vzmig
vzmig:x:500:501::/var/lib/vzmig:/usr/sbin/vzmpipe
~# getent shadow vzmig
vzmig:!!:16062:0:99999:7:::
The exclamation mark at the beginning of the second field in the output of the last command means that the account is locked.
This account is created locked to prevent unauthorized connections as this user; authentication is performed by SSH keys only. The default PAM configuration allows authenticating as this user with a valid SSH key.
There are a few ways to resolve the situation:
- enable the PAM authentication module for the SSH server in the configuration file: set UsePAM to "yes" and restart the SSH service;
- unlock the account and set up a strong password.
~# usermod -U vzmig
~# passwd vzmig
If the PAM configuration for the SSH service has been altered in the file /etc/pam.d/sshd, you may need to revert some changes to the defaults to allow this user to log in successfully.
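The two conditions described above (a locked vzmig account and a missing or disabled UsePAM option) can be checked together before changing anything. The script below is an added example, not part of the original article or of the product; the function names are hypothetical, and it assumes a single sshd_config file with no Include directives.

```shell
#!/bin/sh
# Added example (not from the article): checks the two conditions it describes.

# Succeeds when the password field of a shadow(5) entry starts with "!".
shadow_locked() {  # $1 = shadow entry, e.g. output of: getent shadow vzmig
    case $(printf '%s\n' "$1" | cut -d: -f2) in
        '!'*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Prints the first active UsePAM value in an sshd_config file, or "unset"
# when the option is absent or commented out. Include files are not followed.
usepam_value() {  # $1 = path to sshd_config
    awk 'tolower($1) == "usepam" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Returns 1 for the combination that produces the log excerpt in the article:
# a locked account while PAM is not enabled for sshd.
diagnose() {  # $1 = sshd_config path, $2 = shadow entry
    pam=$(usepam_value "$1")
    if shadow_locked "$2"; then
        if [ "$pam" = yes ]; then
            echo "ok: account locked, UsePAM yes"
            return 0
        fi
        echo "problem: account locked, UsePAM $pam"
        return 1
    fi
    echo "ok: account not locked (UsePAM $pam)"
    return 0
}

# Constructed sample input, built from the values quoted in the article.
sample_cfg=$(mktemp)
printf '%s\n' 'Port 22' '#UsePAM yes' > "$sample_cfg"
diagnose "$sample_cfg" 'vzmig:!!:16062:0:99999:7:::' || true
rm -f "$sample_cfg"
# On a real node: diagnose /etc/ssh/sshd_config "$(getent shadow vzmig)"
```
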
A custom configuration of the SSH service might cause another error:
- KB #119161 PVA migration: can not read reply from destination node.