PAM authentication on Solaris (with openssh-3.7.1p2) is not quite right

From: Neil W Rickert (rickert+nn_at_cs.niu.edu)
Date: 12/21/03


Date: Sun, 21 Dec 2003 03:55:41 +0000 (UTC)

Background:

 I am using NIS+ on our Solaris 8 systems. Home directories are
 NFS mounted with Secure NFS (requires the NIS+ credentials).

If I use ssh to login to a client machine, all is fine.

If I use ssh to login to one of our servers, there are problems.
Specifically, the credentials have not been properly registered with
keyserv, and as a result NFS mounted home directories are not
accessible. I can use the "keylogin" command to correct the
problem.

On the client machine, the shadow data is not accessible without the
credentials. Presumably because of this, the PAM routines properly
establish credentials so that they can get the shadow data to
validate the password.

On the server machines, the root user can access the shadow data
without credentials first being established. Apparently this
shortcut route is used, causing the problem.

sshd_config contains

UsePAM yes

It makes no difference whether I set "PasswordAuthentication no".
Either way, challenge response authentication is used.

By way of comparison, "rlogin" does work properly on either client or
server. Here "server" means a nis+ server that is in the admin
nisplus group.

The relevant auth entries from pam.conf

rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_auth.so.1

other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_auth.so.1

Since there was nothing relevant in ".rhosts" in my tests with
rlogin, I would have thought both should behave the same.

  ----------

Test procedure:

  First login to the server, and use: keylogout
   (this de-registers credentials)

  Next try to login with ssh.
  Then try to login with rlogin.

  After each login, check whether credentials are registered with
  keyserv. The simplest check is to try accessing a secure-nfs
  mounted file system.
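The post compares the rlogin and "other" auth stacks by eye. The script below is an added example, not part of the original post or of OpenSSH/Solaris, that reads a Solaris-style four-field pam.conf (service, module type, control flag, module path) and prints the effective auth stack for a service, falling back to the "other" entries when the service has no entries of that type, which is how Solaris PAM resolves a lookup. The sample pam.conf is constructed from the lines quoted in the post; the assumption that sshd registers with PAM under the service name "sshd" is mine, not something the post states.

```shell
#!/bin/sh
# Added example: resolve the effective PAM stack for a service from a
# Solaris-style pam.conf. Not code from the original post.

# Constructed sample: the auth entries quoted in the post, plus a comment line.
PAM_CONF_SAMPLE='# service  module_type  control  module_path
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_auth.so.1

other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_auth.so.1
'

# pam_stack SERVICE [MODULE_TYPE]
# Reads pam.conf on stdin and prints "control module_path" lines that apply
# to SERVICE for MODULE_TYPE (default: auth). Service-specific entries win;
# if there are none, the "other" entries are used instead.
pam_stack() {
    svc=$1
    type=${2:-auth}
    awk -v svc="$svc" -v type="$type" '
        /^[ \t]*#/ || NF < 4 { next }      # skip comments and blank lines
        $2 != type           { next }      # only the requested module type
        $1 == svc     { specific = specific $3 " " $4 "\n" }
        $1 == "other" { fallback = fallback $3 " " $4 "\n" }
        END {
            if (specific != "") printf "%s", specific
            else                printf "%s", fallback
        }'
}

# stack_for SERVICE: the auth stack for SERVICE from the constructed sample.
stack_for() {
    printf '%s' "$PAM_CONF_SAMPLE" | pam_stack "$1" auth
}

# uses_rhosts SERVICE: true if pam_rhosts_auth.so.1 is in SERVICE's auth stack.
uses_rhosts() {
    stack_for "$1" | grep -q 'pam_rhosts_auth\.so\.1'
}

# When run directly, show both stacks side by side. "sshd" is an assumed
# service name for OpenSSH; it has no entry in the sample, so it falls
# through to "other".
for s in rlogin sshd; do
    echo "== $s"
    stack_for "$s"
done
```

Run against the sample, rlogin gets four modules and sshd gets the three "other" modules; the only difference is the leading `sufficient pam_rhosts_auth.so.1` on rlogin, which is the comparison the post is making. The same functions can be pointed at a real file with `pam_stack sshd auth < /etc/pam.conf`.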
