Re: Connection closing on AIX 5.1 - UPDATE

From: Doug Summers (dsummers2_at_cox.net)
Date: 01/28/04


Date: Tue, 27 Jan 2004 16:13:15 -0800

Darren Tucker wrote:

> In article <McARb.5185$fD.1578@fed1read02>,
> Doug Summers <dsummers2@cox.net> wrote:
>
>>Using OpenSSH 3.7.1-p2 from Darren Tucker's page...
>>
>>I have a mixed environment of Solaris 8/9, RedHat Linux 7.3/9.0, and AIX
>>4.3.3/5.1. All are using the version listed above of OpenSSH. I am
>>trying to set up public-key authentication for myself so I can log in
>>without a password for scripting. My home directory is NFS-mounted to
>>all systems. All user IDs are supplied by NIS (passwords are locked)
>>and normal (telnet) authentication is done by AFS. On every system
>>(except AIX 5.1) this works.
>>
>>Here is the client-side debug log:
>
> [snip snip]
>
>>Failed to set process credentials
>
>
> That's setpcred() failing.
>
> Is your accounts' "password registry" set to NIS or AFS?
>
> There's something funky going on with setpcred and NIS. (So far the
> reports are for AIX 5.1 ML4 and 5.2 ML2, I would be interested to know
> which ML you have.) I don't know if it's a problem in the NIS module or
> not, but I have opened an OpenSSH bug for this and will probably put a
> workaround for this in:
> http://bugzilla.mindrot.org/show_bug.cgi?id=796
>
> Right now, the only workaround I have is to recompile sshd after
> commenting out "#define HAVE_SETAUTHDB 1" in config.h. This may result
> in successful and failed logins not being recorded to back-end databases
> (e.g. LDAP).
>
No luck using "registry = NIS"; I get the same errors. BTW, this error
happens whether I try to use public keys or passwords.


