11 Replies Latest reply: Apr 13, 2011 4:53 AM by 854724

    NIS client configuration, error login in ssh

    854724
      Hi there, I am trying to work with NIS client authentication in Solaris 10.

      It seems all connected fine, but I can't connect by ssh (PuTTY) to the server using credentials from NIS.

      I put ssh in debug mode


      debug1: userauth-request for user ukqa service ssh-connection method none
      debug1: attempt 0 initial attempt 0 failures 0 initial failures 0
      debug2: input_userauth_request: setting up authctxt for ukqa
      debug2: input_userauth_request: try method none
      debug1: userauth_banner: sent
      Failed none for ukqa from 10.15.5.41 port 51989 ssh2
      debug1: userauth-request for user ukqa service ssh-connection method keyboard-interactive
      debug1: attempt 1 initial attempt 0 failures 1 initial failures 0
      debug2: input_userauth_request: try method keyboard-interactive
      debug1: keyboard-interactive devs
      debug2: Starting PAM service sshd-kbdint for method keyboard-interactive
      debug2: Calling pam_authenticate()
      debug2: PAM echo off prompt: Password:
      debug2: Nesting dispatch_run loop
      debug1: got 1 responses
      debug2: Nested dispatch_run loop exited
      debug1: PAM conv function returns PAM_SUCCESS
      Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
      Failed keyboard-interactive for ukqa from 10.15.5.41 port 51989 ssh2
      debug1: userauth-request for user ukqa service ssh-connection method keyboard-interactive
      debug1: attempt 2 initial attempt 1 failures 2 initial failures 1
      debug2: input_userauth_request: try method keyboard-interactive
      debug1: keyboard-interactive devs
      debug2: Starting PAM service sshd-kbdint for method keyboard-interactive
      debug2: Calling pam_authenticate()
      debug2: PAM echo off prompt: Password:
      debug2: Nesting dispatch_run loop
      Received disconnect from 10.15.5.41: 13: Unable to authenticate

      But it's connected with NIS:

      -bash-3.00# ypwhich
      ui-uk-nis1

      -bash-3.00# ypcat passwd | grep ukqa
      ukqa:x:1406:1000:UK QA User Group,,,:/home/ukqa:/bin/bash

      -bash-3.00# svcs | grep nis
      online 16:45:14 svc:/network/nis/client:default

      Any ideas?
        • 1. Re: NIS client configuration, error login in ssh
          Nik
          Hi!
          Please show

          getent passwd ukqa
          more /etc/nsswitch.conf

          You say "all connected fine". What works?

          Regards.
          • 2. Re: NIS client configuration, error login in ssh
            854724
            -bash-3.00# getent passwd ukqa
            ukqa:x:1406:1000:UK QA User Group,,,:/home/ukqa:/bin/bash

            I get results

            -bash-3.00# more /etc/nsswitch.conf
            #
            # /etc/nsswitch.nis:
            #
            # An example file that could be copied over to /etc/nsswitch.conf; it
            # uses NIS (YP) in conjunction with files.
            #
            # "hosts:" and "services:" in this file are used only if the
            # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

            # NIS service requires that svc:/network/nis/client:default be enabled
            # and online.

            # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
            passwd: files nis
            group: files nis

            # consult /etc "files" only if nis is down.
            hosts: files dns

            # Note that IPv4 addresses are searched for in all of the ipnodes databases
            # before searching the hosts databases.
            ipnodes: nis [NOTFOUND=return] files

            networks: nis [NOTFOUND=return] files
            protocols: nis [NOTFOUND=return] files
            rpc: nis [NOTFOUND=return] files
            ethers: nis [NOTFOUND=return] files
            netmasks: nis [NOTFOUND=return] files
            bootparams: nis [NOTFOUND=return] files
            publickey: nis [NOTFOUND=return] files

            netgroup: nis

            automount: files nis
            aliases: files nis

            # for efficient getservbyname() avoid nis
            services: files nis
            printers: user files nis

            auth_attr: files nis
            prof_attr: files nis
            project: files nis
            • 3. Re: NIS client configuration, error login in ssh
              854724
              I can work with all yp commands, but I can't log in by ssh with any NIS user.
              • 4. Re: NIS client configuration, error login in ssh
                854724
                If I try to change the password from Solaris:

                -bash-3.00# yppasswd ukqa
                Enter ukqa's password:
                New Password:
                Re-enter new Password:
                passwd: password successfully changed for ukqa

                It works with NIS, but ssh login with this user is still not working.
                • 5. Re: NIS client configuration, error login in ssh
                  Nik
                  Hi.
                  What version of Solaris?
                  What system is used as the NIS server? (Solaris, Linux?)
                  Do you use the sshd bundled with Solaris, or did you install it yourself?

                  What is the result of login ukqa?

                  Regards.
                  • 6. Re: NIS client configuration, error login in ssh
                    854724
                    Hi.
                    What version of Solaris?
                    Solaris 10

                    What system is used as the NIS server? (Solaris, Linux?)
                    Linux RedHat 5.6, NIS slave
                    It works fine with other Linux

                    Do you use the sshd bundled with Solaris, or did you install it yourself?
                    Solaris installed the ssh package itself. I didn't install any other software from outside Solaris 10.

                    What is the result of login ukqa?
                    Error in password and in sshd -dd (debug mode)

                    • 7. Re: NIS client configuration, error login in ssh
                      Nik
                      Hi.
                      By default Solaris uses DES to encrypt passwords; Linux uses MD5.

                      So the password cannot be verified.

                      Check: su - ukqa should work.


                      To change password encryption:
                      Read and modify /etc/security/policy.conf

                      Regards.
                      • 8. Re: NIS client configuration, error login in ssh
                        854724
                        Hi, if I do

                        su - ukqa and enter the password

                        -bash-3.00$ su - ukqa
                        Password:
                        su: Sorry

                        If I do it as root, it works

                        -bash-3.00# su - ukqa
                        Oracle Corporation SunOS 5.10 Generic Patch January 2005
                        -bash-3.00$ pwd
                        /export/home/ukqa



                        /etc/policy.conf seems to permit md5


                        #
                        # Copyright 2008 Sun Microsystems, Inc. All rights reserved.
                        # Use is subject to license terms.
                        #
                        # /etc/security/policy.conf
                        #
                        # security policy configuration for user attributes. see policy.conf(4)
                        #
                        #ident "@(#)policy.conf 1.12 08/05/14 SMI"
                        #
                        AUTHS_GRANTED=solaris.device.cdrw
                        PROFS_GRANTED=Basic Solaris User

                        # crypt(3c) Algorithms Configuration
                        #
                        # CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to
                        # be used for new passwords. This is enforced only in crypt_gensalt(3c).
                        #
                        CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6

                        # To deprecate use of the traditional unix algorithm, uncomment below
                        # and change CRYPT_DEFAULT= to another algorithm. For example,
                        # CRYPT_DEFAULT=1 for BSD/Linux MD5.
                        #
                        #CRYPT_ALGORITHMS_DEPRECATE=__unix__

                        # The Solaris default is the traditional UNIX algorithm. This is not
                        # listed in crypt.conf(4) since it is internal to libc. The reserved
                        # name __unix__ is used to refer to it.
                        #
                        CRYPT_DEFAULT=__unix__
                        #
                        # These settings determine the default privileges users have. If not set,
                        # the default privileges are taken from the inherited set.
                        # There are two different settings; PRIV_DEFAULT determines the default
                        # set on login; PRIV_LIMIT defines the Limit set on login.
                        # Individual users can have privileges assigned or taken away through
                        # user_attr. Privileges can also be assigned to profiles in which case
                        # the users with those profiles can use those privileges through pfexec(1m).
                        # For maximum future compatibility, the specifications should
                        # always include "basic" or "all"; privileges should then be removed using
                        # the negation. E.g., PRIV_LIMIT=all,!sys_linkdir takes away only the
                        # sys_linkdir privilege, regardless of future additional privileges.
                        # Similarly, PRIV_DEFAULT=basic,!file_link_any takes away only the
                        # file_link_any privilege from the basic privilege set; only that notation
                        # is immune from a future addition of currently unprivileged operations to
                        # the basic privilege set.
                        # NOTE: removing privileges from the the Limit set requires EXTREME care
                        # as any set-uid root program may suddenly fail because it lacks certain
                        # privilege(s).
                        #
                        #PRIV_DEFAULT=basic
                        #PRIV_LIMIT=all
                        #
                        # LOCK_AFTER_RETRIES specifies the default account locking policy for local
                        # user accounts (passwd(4)/shadow(4)). The default may be overridden by
                        # a user's user_attr(4) "lock_after_retries" value.
                        # YES enables local account locking, NO disables local account locking.
                        # The default value is NO.
                        #
                        #LOCK_AFTER_RETRIES=NO
                        • 9. Re: NIS client configuration, error login in ssh
                          854724
                          I made these changes

                          # To deprecate use of the traditional unix algorithm, uncomment below
                          # and change CRYPT_DEFAULT= to another algorithm. For example,
                          # CRYPT_DEFAULT=1 for BSD/Linux MD5.
                          #
                          CRYPT_ALGORITHMS_DEPRECATE=__unix__

                          # The Solaris default is the traditional UNIX algorithm. This is not
                          # listed in crypt.conf(4) since it is internal to libc. The reserved
                          # name __unix__ is used to refer to it.
                          #
                          CRYPT_DEFAULT=1

                          I restarted ssh

                          svcadm restart ssh

                          and I am still getting the error

                          "Access Denied in Ssh"
                          • 10. Re: NIS client configuration, error login in ssh
                            854724
                            I checked the configuration of the NIS master server

                            # Should we merge the passwd file with the shadow file ?
                            # MERGE_PASSWD=true|false
                            MERGE_PASSWD=false

                            # Should we merge the group file with the gshadow file ?
                            # MERGE_GROUP=true|false
                            MERGE_GROUP=false


                            I don't think that this is the problem; I am only giving more information to try to solve the problem.
                            • 11. Re: NIS client configuration, error login in ssh
                              854724
                              Changed on the master NIS server:

                              # Should we merge the passwd file with the shadow file ?
                              # MERGE_PASSWD=true|false
                              MERGE_PASSWD=true

                              # Should we merge the group file with the gshadow file ?
                              # MERGE_GROUP=true|false
                              MERGE_GROUP=true

                              Compiled again:

                              make -C /var/yp

                              and now it works...

                              Thanks for all resources and time used.
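
Added example, not part of the thread: the `ypcat passwd` output in the first post shows `x` in the password field, and the login started working once `MERGE_PASSWD=true` was set on the master. This sketch labels the password field of each passwd-map entry using the algorithm identifiers listed in the pasted policy.conf (`1`, `2a`, `md5`, `5`, `6`, `__unix__`); the function names and the two demo entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: report what the password field of each
# NIS passwd-map entry contains, so a missing hash is visible at a glance.

# classify_pwfield FIELD: print a label for field 2 of a passwd-format line.
classify_pwfield() {
    case "$1" in
        '')                          echo "empty" ;;
        x|'*'|'!'|'!!'|NP|'*LK*')    echo "placeholder" ;;   # no hash in this map
        '$1$'*)                      echo "md5crypt" ;;      # id 1
        '$2a$'*)                     echo "blowfish" ;;      # id 2a
        '$md5'*)                     echo "sunmd5" ;;        # id md5
        '$5$'*)                      echo "sha256crypt" ;;   # id 5
        '$6$'*)                      echo "sha512crypt" ;;   # id 6
        *[!./0-9A-Za-z]*)            echo "unknown" ;;
        *)  if [ "${#1}" -eq 13 ]; then echo "unix-des"      # __unix__
            else echo "unknown"; fi ;;
    esac
}

# audit_map: read passwd-format lines on stdin, print "user<TAB>label".
audit_map() {
    while IFS=: read -r user pw _rest; do
        [ -n "$user" ] || continue
        printf '%s\t%s\n' "$user" "$(classify_pwfield "$pw")"
    done
}

# Constructed sample input: the first line is the entry shown in the thread,
# the other two use made-up hash strings.
sample_map() {
    cat <<'EOF'
ukqa:x:1406:1000:UK QA User Group,,,:/home/ukqa:/bin/bash
demo1:$1$abcdefgh$0123456789abcdefghijkl:2001:1000::/home/demo1:/bin/bash
demo2:abJnggxhB/yWI:2002:1000::/home/demo2:/bin/sh
EOF
}

sample_map | audit_map
# On a real client: ypcat passwd | audit_map
```

An entry labelled `placeholder` means the client has no hash to compare the typed password against. Once the maps are merged, the hashes are readable by anything that can run `ypcat passwd` against the domain, so the same output doubles as an inventory of accounts still on the weaker schemes.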