#31 Users with registry=NIS cannot login

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2013-11-20
Created: 2008-06-25
Creator: Kevin
Private: No

(FYI: I posted this in the forum also.)

Under openssh 4.5 and 4.7 my users with registry=NIS cannot login.
Under openssh 3.7 and 4.3 they can.

In my /etc/security/user I have:

testuser:
        SYSTEM = "compat"
        registry = NIS

It is also true that if you have rolled your own authentication method,
as defined in /usr/lib/security/methods.cfg, you cannot login.

Users who have registry=files CAN login under all the mentioned versions.

Does anyone have any ideas? I am running AIX 5.2 with latest maintenance
applied (5200-10 Service Pack 5). This isn't a bleeding edge AIX problem
though. I tried this at an unsupported AIX 5.2 level first then upgraded
before asking anybody else.

I have included some trace data in hopes a person more knowledgeable than I
happens by.

Thanks, Kevin

----------------------------------------------------------------------------------------------------
Debug level 3 in the server shows this working login for a registry=files user:
------------------------
Accepted password for operator from 123.456.78.9 port 65316 ssh2
debug3: AIX/setauthdb set registry 'files'
debug1: AIX/loginsuccess: msg Last unsuccessful login: Wed Jun 18 21:03:26 2008 on ssh from xx.yy.zz
Last login: Tue Jun 24 14:26:07 2008 on /dev/pts/4 from aa.bb.cc

debug3: aix_restoreauthdb: restoring old registry ''
debug1: monitor_child_preauth: operator has been authenticated by privileged process
------------------------

Debug level 3 in the server shows this failing login for a registry=NIS user:
------------------------
Accepted password for testuser from 123.456.78.9 port 65401 ssh2
debug3: AIX/setauthdb set registry 'NIS'
debug3: aix_restoreauthdb: restoring old registry ''
debug1: monitor_child_preauth: testuser has been authenticated by privileged process

[Note: I think I'm already dead by here where the traces diverge. I added the
gap and this note for clarity. There are lots of log lines. After 24 more log
lines it is interesting that ssh lets me know "SSH_authsuccess" and then
abandons my connection "SSH_connabndn".]

debug3: mm_get_keystate: Waiting for new keys
debug3: mm_request_receive_expect entering: type 24
debug3: mm_request_receive entering
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: mm_auth_password: user authenticated
debug3: mm_send_keystate: Sending new keys: 2002de48 2002ca48
debug3: mm_newkeys_to_blob: converting 2002de48
debug1: comp->name:none
debug3: mm_newkeys_to_blob: converting 2002ca48
debug1: comp->name:none
debug3: mm_send_keystate: New keys have been sent
debug3: mm_send_keystate: Sending compression state
debug3: mm_request_send entering: type 24
debug3: mm_newkeys_from_blob: 20054768(118)
debug2: mac_setup: found hmac-md5
debug3: mm_get_keystate: Waiting for second key
debug3: mm_newkeys_from_blob: 20054768(118)
debug2: mac_setup: found hmac-md5
debug3: mm_get_keystate: Getting compression state
debug3: mm_get_keystate: Getting Network I/O buffers
debug3: mm_share_sync: Share sync
debug3: mm_share_sync: Share sync end
debug3: mm_send_keystate: Finished sending state

[Ed: gap added for clarity]

debug1: audit event euid 0 user testuser event 2 (SSH_authsuccess)
debug1: Return Val-1 for auditproc:0
debug3: AIX/setauthdb set registry 'NIS'
debug2: User child is on pid 32122
debug3: mm_request_receive entering
debug1: do_cleanup
debug1: audit event euid 0 user testuser event 12 (SSH_connabndn)
debug1: Return Val-1 for auditproc:0

------------------------
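
An added example, not part of the report above and not OpenSSH code: a Python script that splits an sshd debug trace like the two above into logins and flags those where the password was accepted, no AIX/loginsuccess line followed, and the audit events show SSH_authsuccess then SSH_connabndn. The function names and the abridged sample trace are constructed for illustration; it assumes the trace holds one connection at a time, in order, as a debug-mode sshd produces.

```python
import re

# Constructed sample: lines abridged from the two traces in the report.
SAMPLE = """\
Accepted password for operator from 123.456.78.9 port 65316 ssh2
debug3: AIX/setauthdb set registry 'files'
debug1: AIX/loginsuccess: msg Last unsuccessful login: Wed Jun 18 21:03:26 2008 on ssh from xx.yy.zz
debug3: aix_restoreauthdb: restoring old registry ''
debug1: monitor_child_preauth: operator has been authenticated by privileged process
Accepted password for testuser from 123.456.78.9 port 65401 ssh2
debug3: AIX/setauthdb set registry 'NIS'
debug3: aix_restoreauthdb: restoring old registry ''
debug1: monitor_child_preauth: testuser has been authenticated by privileged process
debug1: audit event euid 0 user testuser event 2 (SSH_authsuccess)
debug3: AIX/setauthdb set registry 'NIS'
debug1: audit event euid 0 user testuser event 12 (SSH_connabndn)
"""

ACCEPT = re.compile(r"^Accepted (\S+) for (\S+) from (\S+) port (\d+)")
REGISTRY = re.compile(r"AIX/setauthdb set registry '([^']*)'")
AUDIT = re.compile(r"audit event euid \d+ user (\S+) event \d+ \((\w+)\)")

def parse_sessions(text):
    """Group trace lines into one record per 'Accepted ...' line."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = ACCEPT.match(line)
        if m:
            cur = {"user": m.group(2), "method": m.group(1),
                   "registry": None, "loginsuccess": False, "audit": []}
            sessions.append(cur)
            continue
        if cur is None:
            continue  # lines before the first accepted login
        m = REGISTRY.search(line)
        if m and cur["registry"] is None:
            cur["registry"] = m.group(1)  # first registry set for this login
        elif "AIX/loginsuccess" in line:
            cur["loginsuccess"] = True
        else:
            m = AUDIT.search(line)
            if m and m.group(1) == cur["user"]:
                cur["audit"].append(m.group(2))
    return sessions

def abandoned_after_auth(sessions):
    """Logins matching the failing trace: accepted, no loginsuccess, then abandoned."""
    return [s for s in sessions
            if not s["loginsuccess"]
            and "SSH_authsuccess" in s["audit"]
            and "SSH_connabndn" in s["audit"]]
```
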

Discussion