tags:

views:

528

answers:

1
+1  Q: 

ssh with compat nis on solaris 10

Hello,

i have a working solaris 10 server with ssh and NIS using the following configuration:

# /etc/nsswitch.conf
passwd:     files nis
group:      files nis

and

# /etc/ssh/sshd_config
 Protocol 2
 Port 22
 ListenAddress ::
 AllowTcpForwarding no
 GatewayPorts no
 X11Forwarding yes
 X11DisplayOffset 10
 X11UseLocalhost yes
 PrintMotd no
 KeepAlive yes
 SyslogFacility auth
 LogLevel info
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_dsa_key
 ServerKeyBits 768
 KeyRegenerationInterval 3600
 StrictModes yes
 LoginGraceTime 600
 MaxAuthTries       6
 MaxAuthTriesLog    3
 PermitEmptyPasswords yes
 PasswordAuthentication yes
 PAMAuthenticationViaKBDInt yes
 PermitRootLogin yes
 Subsystem  sftp    /usr/lib/ssh/sftp-server
 IgnoreRhosts yes
 RhostsAuthentication no
 RhostsRSAAuthentication no
 RSAAuthentication yes

Now, i want to switch to compat mode:

# /etc/nsswitch.conf
passwd:     compat
group:      files nis

I added a few users to:

# /etc/passwd
+luke:x:::::

ran pwvcon and then password authentification for user luke doesn't not work anymore (while public-key is still OK).

Is there something wrong with my setup ?

+1  A: 

From passwd(4):

If a +name entry has a non-null password [..] the value of that field overrides what is contained in the alternate naming service.

Can you see if removing the "x" in the passwd-column and running pwconv again helps?

Edit: the first guess was totally off, see comments, so here's another guess -- I can't break my Sun's config just now, sorry ;)

ShiDoiSi  2009-03-30 15:15:14
That's not what i understand from the manpage `Valid only for passwd and group; implements "+" and "-". See Interaction with +/- syntax.`. How would you then authorize only local accounts + a bunch of NIS accounts ?
Benoît  2009-03-30 18:06:40
Drat, I should have waited until I went back to work, of course you're right and I got it the wrong way round, "files nis" doesn't need the +.
ShiDoiSi  2009-03-31 02:31:05
Yep, that's it. When adding a login to `/etc/passwd`, password has to be set to empty. Then `pwconv` updates it and `/etc/shadow`, adding a `x` password and an empty shadow entry `+luke::::::`.Thank you.
Benoît  2009-04-01 08:51:45

related questions

Is there a better Java implementation of SSH2 than JSch?
Check out from a remote SVN repository TO a remote location?
Download files to local drive when sshed
Are there any good free .Net network libraries? (FTP, SFTP, SSH, etc.)
How do you install an ssh server on qnx?
How do I remove the passphrase for the SSH key without having to create a new key?
ssh-agent with passwords without spawning too many processes
Why does cisco IOS require domain-name to be set before SSH keys can be generated?
Setting the default ssh key location
Managing authorized_keys on a large number of hosts.
Inter-convertability of asymmetric key containers (eg: X.509, PGP, OpenSSH)
Which is the best way to bring a file from a remote host to local host over an SSH session?
Is it possible to forward ssh requests that come in over a certain port to another machine?
Can you have virtual users using an SFTP server?
Why does Vista complain about a dead process when I use Cygwin X11 ssh and how do I get it to shut up?
ssh hangs when command invoked directly, but exits cleanly when run interactive
Getting ssh to execute a command in the background on target machine
How do you use ssh in a shell script?
Avoid traffic shaping by using ssh on port 443
Alternative SSH Application to Plink
What are some good SSH Servers for windows?
Keep Remote Directory Up-to-date
Allow user to set up an SSH tunnel, but nothing else
How do I setup Public-Key Authentication?
Gtk SSH client for Linux?