Hello,

I have a working Solaris 10 server with SSH and NIS using the following configuration:

```
# /etc/nsswitch.conf
passwd:     files nis
group:      files nis
```

and

```
# /etc/ssh/sshd_config
Protocol 2
Port 22
ListenAddress ::
AllowTcpForwarding no
GatewayPorts no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd no
KeepAlive yes
SyslogFacility auth
LogLevel info
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
KeyRegenerationInterval 3600
StrictModes yes
LoginGraceTime 600
MaxAuthTries       6
MaxAuthTriesLog    3
PermitEmptyPasswords yes
PasswordAuthentication yes
PAMAuthenticationViaKBDInt yes
PermitRootLogin yes
Subsystem  sftp    /usr/lib/ssh/sftp-server
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
```

Now, I want to switch to compat mode:

```
# /etc/nsswitch.conf
passwd:     compat
group:      files nis
```

I added a few users to:

```
# /etc/passwd
+luke:x:::::
```

ran pwconv, and then password authentication for user luke doesn't work anymore (while public-key is still OK).

Is there something wrong with my setup?

+1  A: 

From passwd(4):

If a +name entry has a non-null password [..] the value of that field overrides what is contained in the alternate naming service.

Can you see if removing the "x" in the passwd-column and running pwconv again helps?

Edit: the first guess was totally off, see comments, so here's another guess -- I can't break my Sun's config just now, sorry ;)

ShiDoiSi
That's not what I understand from the manpage `Valid only for passwd and group; implements "+" and "-". See Interaction with +/- syntax.`. How would you then authorize only local accounts + a bunch of NIS accounts?
Benoît
Drat, I should have waited until I went back to work, of course you're right and I got it the wrong way round, "files nis" doesn't need the +.
ShiDoiSi
Yep, that's it. When adding a login to `/etc/passwd`, password has to be set to empty. Then `pwconv` updates it and `/etc/shadow`, adding an `x` password and an empty shadow entry `+luke::::::`. Thank you.
Benoît
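
As an added example (not part of the original thread), a shell check for the state the thread ends on: each `+name` line in `/etc/passwd` carries `x` and has a matching `/etc/shadow` line whose password field is empty. The function names, status words and sample entries are constructed for illustration, and the check assumes that `x` means the password field is taken from `/etc/shadow`.

```shell
#!/bin/sh
# Added example: audit compat-mode "+name" entries (not the posters' code).
# On Solaris 10 run with AWK=nawk; the legacy /usr/bin/awk lacks ARGV.
# Usage: check_compat PASSWD_FILE SHADOW_FILE
# Prints "<name> <status>" for every +name entry in PASSWD_FILE.
check_compat() {
    "${AWK:-awk}" -F: '
        # Shadow file is read first: record the password field of +name lines.
        FILENAME == ARGV[1] {
            if ($1 ~ /^[+][^@]/) { seen[$1] = 1; pw[$1] = $2 }
            next
        }
        # Passwd file: +name entries only (skips bare "+" and "+@netgroup").
        $1 ~ /^[+][^@]/ {
            name = substr($1, 2)
            if ($2 == "")              status = "pending-pwconv"
            else if ($2 != "x")        status = "local-override"
            else if (!($1 in seen))    status = "no-shadow-entry"
            else if (pw[$1] != "")     status = "shadow-overrides-nis"
            else                       status = "ok"
            print name, status
        }
    ' "$2" "$1"
}

# Constructed sample files; nothing here reads the real /etc/passwd.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
+luke:x:::::
+leia:x:::::
+han::::::
+chewie:x:::::
EOF
    cat > "$d/shadow" <<'EOF'
root:constructed-hash:6445::::::
+luke::::::
+leia:*LK*::::::
EOF
    check_compat "$d/passwd" "$d/shadow"
    rm -rf "$d"
}

demo
```

Only `luke` is reported `ok`; `leia` has a non-empty shadow password field, which per the passwd(4) text quoted above overrides the NIS value.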