nis user authentication issue

[prayatn]

Hi,
I have trouble in authenticating NIS login. Here is the description of the problem.
$ ypcat password
shows the list of NIS accounts.
$ su - <nis_user>
This works fine and user becomes <nis_user>

But when I try to login using ssh <nis-user>@localhost.
It connects to the localhost and then display :
Connection to localhost closed

When I try to login using nis user on console, it shows the same behaviour i.e. it doesn't allow nis user to login.

I think during authentication time it fails. Some setting need to be done in /etc/pam.d/sshd and /etc/pam.d/login file.

I was browsing the issues. What kind of authentication needs to be setup for NIS?

I have another machine in same network which has FC2 and it works fine there.

Regards,
Basant.

[huw-l]

if you want to find out why ssh is failnig here is a handy way to debug it.

as root at the console of the machine you are having trouble with:

/etc/init.d/sshd stop
/usr/sbin/sshd -d

this runs sshd in debug mode so that it prints out lots of messages.

Try to ssh in from the remote machine and see what errors you get.

[prayatn]

Here is the sshd log. For personal reasons, I have changed the IP address and hostname and nis_user_name

debug1: sshd version OpenSSH_4.3p2

debug1: read PEM private key done: type RSA

debug1: private host key: #0 type 1 RSA

debug1: read PEM private key done: type DSA

debug1: private host key: #1 type 2 DSA

debug1: rexec_argv[0]='/usr/sbin/sshd'

debug1: rexec_argv[1]='-d'

debug1: Bind to port 22 on ::.

Server listening on :: port 22.

debug1: Bind to port 22 on 0.0.0.0.

Bind to port 22 on 0.0.0.0 failed: Address already in use.

debug1: Server will not fork when running in debugging mode.

debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7

debug1: inetd sockets after dupping: 3, 3

Connection from 10.1.1.10 port 60739

debug1: Client protocol version 2.0; client software version OpenSSH_4.3

debug1: match: OpenSSH_4.3 pat OpenSSH*

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_4.3

debug1: permanently_set_uid: 74/74

debug1: list_hostkey_types: ssh-rsa,ssh-dss

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: client->server aes128-cbc hmac-md5 none

debug1: kex: server->client aes128-cbc hmac-md5 none

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received

debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT

debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug1: SSH2_MSG_NEWKEYS received

debug1: KEX done

debug1: userauth-request for user nis_user_name service ssh-connection method none

debug1: attempt 0 failures 0

Failed none for nis_user_name from 10.1.1.10 port 60739 ssh2

debug1: userauth-request for user nis_user_name service ssh-connection method gssapi-with-mic

debug1: attempt 1 failures 1

debug1: PAM: initializing for "nis_user_name"

debug1: PAM: setting PAM_RHOST to "hostname.domainname"

debug1: PAM: setting PAM_TTY to "ssh"

debug1: Miscellaneous failure
No such file or directory


Failed gssapi-with-mic for nis_user_name from 10.1.1.10 port 60739 ssh2

debug1: userauth-request for user nis_user_name service ssh-connection method gssapi-with-mic

debug1: attempt 2 failures 2

Failed gssapi-with-mic for nis_user_name from 10.1.1.10 port 60739 ssh2

debug1: userauth-request for user nis_user_name service ssh-connection method publickey

debug1: attempt 3 failures 3

debug1: test whether pkalg/pkblob are acceptable

debug1: temporarily_use_uid: 140067/10 (e=0/0)

debug1: trying public key file /home/nis_user_name/.ssh/authorized_keys

debug1: matching key found: file /home/nis_user_name/.ssh/authorized_keys, line 1

Found matching DSA key: 7b:08:74:d9:82:52:dc:bc:d1:e3:83:88:ca:e9:74:90

debug1: restore_uid: 0/0

Postponed publickey for nis_user_name from 10.1.1.10 port 60739 ssh2

debug1: userauth-request for user nis_user_name service ssh-connection method publickey

debug1: attempt 4 failures 3

debug1: temporarily_use_uid: 140067/10 (e=0/0)

debug1: trying public key file /home/nis_user_name/.ssh/authorized_keys

debug1: matching key found: file /home/nis_user_name/.ssh/authorized_keys, line 1

Found matching DSA key: 7b:08:74:d9:82:52:dc:bc:d1:e3:83:88:ca:e9:74:90

debug1: restore_uid: 0/0

debug1: ssh_dss_verify: signature correct

debug1: do_pam_account: called

Accepted publickey for nis_user_name from 10.1.1.10 port 60739 ssh2

debug1: monitor_child_preauth: nis_user_name has been authenticated by privileged process

Accepted publickey for nis_user_name from 10.1.1.10 port 60739 ssh2

debug1: temporarily_use_uid: 140067/10 (e=0/10)

debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism

debug1: restore_uid: 0/10

PAM: pam_open_session(): Cannot make/remove an entry for the specified session

debug1: PAM: reinitializing credentials

debug1: permanently_set_uid: 140067/10

debug1: Entering interactive session for SSH2.

debug1: server_init_dispatch_20

debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384

debug1: input_session_request

debug1: channel 0: new [server-session]

debug1: session_new: init

debug1: session_new: session 0

debug1: session_open: channel 0

debug1: session_open: session 0: link with channel 0

debug1: server_input_channel_open: confirm session

debug1: server_input_channel_req: channel 0 request x11-req reply 0

debug1: session_by_channel: session 0 channel 0

debug1: session_input_channel_req: session 0 req x11-req

debug1: server_input_channel_req: channel 0 request pty-req reply 0

debug1: session_by_channel: session 0 channel 0

debug1: session_input_channel_req: session 0 req pty-req

debug1: Allocating pty.

debug1: session_new: init

debug1: session_new: session 0

debug1: session_pty_req: session 0 alloc /dev/pts/8

debug1: server_input_channel_req: channel 0 request env reply 0

debug1: session_by_channel: session 0 channel 0

debug1: session_input_channel_req: session 0 req env

debug1: server_input_channel_req: channel 0 request shell reply 0

debug1: session_by_channel: session 0 channel 0

debug1: session_input_channel_req: session 0 req shell

debug1: PAM: setting PAM_TTY to "/dev/pts/8"

debug1: Setting controlling tty using TIOCSCTTY.

debug1: Received SIGCHLD.

debug1: session_by_pid: pid 2697

debug1: session_exit_message: session 0 channel 0 pid 2697

debug1: session_exit_message: release channel 0

debug1: session_by_tty: session 0 tty /dev/pts/8

debug1: session_pty_cleanup: session 0 release /dev/pts/8

debug1: session_by_channel: session 0 channel 0

debug1: session_close_by_channel: channel 0 child 0

debug1: session_close: session 0 pid 0

debug1: channel 0: free: server-session, nchannels 1

Connection closed by 10.1.1.10

debug1: do_cleanup

debug1: PAM: cleanup

Closing connection to 10.1.1.10

debug1: PAM: cleanup

[prayatn]

I solved the issue. In nsswitch.conf, passwd was looking into nisplus before nis. So after I removed the nisplus it worked. I think in FC2 or before nisplus was not available on client side so it was working fine in FC2.

Thanks,
Prayatn