NIS, PAM, OpenSSH. Seems to work perfectly (one minor concern)

paul at paul at
Thu Mar 9 01:17:33 EST 2000

I just spent some time trying to figure out how to get OpenSSH to work
correctly with NIS and PAM. It seems to work fine, apart from one minor
worry I still have (see below).
Feedback about grave security risks is welcome :)

This is using RedHat 6.1 with updates and the OpenSSH 1.2.2p1-1 RPM's on
the NIS server as well as the client.

In short, my configuration is:


passwd:     compat
group:      compat
shadow:     files nis

in /etc/passwd I added:

+@staff::::::


auth       required     /lib/security/
auth       required     /lib/security/
auth       required     /lib/security/
account    required     /lib/security/
password   required	/lib/security/
password   required     /lib/security/
session    required     /lib/security/


auth       required     /lib/security/ shadow nodelay
auth       required     /lib/security/
account    required     /lib/security/
password   required     /lib/security/
password   required     /lib/security/ shadow nullok use_authtok
session    required     /lib/security/
session    required     /lib/security/

I'm not using MD5 (Though I thought I was, must have been caused by a RedHat

I'm using the default /etc/ssh settings

In this setup, I can login as the local users. The NIS users in the netgroup
staff can login fine, and NIS users not in that netgroup get /bin/nologin.
Users have a shared homedir, and the ones that have done:
cat .ssh/ >> .ssh/authorized_keys
can also not login when not in the staff netgroup.
And when NIS isn't running, it nicely fakes authlookup for NIS users (any
non local users actually) and local users can still nicely login. Excellent!

Now, in the above case where a user is not a member of the netgroup, I
tried to execute a command using ssh:

ssh -l test host /bin/date

The client gives me:
debug: Trying RSA authentication with key 'paul@host'
debug: Received RSA challenge from server.
debug: Sending response to host key RSA challenge.
debug: Remote: RSA authentication accepted.
debug: RSA authentication accepted by server.
debug: Sending command: /bin/date
debug: Entering interactive session.
  SSH_CLIENT= 622 22
You have no login on this machine, go away.

and the server:
debug: Starting up PAM with username "paul"
debug: Attempting authentication for paul.
Accepted rsa for paul from port 622
debug: PAM setting rhost to "localhost"
debug: Executing command '/bin/date'
debug: PAM establishing creds
debug: Entering interactive session.
debug: Received SIGCHLD.
debug: End of interactive session; stdin 0, stdout (read 44, sent 44), stderr
179 bytes.
debug: Command exited with status 0.
debug: Received exit confirmation.
Closing connection to

Mar  8 15:09:45 bofh sshd[2356]: Accepted rsa for paul from port 622
Mar  8 15:10:48 bofh sshd[2356]: Closing connection to
Mar  8 15:10:48 bofh PAM_pwdb[2356]: (sshd) session closed for user paul

My question is if it is possible to change /etc/pam.d/ssh so that the session
can still be disallowed. It doesn't seem to execute /bin/date but it's trying
much too hard imho.
One solution would be of course only to put those netgroups/users in that are
allowed to have a login, but for instance that won't work nicely on the mail
server, where all accounts need to exist, and the users are not allowed to

But, I'm quite pleased with OpenSSH within the NIS/Pam/Linux environment as it
is right now. Cheers to those that deserve it :)

PS. On a side note, the previous version I tried OpenSSH-1.2.1pre11
didn't work.
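The concern raised in this post is that public-key authentication is "Accepted" for an account whose shell is /bin/nologin, so the only thing stopping the command is the shell itself. A defender can at least spot such logins after the fact from the syslog lines sshd writes. The script below is an added illustration and is not part of the original post or of OpenSSH: it parses "Accepted <method> for <user>" lines of the form quoted above, resolves each user's shell from passwd(5)-format text (the users other than "paul", and all the PIDs except 2356, are constructed for the example), and reports every accepted login for an account with a no-login shell.

```python
import re

# Constructed sample: sshd syslog lines in the shape quoted in the post.
# The archive stripped the client address, so it is absent here too.
SAMPLE_LOG = """\
Mar  8 15:09:45 bofh sshd[2356]: Accepted rsa for paul from port 622
Mar  8 15:10:48 bofh sshd[2356]: Closing connection to
Mar  8 15:10:48 bofh PAM_pwdb[2356]: (sshd) session closed for user paul
Mar  8 15:12:03 bofh sshd[2390]: Accepted rsa for alice from port 1022
Mar  8 15:13:11 bofh sshd[2401]: Accepted password for bob from port 1023
"""

# Constructed sample: passwd content as it looks after NIS compat resolution
# (getent passwd output): staff members keep a real shell, the rest get
# /bin/nologin. Users other than "paul" are invented for the example.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
paul:x:1001:100:Paul:/home/paul:/bin/nologin
alice:x:1002:100:Alice:/home/alice:/bin/bash
bob:x:1003:100:Bob:/home/bob:/bin/nologin
"""

# Shells that mean "this account must not get a session".
NOLOGIN_SHELLS = {"/bin/nologin", "/sbin/nologin", "/bin/false"}

# "Accepted rsa for paul from port 622" -> pid, method, user.
ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) from"
)


def parse_passwd_shells(passwd_text):
    """Map user -> login shell from passwd(5)-format text.

    Compat directives (+/- lines) are skipped: they carry no shell of their
    own, and in resolved (getent) output they no longer appear anyway.
    """
    shells = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith(("+", "-", "#")):
            continue
        fields = line.split(":")
        if len(fields) != 7:  # malformed line, ignore rather than guess
            continue
        shells[fields[0]] = fields[6]
    return shells


def find_nologin_logins(log_text, shells):
    """Return one finding per 'Accepted ... for <user>' line whose user has
    a no-login shell. Users missing from the shell map are reported as
    unknown rather than silently skipped."""
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if not m:
            continue
        user = m.group("user")
        shell = shells.get(user, "<unknown>")
        if shell in NOLOGIN_SHELLS or shell == "<unknown>":
            findings.append({
                "pid": int(m.group("pid")),
                "user": user,
                "method": m.group("method"),
                "shell": shell,
                "line": line,
            })
    return findings


if __name__ == "__main__":
    for f in find_nologin_logins(SAMPLE_LOG, parse_passwd_shells(SAMPLE_PASSWD)):
        print(f"pid={f['pid']} user={f['user']} method={f['method']} shell={f['shell']}")
```

Run against the constructed input it reports the rsa login for paul (the case in the post) and the password login for bob; alice, who has a real shell, is not reported. On a real host the shell map would come from `getent passwd` so that NIS compat entries are already resolved.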
