OpenSSH3.0p1/PAM/Sol8

Dost, Alexander Alexander.Dost at drkw.com
Fri Nov 9 04:47:01 EST 2001


Yes, I get the error messages (illegal option shadow/nodelay).
I removed the entry and, as you said, they are just ignored, nothing
changed.
One additional piece of information: If I use NIS+ for password
authentication/changing, all works fine.

Alex

#
# /etc/nsswitch.files:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# does not use any naming service.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

passwd:     files
group:      files
hosts:      dns files
ipnodes:    files
networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files	
bootparams: files
publickey:  files
# At present there isn't a 'files' backend for netgroup;  the system will 
#   figure it out pretty quickly, and won't use netgroups at all.
netgroup:   files
automount:  files
aliases:    files
services:   files
sendmailvars:   files
printers:	user files

auth_attr:  files
prof_attr:  files
project:    files

> -----Original Message-----
> From:	Ed Phillips [SMTP:ed at UDel.Edu]
> Sent:	Thursday, November 08, 2001 18:34
> To:	Dost, Alexander
> Cc:	openssh-unix-dev at mindrot.org
> Subject:	RE: OpenSSH3.0p1/PAM/Sol8
> 
> On Thu, 8 Nov 2001, Dost, Alexander wrote:
> 
> > Date: Thu, 8 Nov 2001 18:01:52 +0100
> > From: "Dost, Alexander" <Alexander.Dost at drkw.com>
> > To: 'Ed Phillips' <ed at UDel.Edu>
> > Cc: openssh-unix-dev at mindrot.org
> > Subject: RE: OpenSSH3.0p1/PAM/Sol8
> >
> > I imported the example from the contrib directory for generic unix.
> > sshd is running as root.
> >
> > Alex
> >
> > pam.conf:
> > #
> > #ident	"@(#)pam.conf	1.16	01/01/24 SMI"
> > #
> > # Copyright (c) 1996-2000 by Sun Microsystems, Inc.
> > # All rights reserved.
> > #
> > # PAM configuration
> > #
> > # Authentication management
> > #
> > login	auth required 	/usr/lib/security/$ISA/pam_unix.so.1
> > login	auth required 	/usr/lib/security/$ISA/pam_dial_auth.so.1
> > sshd	auth required	/usr/lib/security/$ISA/pam_unix.so shadow nodelay
> 
> Not that it matters, but "shadow" and "nodelay" are not arguments that are
> recognized by pam_unix.so.1 according to "man pam_unix".
> 
> > #
> > rlogin  auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
> > rlogin	auth required 	/usr/lib/security/$ISA/pam_unix.so.1
> > #
> > dtlogin	auth required 	/usr/lib/security/$ISA/pam_unix.so.1
> > #
> > rsh	auth required	/usr/lib/security/$ISA/pam_rhosts_auth.so.1
> > other	auth required	/usr/lib/security/$ISA/pam_unix.so.1
> > #
> > # Account management
> > #
> > login	account requisite	/usr/lib/security/$ISA/pam_roles.so.1
> > login	account	required	/usr/lib/security/$ISA/pam_projects.so.1
> > login	account required	/usr/lib/security/$ISA/pam_unix.so.1
> > sshd	account required	/usr/lib/security/$ISA/pam_unix.so.1
> 
> Looks fine.
> 
> > #
> > dtlogin	account requisite	/usr/lib/security/$ISA/pam_roles.so.1
> > dtlogin	account	required	/usr/lib/security/$ISA/pam_projects.so.1
> > dtlogin	account required	/usr/lib/security/$ISA/pam_unix.so.1
> > #
> > other	account requisite	/usr/lib/security/$ISA/pam_roles.so.1
> > other	account	required	/usr/lib/security/$ISA/pam_projects.so.1
> > other	account required	/usr/lib/security/$ISA/pam_unix.so.1
> > #
> > # Session management
> > #
> > sshd	session	required	/usr/lib/security/$ISA/pam_unix.so.1
> 
> Looks fine.
> 
> > other	session required	/usr/lib/security/$ISA/pam_unix.so.1
> > #
> > # Password management
> > #
> > sshd	password required	/usr/lib/security/$ISA/pam_unix.so shadow nullok use_authtok
> 
> Again, these are not supported arguments according to "man pam_unix".
> However, they should just be ignored.  You should get syslog messages to
> auth.err about these options though.  Did you see any?
> 
> > other	password required	/usr/lib/security/$ISA/pam_unix.so.1
> > dtsession auth required	/usr/lib/security/$ISA/pam_unix.so.1
> > #
> > # Support for Kerberos V5 authentication (uncomment to use Kerberos)
> 
> Hmmmm... what does your /etc/nsswitch.conf file look like?
> 
> 	Ed
> 
> Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
> Systems Programmer III, Network and Systems Services
> finger -l ed at polycut.nss.udel.edu for PGP public key
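
An added example, not part of the original messages or of OpenSSH: a small Python check that parses pam.conf-style entries and reports pam_unix lines carrying the options this thread identifies as unrecognized. The option list, function names and sample input are assumptions built from the lines quoted above.

```python
"""Flag pam.conf entries that pass pam_unix options the thread reports as unrecognized."""

# Options the thread says "man pam_unix" on Solaris 8 does not list
# (assumption: list taken from the messages above, not from the man page itself).
UNRECOGNIZED = {"shadow", "nodelay", "nullok", "use_authtok"}
MODULE_TYPES = {"auth", "account", "session", "password"}

# Constructed sample: the sshd lines quoted in the thread plus two unflagged lines.
SAMPLE = """\
# Authentication management
login\tauth required \t/usr/lib/security/$ISA/pam_unix.so.1
sshd\tauth required\t/usr/lib/security/$ISA/pam_unix.so shadow nodelay
sshd\taccount required\t/usr/lib/security/$ISA/pam_unix.so.1
sshd\tpassword required\t/usr/lib/security/$ISA/pam_unix.so shadow nullok use_authtok
"""

def parse_pam_conf(text):
    """Yield (lineno, service, module_type, control, module_path, options)."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1] not in MODULE_TYPES:
            continue  # not a "service type control path [options]" entry
        yield (lineno, fields[0], fields[1], fields[2], fields[3], fields[4:])

def find_unrecognized(text, service=None):
    """Return [(lineno, service, module_type, [options])] for pam_unix entries."""
    findings = []
    for lineno, svc, mtype, _ctl, path, opts in parse_pam_conf(text):
        if service and svc != service:
            continue
        module = path.rsplit("/", 1)[-1]
        if not module.startswith("pam_unix.so"):
            continue  # only pam_unix is covered by the thread's remarks
        bad = [o for o in opts if o in UNRECOGNIZED]
        if bad:
            findings.append((lineno, svc, mtype, bad))
    return findings

if __name__ == "__main__":
    for lineno, svc, mtype, bad in find_unrecognized(SAMPLE, "sshd"):
        print(f"line {lineno}: {svc} {mtype}: unrecognized {' '.join(bad)}")
```

Each reported line corresponds to an entry that, per the thread, should produce an auth.err syslog message about an illegal option.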

