NIS - netgroup
Vadim Pushkin
wiskbroom at hotmail.com
Thu Apr 27 00:49:36 EST 2006
Greetings;
Yes to both, here are what my config and related system files look like, but
I think that I have tried just about every variation possible, not sure
about the pam.conf though.
Using the scenario below, I am able to successfully login as root from *any*
host to serverA. This is true because the remote host is using a valid key
that is contained within serverA's authorized_keys file. So what I am looking
to do is to precede netgroups prior to auth by authorized_keys, does this
make any sense?
Thank you Tim and all!
Vadim
LDD Output On My SSHD:
-----------------------------------
root@serverA#: /tmp=> ldd /usr/local/sbin/sshd
libpam.so.1 => /usr/lib/libpam.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libresolv.so.2 => /usr/lib/libresolv.so.2
librt.so.1 => /usr/lib/librt.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libc.so.1 => /usr/lib/libc.so.1
libcmd.so.1 => /usr/lib/libcmd.so.1
libaio.so.1 => /usr/lib/libaio.so.1
libmp.so.2 => /usr/lib/libmp.so.2
/usr/platform/SUNW,Sun-Blade-1000/lib/libc_psr.so.1
SSHD_CONFIG On serverA:
------------------------------------
HostKey /etc/ossh/ssh_host_key
HostKey /etc/ossh/ssh_host_rsa_key
HostKey /etc/ossh/ssh_host_dsa_key
PermitRootLogin yes
AllowGroups trustedusers ntadmins
AuthorizedKeysFile %h/.ssh/authorized_keys
IgnoreRhosts no
UsePAM yes
PrintMotd no
PidFile /var/run/sshd.pid
Banner /etc/ossh/banner
Subsystem sftp /usr/libexec/sftp-server
My root's .rhosts and .shosts files (they are the same on serverA):
------------------------------------------------------------------------------------------
-@nontrustedhosts
+@trustedhosts
Hosts Within The trustedhosts netgroup (verified by doing a ypcat):
------------------------------------------------------------------------------------------
trustedhosts (host1,-,) (host2,-,) (host3,-,)
Hosts Within The nontrustedhosts netgroup:
---------------------------------------------------------
nontrustedhosts (hostx,-,) (hosty,-,) (hostz,-,)
My /etc/pam.conf file, the one thing that I am uncertain of:
----------------------------------------------------------------------------------
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_auth.so.1
dtlogin auth requisite pam_authtok_get.so.1
dtlogin auth required pam_dhkeys.so.1
dtlogin auth required pam_unix_auth.so.1
sshd auth requisite pam_authtok_get.so.1
sshd auth required pam_dhkeys.so.1
sshd auth sufficient pam_unix_auth.so.1
sshd account required pam_unix_account.so.1
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_auth.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_auth.so.1
login account requisite pam_roles.so.1
login account required pam_projects.so.1
login account required pam_unix_account.so.1
dtlogin account requisite pam_roles.so.1
dtlogin account required pam_projects.so.1
dtlogin account required pam_unix_account.so.1
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account required pam_unix_account.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
dtsession auth requisite pam_authtok_get.so.1
dtsession auth required pam_dhkeys.so.1
dtsession auth required pam_unix_auth.so.1
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
ppp account requisite pam_roles.so.1
ppp account required pam_projects.so.1
ppp account required pam_unix_account.so.1
ppp session required pam_unix_session.so.1
passwd auth required pam_passwd_auth.so.1
cron account required pam_unix_account.so.1
Pertinent portion of /etc/nsswitch.conf:
-----------------------------------------------------
netgroup: nis # I've also tried "files" and "files nis" (files by copying to a local file on serverA)
>From: Tim Rice <tim at multitalents.net>
>To: Vadim Pushkin <wiskbroom at hotmail.com>
>CC: openssh-unix-dev at mindrot.org
>Subject: Re: NIS - netgroup
>Date: Tue, 25 Apr 2006 14:37:38 -0700 (PDT)
>On Tue, 25 Apr 2006, Vadim Pushkin wrote:
>
> > Hello;
> >
> > Sorry for the crosspost/repost, but I am getting desperate here.
> >
> > I am having difficulties setting up ssh (ossh4.3p2 - NIS - Solaris8/Sparc) to
> > authenticate and allow ossh access based on NIS netgroup. So, users and/or
> > host should be from a valid netgroup triple, contained within the ossh
> > server's .rhosts, .shosts, hosts.equiv and/or shosts.equiv.
> >
> > I am having a lot of trouble getting NIS netgroup to work with my current
> > sshd_config, and I've tried just about everything...
> >
> > My environment is pure NIS, no LDAP, at least not for the next year.
>
>I don't use NIS here, just LDAP.
>
>Did you compile openssh with PAM support?
>Do you have "UsePAM yes" in your sshd_config?
>
> >
> > Again, many thanks in advance,
> >
> > .vp
>
>--
>Tim Rice Multitalents (707) 887-1469
>tim at multitalents.net
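The two host checks the thread is juggling, as an added example that is not code from the post or from OpenSSH: a small model of innetgr(3) over the netgroups quoted above (the map text is typed in by hand here, not read via ypcat, and the nested "allhosts" group is an assumption added to exercise nesting), an ordered first-match evaluation of rhosts-style entries of the kind root's .rhosts/.shosts contains (a leading "-" denies, "@name" refers to a netgroup), and an expansion of a netgroup into the comma-separated host list that the authorized_keys from= option accepts. The point it makes concrete: authorized_keys from= takes host patterns, not netgroup names, so a key can only be tied to a netgroup by expanding it, while "+@"/"-@" entries are consulted by sshd's host-based authentication (the path that reads .shosts/.rhosts), not by the public-key path.

```python
"""Hypothetical model of netgroup membership and rhosts-style entry evaluation.
Sample data is constructed from the netgroups quoted in the post."""
from typing import Dict, List, Optional, Set, Tuple, Union

# Constructed netgroup map in `ypcat -k netgroup` form. In a triple
# (host,user,domain) an empty field is a wildcard and "-" never matches.
# "allhosts" is an assumed nested group, not one from the post.
NETGROUP_MAP = """\
trustedhosts (host1,-,) (host2,-,) (host3,-,)
nontrustedhosts (hostx,-,) (hosty,-,) (hostz,-,)
allhosts trustedhosts nontrustedhosts
"""

# root's .rhosts/.shosts as quoted in the post: deny-list first, then allow.
RHOSTS = """\
-@nontrustedhosts
+@trustedhosts
"""

Member = Union[Tuple[str, str, str], str]


def parse_netgroup_map(text: str) -> Dict[str, List[Member]]:
    """'name member ...' per line; parenthesised members are triples,
    bare words are nested netgroup names."""
    groups: Dict[str, List[Member]] = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        members: List[Member] = []
        for m in parts[1:]:
            if m.startswith("(") and m.endswith(")"):
                fields = m[1:-1].split(",") + ["", "", ""]
                members.append((fields[0], fields[1], fields[2]))
            else:
                members.append(m)
        groups[parts[0]] = members
    return groups


def _field_matches(field: str, value: Optional[str]) -> bool:
    if value is None or field == "":  # caller ignores field / wildcard
        return True
    if field == "-":                  # explicit "no value": never matches
        return False
    return field.lower() == value.lower()


def innetgr(groups: Dict[str, List[Member]], netgroup: str,
            host: Optional[str] = None, user: Optional[str] = None,
            domain: Optional[str] = None, _seen: Optional[Set[str]] = None) -> bool:
    """innetgr(3) semantics: any triple in the group or a nested group matches."""
    if _seen is None:
        _seen = set()
    if netgroup in _seen or netgroup not in groups:
        return False  # unknown group or reference cycle: no match
    _seen.add(netgroup)
    for member in groups[netgroup]:
        if isinstance(member, tuple):
            h, u, d = member
            if _field_matches(h, host) and _field_matches(u, user) and _field_matches(d, domain):
                return True
        elif innetgr(groups, member, host, user, domain, _seen):
            return True
    return False


def rhosts_decision(groups: Dict[str, List[Member]], rhosts_text: str,
                    client_host: str) -> Optional[bool]:
    """Evaluate host fields top to bottom, first match wins: '-' prefix denies,
    '+' or no prefix allows, '@name' is a netgroup, anything else a hostname.
    True = allow, False = deny, None = nothing matched (fall through)."""
    for raw in rhosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        entry = line.split()[0]  # user field of the entry is not modelled here
        negated = entry.startswith("-")
        if entry[0] in "+-":
            entry = entry[1:]
        if not entry:
            continue  # a bare '+' or '-' wildcard is ignored
        if entry.startswith("@"):
            matched = innetgr(groups, entry[1:], host=client_host)
        else:
            matched = entry.lower() == client_host.lower()
        if matched:
            return not negated
    return None


def expand_hosts(groups: Dict[str, List[Member]], netgroup: str,
                 _seen: Optional[Set[str]] = None) -> List[str]:
    """All concrete host names reachable from a netgroup, sorted."""
    if _seen is None:
        _seen = set()
    if netgroup in _seen or netgroup not in groups:
        return []
    _seen.add(netgroup)
    hosts: Set[str] = set()
    for member in groups[netgroup]:
        if isinstance(member, tuple):
            if member[0] not in ("", "-"):
                hosts.add(member[0])
        else:
            hosts.update(expand_hosts(groups, member, _seen))
    return sorted(hosts)


def authorized_keys_from_option(groups: Dict[str, List[Member]], netgroup: str) -> str:
    """The from= option authorized_keys accepts: a comma-separated host pattern
    list. Netgroup names are not understood there, so expand them."""
    return 'from="%s"' % ",".join(expand_hosts(groups, netgroup))


G = parse_netgroup_map(NETGROUP_MAP)

if __name__ == "__main__":
    for h in ("host1", "hostx", "hostq"):
        print(h, rhosts_decision(G, RHOSTS, h))
    print(authorized_keys_from_option(G, "trustedhosts"))
```

Run as a script it prints allow for host1, deny for hostx and fall-through (None) for hostq, which is in neither group, and `from="host1,host2,host3"` for the trustedhosts expansion; that last string is what would have to be prepended to the key line in authorized_keys to confine it to the netgroup's members, and it has to be regenerated whenever the netgroup changes.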