NIS - netgroup

Vadim Pushkin wiskbroom at
Thu Apr 27 00:49:36 EST 2006


Yes to both. Here is what my config and related system files look like, but 
I think that I have tried just about every variation possible, not sure 
about the pam.conf though.

Using the scenario below, I am able to successfully login as root from *any* 
host to serverA. This is true because the remote host is using a valid key 
that is contained within serverA's authorized_keys file. So what I am looking 
to do is to precede netgroups prior to auth by authorized_keys, does this 
make any sense?

Thank you Tim and all!


LDD Output On My SSHD:
root at serverA#: /tmp=>  ldd /usr/local/sbin/sshd =>   /usr/lib/ =>    /usr/lib/ =>  /usr/lib/ =>    /usr/lib/ =>  /usr/lib/ =>   /usr/lib/ =>     /usr/lib/ =>   /usr/lib/ =>   /usr/lib/ =>    /usr/lib/

HostKey /etc/ossh/ssh_host_key
HostKey /etc/ossh/ssh_host_rsa_key
HostKey /etc/ossh/ssh_host_dsa_key
PermitRootLogin yes
AllowGroups trustedusers ntadmins
AuthorizedKeysFile      %h/.ssh/authorized_keys
IgnoreRhosts no
UsePAM yes
PrintMotd no
PidFile /var/run/
Banner /etc/ossh/banner
Subsystem       sftp    /usr/libexec/sftp-server

My root's .rhosts and .shosts files (they are the same on serverA):
-@nontrustedhosts
+@trustedhosts

Hosts within the trustedhosts netgroup (verified by doing a ypcat):
trustedhosts (host1,-,) (host2,-,) (host3,-,)

Hosts Within The nontrustedhosts netgroup:
nontrustedhosts (hostx,-,) (hosty,-,) (hostz,-,)

My /etc/pam.conf file, the one thing that I am uncertain of:
login   auth requisite
login   auth required
login   auth required
login   auth required
rlogin  auth sufficient
rlogin  auth requisite
rlogin  auth required
rlogin  auth required
dtlogin auth requisite
dtlogin auth required
dtlogin auth required
sshd auth requisite
sshd auth required
sshd auth sufficient
sshd account required
rsh     auth sufficient
rsh     auth required
other   auth requisite
other   auth required
other   auth required
login   account requisite
login   account required
login   account required
dtlogin account requisite
dtlogin account required
dtlogin account required
other   account requisite
other   account required
other   account required
other   session required
other   password required
other   password requisite
other   password requisite
other   password required
dtsession       auth requisite
dtsession       auth required
dtsession       auth required
ppp     auth requisite
ppp     auth required
ppp     auth required
ppp     auth    required
ppp     account requisite
ppp     account required
ppp     account required
ppp     session required
passwd  auth required
cron    account required

Pertinent portion of /etc/nsswitch.conf:
netgroup:   nis # I've tried also file and files nis (files by copying to local file on serverA)

>From: Tim Rice <tim at>
>To: Vadim Pushkin <wiskbroom at>
>CC: openssh-unix-dev at
>Subject: Re: NIS - netgroup
>Date: Tue, 25 Apr 2006 14:37:38 -0700 (PDT)

>On Tue, 25 Apr 2006, Vadim Pushkin wrote:
> > Hello;
> >
> > Sorry for the crosspost/repost, but I am getting desperate here.
> >
> > I am having difficulties setting up ssh (ossh4.3p2 - NIS -Solaris8/Sparc) to
> > authenticate and allow ossh access based on NIS netgroup.  So, a user's
> > host should be from a valid netgroup triple, contained within the ossh
> > server's .rhosts, .shosts, hosts.equiv and/or shosts.equiv.
> >
> > I am having a lot of trouble getting NIS netgroup to work with my current
> > sshd_config, and I've tried just about everything...
> >
> > My environment is pure NIS, no LDAP, at least not for the next year.
>I don't use NIS here, just LDAP.
>Did you compile openssh with PAM support?
>Do you have "UsePAM yes" in your sshd_config?
> >
> > Again, many thanks in advance,
> >
> > .vp
>Tim Rice				Multitalents	(707) 887-1469
>tim at
