OpenSSH public key problem with Solaris 10 and LDAP users?

Alexander Skwar listen at alexander.skwar.name
Wed Aug 15 16:52:42 EST 2007


Peter Stuge <stuge-openssh-unix-dev at cdy.org> wrote:

> On Tue, Aug 14, 2007 at 03:43:04PM +0200, Alexander Skwar wrote:
>> Yep. Public Key auth is certainly auth without a password :) But
>> why don't I get this message, when I login with a good user?
> 
> Again - something is different for those users, somewhere.

Of course! I'm not denying this ;) One set of users is able
to use passwordless entry, while the other set of users is
not able to do this. That's of course quite a difference *g*

>> >> Anyway. Still looks like PAM / LDAP issue.
>> > 
>> > Yes, it is.
>> 
>> With a strange coincidence with SSH.
> 
> OpenSSH introduces a lot of third-party PAM code to a system so it's
> not all that strange.
> 
> 
>> > Something is different in the LDAP data stored for the users,
>> > probably because of how they were created.
> 
>> I copied the new user, using the data from a working user.
> 
> So that's one way.
> 
> 
>> I also tried to create a new user "from scratch".
> 
> That's two.
> 
> Possibly the working users were created in bulk (three) or just using
> different versions of some software (four).

Well, as long as the LDAP database has the same contents, it doesn't
make a difference how the data was "poured" into it, I'd think. But
I don't know that.

It's as if there were a difference when you create a user by
doing "vi /etc/passwd" compared to "echo blah:blah:blah >> /etc/passwd".
The result is the same. Confusing.

> Creating new users the 
> exact same way as the working users were created should still
> succeed though.

Will try that. But I very highly doubt that this makes a difference
at all. After all, it's just a different way to fill that database.

...

Okay. Done. The original way was that I used the PADL Migration Tools,
which convert /etc/passwd et al. to LDIF files, which then have to
be ldapadd'ed to the LDAP database. I just did that, and as was
to be expected, there was no difference whatsoever. Result:
with yet another newly created test user, I'm able to SSH login
using a password. Passwordless entry using pubkey doesn't work.

> If you get that far, you get to reverse engineer what 
> is actually going on to find the difference.

Yep. If only I were able to get that far... :\

>> Having a look at the LDIF exports, I cannot see any differences.
> 
> But this is not the whole truth. There's a lot of software involved
> in writing and reading that data, some of it may implement a policy
> according to something else than the data in the LDIF export.

But the LDAP database is the sole source of information. There
is nothing else (well, there's of course still a mostly empty
/etc/passwd and /etc/group, but there's nothing in those files
for the new users and there's also nothing in there for the
old and working users).

>> Anyway. Probably really an LDAP thing.
> 
> Can you test if these users are allowed through when someone other
> than OpenSSH uses PAM to do passwordless logins? Any server is good.

What server should I try?

> My guess is that the problem is with writing to LDAP, rather than
> reading from it.

I doubt that. In LDAP, there's no difference between the non-working
users and the working users. At least not as far as I can tell.

Thanks a lot though,
Alexander Skwar
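The "I cannot see any differences" step above is where a byte-level comparison helps: LDIF hides trailing whitespace and non-printable bytes behind base64 (`attr::`) values and folded lines, so two exports can look identical to the eye. The following is an added example written for this page (not code from the thread, from PADL or from OpenSSH) that decodes both exports and diffs the attributes after normalizing each user's own login name; the two sample entries are constructed.

```python
import base64

# Constructed sample exports (not from the thread): the new account's
# homeDirectory is base64-encoded because it carries a trailing space.
WORKING_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1001
homeDirectory: /export/home/alice
loginShell: /bin/bash
"""
NEW_LDIF = """\
dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1002
homeDirectory:: %s
loginShell: /bin/bash
""" % base64.b64encode(b"/export/home/bob ").decode()

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lowercase: [decoded values]}."""
    lines = []
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # attr:: <base64>, decode it
            value = base64.b64decode(value[1:].strip()).decode()
        elif value.startswith(" "):         # attr: value, drop one space
            value = value[1:]
        entry.setdefault(attr.lower(), []).append(value)
    return entry

def diff_entries(a, b, ignore=("dn", "uid", "uidnumber")):
    """Attributes whose values differ after each user's own login name is
    replaced by $USER; repr() the result to make whitespace visible."""
    def norm(e):
        name = e["uid"][0]
        return {k: sorted(v.replace(name, "$USER") for v in vs) for k, vs in e.items()}
    a, b = norm(a), norm(b)
    return {k: (a.get(k, []), b.get(k, [])) for k in sorted(set(a) | set(b))
            if k not in ignore and a.get(k, []) != b.get(k, [])}
```

Running `diff_entries(parse_ldif_entry(WORKING_LDIF), parse_ldif_entry(NEW_LDIF))` on the samples reports only `homedirectory`, with the trailing space visible in the repr; the same comparison can be run on real `ldapsearch -LLL` output for one working and one failing user.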