[SOLVED] Re: OpenSSH public key problem with Solaris 10 and LDAP users?

Douglas E. Engert deengert at anl.gov
Fri Aug 17 02:51:01 EST 2007



Alexander Skwar wrote:
> Douglas E. Engert <deengert at anl.gov> wrote:
>> Alexander Skwar wrote:
>>> Douglas E. Engert <deengert at anl.gov> wrote:
> 
>>>> the getpw.c program I sent yesterday should return (assuming the
>>>> username is not also in the local /etc/passwd file):
>>>> username:x:...
>>>> username:crypted-password:...
>>> Ah!
>>>
>>> --($:~/Source/pamtest)-- sudo ./getpw askwar
>>> STDC = __STDC__
>>> askwar:x:10001:10:Alexander
>>> Skwar,alexander.skwar at Exampleauto.com:/export/home/askwar:/opt/csw/bin/bash
>>> askwar:cd9--------psA:13503:-1:-1-1:-1:-1:0
>>>
>>> --($:~/Source/pamtest)-- sudo ./getpw testing
>>> STDC = __STDC__
>>> testing:x:54321:10:Alexander
>>> Skwar,alexander.skwar at Exampleauto.com:/export/home/testing:/opt/csw/bin/bash
>>> testing:*NP*:-1:-1:-1-1:-1:-1:0
>>>
>>> *NP* for testing? Why's that? Why's there a difference?
>>
>> This could be the problem. NP is used for OK to login if you can
>> authenticate some other way. *NP* may be considered locked,
>> as * is not a valid crypt character.
>>
>> Try using ldapmodify to change the password to {crypt}NP
>>
>> See if you can get the phpLdapAdmin to add NP rather than *NP*
>> Or set some valid password.
> 
> Uhm - I DO have a valid password for the "testing" user. And
> as soon as I remove "askwar" from /etc/shadow, I also get *NP* (no
> password, I guess?) when I run getpw. Is that not the way you
> expect it to be?

No, I expect it to be NP not *NP*.

We use SSH with GSSAPI and the LDAP accounts use {crypt}NP
This works on Linux, Solaris 10 using the Solaris sshd, and older
Solaris systems using OpenSSH sshd.

The OpenSSH 4.5 src/sshd.0 talks about using locked accounts and NP or *NP*.

See the OpenSolaris source for pam, which says it can use *NP*:
http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/pam_modules/

But many of the Sun blogs talk about NP. So OpenSolaris may have added *NP*
as well.

NP works for us from LDAP.



> 
> Alexander Skwar

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

