PAM authentication on Solaris (with openssh-3.7.1p2) is not quite right



I am using NIS+ on our Solaris 8 systems.  Home directories are
NFS mounted with secure NFS (requires the nisplus credentials).

If I use ssh to log in to a client machine, all is fine.

If I use ssh to log in to one of our servers, there are problems.
Specifically, the credentials have not been properly registered with
keyserv, and as a result NFS mounted home directories are not
accessible.  I can use the "keylogin" command to correct the

On the client machine, the shadow data is not accessible without the
credentials.  Presumably because of this, the PAM routines properly
establish credentials so that they can get the shadow data to
validate the password.

On the server machines, the root user can access the shadow data
without credentials first being established.  Apparently this
shortcut route is used, causing the problem.

sshd_config contains

UsePAM yes

It makes no difference whether I set "PasswordAuthentication no".
Either way, challenge response authentication is used.

By way of comparison, "rlogin" does work properly on either client or
server.  Here "server" means a NIS+ server that is in the admin
nisplus group.

The relevant auth entries from pam.conf

rlogin  auth sufficient
rlogin  auth requisite
rlogin  auth required 
rlogin  auth required 

other   auth requisite
other   auth required 
other   auth required 

Since there was nothing relevant in ".rhosts" in my tests with
rlogin, I would have thought both should behave the same.


Test procedure:

  First log in to the server, and use:  keylogout
   (this de-registers credentials)

  Next try to log in with ssh
       try to log in with rlogin

  After each login, check whether credentials are registered with
  keyserv.  The simplest check is to try accessing a secure-nfs
  mounted file system.
