--- Vincent Danen <[EMAIL PROTECTED]> wrote:
> On Mon Jan 27, 2003 at 11:40:11AM -0700, Vincent Danen wrote:
>
> [...]
> > Let me do some digging... this is starting to ring some bells. I bet if you do an strace on ssh (as a user in the LDAP database), you'll see it accessing /etc/shadow directly, and *not* using getent to retrieve that info. If that's the case, then there is very little we can do about it as it would be a design "flaw" in ssh directly. It could very well be that openssh doesn't use NSS to obtain that information, meaning it will never call getent to do the lookup.
> >
> > I.e. to openssh, if the user isn't in the physical /etc/shadow file, then the user doesn't exist to it.
> >
> > I'll do a little snooping and see what I can come up with. This may be one reason I'm not personally using LDAP for authentication... this is sounding quite familiar.
>
> Ok... if you do an strace on ssh, and then search the output, you'll see something like this:
>
> open("/etc/passwd", O_RDONLY) = 3
> ... (much repeated, my strace shows 6 similar calls)
>
> So ssh, the client, is looking at the file directly, and not using NSS or getent or any other similar mechanism that would allow it to retrieve that data from LDAP.
>
> This is a limitation of openssh, and not something that we can fix... you'll have to bring this up with the openssh developers.

Strange, how does one reproduce the problem exactly? I have a user that's only in LDAP and I can ssh to them just fine.
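An added diagnostic for the strace check described in the quoted message (editor's example, not code from the thread or from either poster): it reads strace output and reports whether the traced process opened /etc/passwd and /etc/shadow itself, or whether glibc loaded NSS backends (libnss_files, libnss_ldap) and connected to an LDAP port. The sample traces are constructed, and the library paths, port numbers and the 192.0.2.10 address are assumptions.

```shell
#!/bin/sh
# Classify an strace log of a user-name lookup: did the process only read
# /etc/passwd and /etc/shadow itself, or did glibc load NSS modules (and,
# for nss_ldap, talk to an LDAP server)?  All sample traces are constructed.

# Counts of the interesting syscalls, one "key=value" per line (old "open"
# and newer "openat" strace formats are both recognised).
classify_trace() {
  awk '
    /open(at)?\(.*"\/etc\/passwd"/        { direct_passwd++ }
    /open(at)?\(.*"\/etc\/shadow"/        { direct_shadow++ }
    /open(at)?\(.*libnss_[a-z0-9]+\.so/   { nss_modules++ }
    /open(at)?\(.*libnss_ldap\.so/        { nss_ldap++ }
    /connect\(.*htons\((389|636)\)/       { ldap_connect++ }
    END {
      printf "direct_passwd=%d\n", direct_passwd
      printf "direct_shadow=%d\n", direct_shadow
      printf "nss_modules=%d\n", nss_modules
      printf "nss_ldap=%d\n", nss_ldap
      printf "ldap_connect=%d\n", ldap_connect
    }'
}

# One-word verdict from the counts: "nss" when an NSS backend was loaded
# (so any /etc/passwd open came from nss_files, not the program itself),
# "direct" when only the flat files were opened, "none" otherwise.
trace_verdict() {
  counts=$(classify_trace)
  nss=$(printf '%s\n' "$counts" | sed -n 's/^nss_modules=//p')
  direct=$(printf '%s\n' "$counts" | sed -n 's/^direct_passwd=//p')
  if [ "$nss" -gt 0 ]; then echo nss
  elif [ "$direct" -gt 0 ]; then echo direct
  else echo none; fi
}

# Constructed sample 1: the pattern the thread describes, flat files only.
DIRECT_ONLY='open("/etc/passwd", O_RDONLY) = 3
open("/etc/passwd", O_RDONLY) = 3
open("/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)'

# Constructed sample 2: glibc loading nss_files and nss_ldap, then connecting.
VIA_NSS='openat(AT_FDCWD, "/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/libnss_ldap.so.2", O_RDONLY|O_CLOEXEC) = 4
connect(5, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("192.0.2.10")}, 16) = 0'

printf '%s\n' "$DIRECT_ONLY" | trace_verdict   # direct
printf '%s\n' "$VIA_NSS" | trace_verdict       # nss
```

On a real system feed it `strace -f -e trace=open,openat,connect ssh user@host 2>&1 | trace_verdict`. Because glibc's own nss_files backend opens /etc/passwd, an open of that file by itself does not show that the program bypassed NSS; the loaded libnss_* modules are the stronger signal.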