Greetings;
Yes to both, here are what my config and related system files look like, but
I think that I have tried just about every variation possible, not sure
about the pam.conf though.
Using the scenario below, I am able to successfully login as root from *any*
host to serverA. This is true because the remote host is using a valid key
that is contained within serverA's authorized_keys file. So what I am looking
to do is to precede netgroups prior to auth by authorized_keys, does this
make any sense?
Thank you Tim and all!
Vadim
LDD Output On My SSHD:
-----------------------------------
[EMAIL PROTECTED]: /tmp=> ldd /usr/local/sbin/sshd
libpam.so.1 => /usr/lib/libpam.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libresolv.so.2 => /usr/lib/libresolv.so.2
librt.so.1 => /usr/lib/librt.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libc.so.1 => /usr/lib/libc.so.1
libcmd.so.1 => /usr/lib/libcmd.so.1
libaio.so.1 => /usr/lib/libaio.so.1
libmp.so.2 => /usr/lib/libmp.so.2
/usr/platform/SUNW,Sun-Blade-1000/lib/libc_psr.so.1
SSHD_CONFIG On serverA:
------------------------------------
HostKey /etc/ossh/ssh_host_key
HostKey /etc/ossh/ssh_host_rsa_key
HostKey /etc/ossh/ssh_host_dsa_key
PermitRootLogin yes
AllowGroups trustedusers ntadmins
AuthorizedKeysFile %h/.ssh/authorized_keys
IgnoreRhosts no
UsePAM yes
PrintMotd no
PidFile /var/run/sshd.pid
Banner /etc/ossh/banner
Subsystem sftp /usr/libexec/sftp-server
My root's .rhosts and .shosts files (they are the same on serverA):
------------------------------------------------------------------------------------------
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Hosts Within The trustedhosts netgroup (verified by doing a ypcat):
------------------------------------------------------------------------------------------
trustedhosts (host1,-,) (host2,-,) (host3,-,)
Hosts Within The nontrustedhosts netgroup:
---------------------------------------------------------
nontrustedhosts (hostx,-,) (hosty,-,) (hostz,-,)
My /etc/pam.conf file, the one thing that I am uncertain of:
----------------------------------------------------------------------------------
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_auth.so.1
dtlogin auth requisite pam_authtok_get.so.1
dtlogin auth required pam_dhkeys.so.1
dtlogin auth required pam_unix_auth.so.1
sshd auth requisite pam_authtok_get.so.1
sshd auth required pam_dhkeys.so.1
sshd auth sufficient pam_unix_auth.so.1
sshd account required pam_unix_account.so.1
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_auth.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_auth.so.1
login account requisite pam_roles.so.1
login account required pam_projects.so.1
login account required pam_unix_account.so.1
dtlogin account requisite pam_roles.so.1
dtlogin account required pam_projects.so.1
dtlogin account required pam_unix_account.so.1
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account required pam_unix_account.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
dtsession auth requisite pam_authtok_get.so.1
dtsession auth required pam_dhkeys.so.1
dtsession auth required pam_unix_auth.so.1
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
ppp account requisite pam_roles.so.1
ppp account required pam_projects.so.1
ppp account required pam_unix_account.so.1
ppp session required pam_unix_session.so.1
passwd auth required pam_passwd_auth.so.1
cron account required pam_unix_account.so.1
Pertinent portion of /etc/nsswitch.conf:
-----------------------------------------------------
netgroup: nis # I've tried also file and files nis (files by copying to local file on serverA)
From: Tim Rice <[EMAIL PROTECTED]>
To: Vadim Pushkin <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
Subject: Re: NIS - netgroup
Date: Tue, 25 Apr 2006 14:37:38 -0700 (PDT)
On Tue, 25 Apr 2006, Vadim Pushkin wrote:
> Hello;
>
> Sorry for the crosspost/repost, but I am getting desperate here.
>
> I am having difficulties setting up ssh (ossh4.3p2 - NIS -Solaris8/Sparc) to
> authenticate and allow ossh access based on NIS netgroup. So, users and/or
> host should be from a valid netgroup triple, contained within the ossh
> server's .rhosts, .shosts, hosts.equiv and/or shosts.equiv.
>
> I am having a lot of trouble getting NIS netgroup to work with my current
> sshd_config, and I've tried just about everything...
>
> My environment is pure NIS, no LDAP, at least not for the next year.
I don't use NIS here, just LDAP.
Did you compile openssh with PAM support?
Do you have "UsePAM yes" in your sshd_config?
>
> Again, many thanks in advance,
>
> .vp
--
Tim Rice Multitalents (707) 887-1469
[EMAIL PROTECTED]
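The thread's core problem is that a key in root's authorized_keys is honoured from any host, while the host restriction lives in a NIS netgroup that public-key authentication never consults. OpenSSH can restrict a key to named source hosts with the authorized_keys `from=` option, so one defensive approach is to derive that option from the netgroup map. The script below is an added example, not code from the thread or from OpenSSH; it parses constructed `ypcat -k netgroup` style lines (the thread's trustedhosts/nontrustedhosts triples) and prefixes a key line with the resulting `from=` list. Nested netgroups are an assumption left unexpanded.

```sh
#!/bin/sh
# Constructed sample in the format of `ypcat -k netgroup`; not real map data.
SAMPLE_NETGROUPS='trustedhosts (host1,-,) (host2,-,) (host3,-,)
nontrustedhosts (hostx,-,) (hosty,-,) (hostz,-,)'

# Print the host field of every (host,user,domain) triple in the named
# netgroup, comma-separated, which is the list form the authorized_keys
# from= option accepts. Empty or "-" host fields are skipped, and bare
# names of nested netgroups (no parentheses) are not expanded.
netgroup_hosts() {
    _group=$1
    printf '%s\n' "$SAMPLE_NETGROUPS" | awk -v g="$_group" '
        $1 == g {
            out = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\(/) {
                    h = $i
                    sub(/^\(/, "", h)     # drop the opening parenthesis
                    sub(/,.*/, "", h)     # keep only the host field
                    if (h != "" && h != "-") {
                        if (out != "") out = out ","
                        out = out h
                    }
                }
            }
            print out
        }'
}

# Prefix one public-key line with from="host1,host2,..." so sshd only honours
# the key when the client connects from a host in the netgroup. A line whose
# netgroup resolves to no hosts is printed unchanged rather than locked open.
restrict_key_line() {
    _group=$1
    _line=$2
    _hosts=$(netgroup_hosts "$_group")
    if [ -n "$_hosts" ]; then
        printf 'from="%s" %s\n' "$_hosts" "$_line"
    else
        printf '%s\n' "$_line"
    fi
}

# Usage on a constructed key line (not root's real key):
restrict_key_line trustedhosts 'ssh-rsa AAAAB3Nza...EXAMPLE root@host1'
```

sshd matches `from=` patterns against the client's reverse-resolved hostname and its IP address, so the netgroup host names must be the canonical names sshd sees, and the option must be regenerated whenever the netgroup changes.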