2nd SSH doesn't work with AD

jess_t03 · November 8, 2012, 4:39am

Recently I decided to intall second daemon of SSH for Winbind users.
I mean I have configuration AIX + Samba + AD and I can login to the server via SSH with AD accounts to 22 port without any problems.
But now I have second installation of OpenSSH and don't understand why I can't do the same with that ?
I compiled it with :
$ ./configure --prefix=/opt/openssh --with-pam --with-kerberos5=/usr/krb5
$ make
$ make install
... and was nothing errors.

My config files on both daemons ssh is equal except Port (22 / 222)

$ cat /etc/ssh/sshd_config | egrep -v "(^#.|^$)"
Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
UseLogin yes
PermitUserEnvironment yes
PidFile /var/run/sshd.pid
Subsystem       sftp    /usr/sbin/sftp-server -e -l DEBUG3

On the second new one SSH I can login only with local users, but can't login with Winbind : (

DGPickett · November 12, 2012, 4:24pm

Is 222 defined as a named service in /etc/services or whatever? What's in /etc/pam.d/* files?

BTW, why 2 servers?

jess_t03 · November 15, 2012, 11:10pm

Ok, I added two lines in /etc/services, but nothing changed

[root@wb53tst /]$ cat /etc/services | grep ssh
ssh                     22/tcp          # SSH Remote Login Protocol
ssh                     22/udp          # SSH Remote Login Protocol
ssh                     222/tcp
ssh                     222/udp

About PAM

#
# Authentication
#
dtaction auth   required        pam_aix
dtsession auth  required        pam_aix
dtlogin auth    required        pam_aix
ftp     auth    required        pam_aix
imap    auth    required        pam_aix
login   auth    required        pam_aix
rexec   auth    required        pam_aix
rlogin  auth    sufficient      pam_rhosts_auth
rlogin  auth    required        pam_aix
rsh     auth    required        pam_rhosts_auth
snapp   auth    required        pam_aix
su      auth    sufficient      pam_allowroot
su      auth    required        pam_aix
telnet  auth    required        pam_aix
OTHER   auth    required        pam_prohibit

#
# Account Management
#
dtlogin account required        pam_aix
ftp     account required        pam_aix
login   account required        pam_aix
rexec   account required        pam_aix
rlogin  account required        pam_aix
rsh     account required        pam_aix
su      account sufficient      pam_allowroot
su      account required        pam_aix
telnet  account required        pam_aix
OTHER   account required        pam_prohibit

#
# Password Management
#
dtlogin password  required      pam_aix
login   password  required      pam_aix
passwd  password  required      pam_aix
rlogin  password  required      pam_aix
su      password  required      pam_aix
telnet  password  required      pam_aix
OTHER   password  required      pam_prohibit

#
# Session Management
#
dtlogin session required        pam_aix
ftp     session required        pam_aix
imap    session required        pam_aix
login   session required        pam_aix
rexec   session required        pam_aix
rlogin  session required        pam_aix
rsh     session required        pam_aix
snapp   session required        pam_aix
su      session required        pam_aix
telnet  session required        pam_aix
OTHER   session required        pam_prohibit

DGPickett · November 16, 2012, 11:42am

I think /etc/services needs a one-to-one (per protocol) to work correctly, so you might want to rename this service 'ssh2' or the like.

This fellow made it entirely a different service except for any internal strings in code: tgharold.com: Tech Blog: Setup sshd to run a second instance

PAM setup for ssh involves several files in the pam dir. Did you update them?

jess_t03 · November 18, 2012, 10:44pm

I think you confused.
In AIX is not present /etc/pam.d catalog. I saw it only in Linux systems.
PAM is not native AIX enviroinment.

sahiti · November 20, 2012, 1:11pm

Hi
I am unable to download ssh tried through IBM ID but unable to create an ID. Can any one help I want to work out the commands n check.

DGPickett · November 20, 2012, 2:52pm

Well, the config files tend to move around and change from O/S to O/S, but the basics are still the same. His second ssh worked because it was an entirely different service and executable name, so it was not getting cpnfused with the configuration of the first ssh, just as configuration elements for http or ftp never get confused with ssh.