SSH login problem

untamed · October 21, 2008, 6:54am

The problem is to login with non-root users. This is the error:

[root@srv1 root]# ssh -l roberto srv2.domain.net
roberto@srv2.domain.net's password:
Last login: Tue Oct 21 09:39:35 DFT 2008 on /dev/pts/1 from 192.168.2.25
*******************************************************************************
*                                                                             *
*                                                                             *
*  Welcome to AIX Version 5.3!                                                *
*                                                                             *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*                                                                             *
*******************************************************************************
getuserattr failed
Connection to srv2.domain.net closed.

With root I can normally login. What can be the problem?

On srv2 ssh version is:

bash-2.05a# ssh -V
OpenSSH_4.5p1, OpenSSL 0.9.8d 28 Sep 2006

shockneck · October 21, 2008, 7:19am

The getuserattr subroutine accesses the following files. Use root to check whether all permissions are correct. Sample from a 5.3 AIX server:

-rw-r--r--    1 root     security        699 Oct 21 17:13 /etc/passwd
-rw-r--r--    1 root     security        415 Oct 21 17:12 /etc/group
-rw-r--r--    1 root     system        10546 Oct 21 17:12 /etc/security/user
-rw-r-----    1 root     security       1346 Apr 01 2008  /etc/security/limits
-rw-r-----    1 root     security        531 Oct 09 17:46 /etc/security/group
-rw-r-----    1 root     security         60 May 07 2007  /etc/security/environ

untamed · October 21, 2008, 8:25am

bash-2.05a# ls -l /etc/passwd /etc/group /etc/security/user /etc/security/limits /etc/security/group /etc/security/environ
-rw-r--r--   1 root     security        735 Oct 21 09:37 /etc/group
-rw-r--r--   1 root     security       1838 Oct 21 09:37 /etc/passwd
-rw-r-----   1 root     security         60 Jun 21 2004  /etc/security/environ
-rw-r-----   1 root     security        649 Apr 23 2008  /etc/security/group
-rw-r-----   1 root     security       1462 Apr 05 2007  /etc/security/limits
-rw-r--r--   1 root     system        10943 Oct 21 09:37 /etc/security/user

permissions are the same...

bakunin · October 21, 2008, 8:42am

How did you install the SSH software (bff package via installp or tarball) ?

How did you start the sshd (directly or via startsrc)?

bakunin

untamed · October 21, 2008, 9:18am

bash-2.05a# lslpp -l openss*
  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  openssh.base.client     4.5.0.5302  COMMITTED  Open Secure Shell Commands
  openssh.base.server     4.5.0.5302  COMMITTED  Open Secure Shell Server
  openssh.license         4.5.0.5302  COMMITTED  Open Secure Shell License
  openssh.man.en_US       4.5.0.5302  COMMITTED  Open Secure Shell
                                                 Documentation - U.S. English
  openssh.msg.en_US       4.5.0.5302  COMMITTED  Open Secure Shell Messages -
                                                 U.S. English
  openssl.base             0.9.8.410  COMMITTED  Open Secure Socket Layer
  openssl.license          0.9.8.410  COMMITTED  Open Secure Socket License
  openssl.man.en_US        0.9.8.410  COMMITTED  Open Secure Socket Layer

Path: /etc/objrepos
  openssh.base.client     4.5.0.5302  COMMITTED  Open Secure Shell Commands
  openssh.base.server     4.5.0.5302  COMMITTED  Open Secure Shell Server
  openssl.base             0.9.8.410  COMMITTED  Open Secure Socket Layer

I think the service starts via startsrc as is defined into /etc/services. How can I verify that?

bakunin · October 21, 2008, 9:24am

/etc/services is something completely different. You can check by issuing

lssrc -a | grep ssh

If you get nothing the sshd was probably started by other (non-AIX) means and should be corrected. If you get a line similar to this:

bakunin@server# lssrc -a | grep ssh
 sshd             ssh              249928       active

The subserver has been started by SRC (system resource controller) means as it should be.

I hope this helps.

bakunin

untamed · October 21, 2008, 9:35am

bash-2.05a# lssrc -a | grep ssh
 sshd             ssh              344234       active

wempy · October 21, 2008, 10:05am

Is the user account you are trying a newly created account?

maybe

usermod -x "{administrativeLockApplied 0}" <username>

to unlock it?

untamed · October 21, 2008, 10:37am

I have no "-x" option with usermod...

bash-2.05a# usermod -x "{administrativeLockApplied 0}" roberto
Usage: usermod [ -u uid ] [ -g group ] [ -G group1,group2 ... ] [-d dir [ -m ] ] [ -s shell ] [ -c comment ] [ -l new_name ] [ -e expire ] [ -r role1,role2 ... ] login

wempy · October 21, 2008, 11:25am

most strange, I thought AIX had POSIX compliant utilities.
Had a google around and found a lot of complaints regarding this exact same problem, it seems there is maybe an imbalance between the os level (I think AIX calls it ML) and the version of openssh.
Another solution was to ensure that the user had a primary group set (I think there is an AIX command for checking users, usrck?? or look in smitty).

untamed · October 21, 2008, 11:34am

I tried with

bash-2.05a# usrck -n roberto
bash-2.05a#

so I think there is no problem with my user ("-n" reports errors but does not fix them)...

shockneck · October 21, 2008, 1:44pm

Has this ssh login for normal users worked before? Did anything change in the server e.g. oslevel, OpenSSH and/or OpenSSL?

untamed · October 22, 2008, 4:22am

This ssh login hasn't worked before, and I can't understand what is the problem...

shockneck · October 22, 2008, 4:38am

Can you update OpenSSH and OpenSSL to the current versions? You can find the official IBM OpenSSH packages here:
SourceForge.net: OpenSSH on AIX
and OpenSSL here (free registration required):
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp

untamed · October 22, 2008, 9:39am

I solved by upgrading both packages, as suggested by shockneck.

Thank you very much

aixylinux · January 4, 2009, 2:22pm

Maybe you should try a later version of OpenSSH for AIX. See Get the latest version of OpenSSH for AIX

That article points you to download of a 4.7 version from SourceForge.net: OpenSSH on AIX

There's a link there also to the compatible version of OpenSSL