The problem is to log in with non-root users. This is the error:
[root@srv1 root]# ssh -l roberto srv2.domain.net
roberto@srv2.domain.net's password:
Last login: Tue Oct 21 09:39:35 DFT 2008 on /dev/pts/1 from 192.168.2.25
*******************************************************************************
* *
* *
* Welcome to AIX Version 5.3! *
* *
* *
* Please see the README file in /usr/lpp/bos for information pertinent to *
* this release of the AIX Operating System. *
* *
* *
*******************************************************************************
getuserattr failed
Connection to srv2.domain.net closed.
With root I can log in normally. What can be the problem?
On srv2 ssh version is:
bash-2.05a# ssh -V
OpenSSH_4.5p1, OpenSSL 0.9.8d 28 Sep 2006
untamed:
The problem is to log in with non-root users. This is the error:
[...]
getuserattr failed
[...]
With root I can log in normally. What can be the problem?
The getuserattr subroutine accesses the following files. Use root to check whether all permissions are correct. Sample from a 5.3 AIX server:
-rw-r--r-- 1 root security 699 Oct 21 17:13 /etc/passwd
-rw-r--r-- 1 root security 415 Oct 21 17:12 /etc/group
-rw-r--r-- 1 root system 10546 Oct 21 17:12 /etc/security/user
-rw-r----- 1 root security 1346 Apr 01 2008 /etc/security/limits
-rw-r----- 1 root security 531 Oct 09 17:46 /etc/security/group
-rw-r----- 1 root security 60 May 07 2007 /etc/security/environ
bash-2.05a# ls -l /etc/passwd /etc/group /etc/security/user /etc/security/limits /etc/security/group /etc/security/environ
-rw-r--r-- 1 root security 735 Oct 21 09:37 /etc/group
-rw-r--r-- 1 root security 1838 Oct 21 09:37 /etc/passwd
-rw-r----- 1 root security 60 Jun 21 2004 /etc/security/environ
-rw-r----- 1 root security 649 Apr 23 2008 /etc/security/group
-rw-r----- 1 root security 1462 Apr 05 2007 /etc/security/limits
-rw-r--r-- 1 root system 10943 Oct 21 09:37 /etc/security/user
permissions are the same...
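The comparison made in the two posts above, as an added example that is not part of the thread: a POSIX sh function that checks an `ls -l` listing against the mode, owner and group shown in the AIX 5.3 sample. The names `check_listing` and `SRV2_LISTING` are made up for this example; the embedded listing is the one posted for srv2.

```shell
#!/bin/sh
# check_listing: read `ls -l` output on stdin and compare mode, owner and group
# with the AIX 5.3 sample listing from the thread. Prints one line per
# deviation; returns 0 only if all six files are present and match.
check_listing() {
    awk '
    BEGIN {
        want["/etc/passwd"]           = "-rw-r--r-- root security"
        want["/etc/group"]            = "-rw-r--r-- root security"
        want["/etc/security/user"]    = "-rw-r--r-- root system"
        want["/etc/security/limits"]  = "-rw-r----- root security"
        want["/etc/security/group"]   = "-rw-r----- root security"
        want["/etc/security/environ"] = "-rw-r----- root security"
    }
    # ls -l fields: mode links owner group size month day time-or-year path
    NF >= 9 && ($NF in want) {
        seen[$NF] = 1
        got = $1 " " $3 " " $4
        if (got != want[$NF]) {
            printf "MISMATCH %s: got [%s], expected [%s]\n", $NF, got, want[$NF]
            bad = 1
        }
    }
    END {
        for (p in want)
            if (!(p in seen)) { printf "MISSING %s\n", p; bad = 1 }
        exit (bad ? 1 : 0)
    }'
}

# Listing posted in the thread for srv2.
SRV2_LISTING='-rw-r--r-- 1 root security 735 Oct 21 09:37 /etc/group
-rw-r--r-- 1 root security 1838 Oct 21 09:37 /etc/passwd
-rw-r----- 1 root security 60 Jun 21 2004 /etc/security/environ
-rw-r----- 1 root security 649 Apr 23 2008 /etc/security/group
-rw-r----- 1 root security 1462 Apr 05 2007 /etc/security/limits
-rw-r--r-- 1 root system 10943 Oct 21 09:37 /etc/security/user'

if printf '%s\n' "$SRV2_LISTING" | check_listing; then
    echo "srv2: modes and ownership match the sample"
fi
```

On a live host, pipe the same `ls -l` command shown in the thread into `check_listing` as root.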
How did you install the SSH software (bff package via installp or tarball)?
How did you start the sshd (directly or via startsrc)?
bakunin
bash-2.05a# lslpp -l openss*
Fileset Level State Description
----------------------------------------------------------------------------
Path: /usr/lib/objrepos
openssh.base.client 4.5.0.5302 COMMITTED Open Secure Shell Commands
openssh.base.server 4.5.0.5302 COMMITTED Open Secure Shell Server
openssh.license 4.5.0.5302 COMMITTED Open Secure Shell License
openssh.man.en_US 4.5.0.5302 COMMITTED Open Secure Shell
Documentation - U.S. English
openssh.msg.en_US 4.5.0.5302 COMMITTED Open Secure Shell Messages -
U.S. English
openssl.base 0.9.8.410 COMMITTED Open Secure Socket Layer
openssl.license 0.9.8.410 COMMITTED Open Secure Socket License
openssl.man.en_US 0.9.8.410 COMMITTED Open Secure Socket Layer
Path: /etc/objrepos
openssh.base.client 4.5.0.5302 COMMITTED Open Secure Shell Commands
openssh.base.server 4.5.0.5302 COMMITTED Open Secure Shell Server
openssl.base 0.9.8.410 COMMITTED Open Secure Socket Layer
I think the service starts via startsrc as it is defined in /etc/services. How can I verify that?
/etc/services is something completely different. You can check by issuing
lssrc -a | grep ssh
If you get nothing, the sshd was probably started by other (non-AIX) means and should be corrected. If you get a line similar to this:
bakunin@server# lssrc -a | grep ssh
sshd ssh 249928 active
then the subserver has been started by SRC (System Resource Controller) means, as it should be.
I hope this helps.
bakunin
bash-2.05a# lssrc -a | grep ssh
sshd ssh 344234 active
wempy
October 21, 2008, 10:05am
8
Is the user account you are trying a newly created account?
maybe
usermod -x "{administrativeLockApplied 0}" <username>
to unlock it?
untamed
October 21, 2008, 10:37am
9
I have no "-x" option with usermod...
bash-2.05a# usermod -x "{administrativeLockApplied 0}" roberto
Usage: usermod [ -u uid ] [ -g group ] [ -G group1,group2 ... ] [-d dir [ -m ] ] [ -s shell ] [ -c comment ] [ -l new_name ] [ -e expire ] [ -r role1,role2 ... ] login
wempy
October 21, 2008, 11:25am
10
Most strange, I thought AIX had POSIX-compliant utilities.
Had a google around and found a lot of complaints regarding this exact same problem; it seems there is maybe an imbalance between the OS level (I think AIX calls it ML) and the version of OpenSSH.
Another solution was to ensure that the user had a primary group set (I think there is an AIX command for checking users, usrck?? or look in smitty).
untamed
October 21, 2008, 11:34am
11
I tried with
bash-2.05a# usrck -n roberto
bash-2.05a#
so I think there is no problem with my user ("-n" reports errors but does not fix them)...
Has this ssh login for normal users worked before? Did anything change in the server e.g. oslevel, OpenSSH and/or OpenSSL?
untamed
October 22, 2008, 4:22am
13
This ssh login hasn't worked before, and I can't understand what the problem is...
Can you update OpenSSH and OpenSSL to the current versions? You can find the official IBM OpenSSH packages here:
SourceForge.net: OpenSSH on AIX
and OpenSSL here (free registration required):
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp
untamed
October 22, 2008, 9:39am
15
I solved it by upgrading both packages, as suggested by shockneck.
Thank you very much.
Maybe you should try a later version of OpenSSH for AIX. See Get the latest version of OpenSSH for AIX
That article points you to download of a 4.7 version from SourceForge.net: OpenSSH on AIX
There's a link there also to the compatible version of OpenSSL