As I do a ssh <nis_user>@server1 from server2, ssh prompts for certificates (as expected the first time), then it prompts for the users password, as soon as I enter the password, I get a Connection to server1 closed by remote host, and connection to server1 closed. and I disconnect back to the originating host.
Both hosts are AIX 6.1 TL7 SP10 servers.
OpenSSH 6.0.0.6102 on both servers.
I can telnet to server1 and enter nis_user and password and login just fine, but, when I try to use the @server1 login method, I get disconnected. The problem follows the nis_user. I created local /etc/passwd accounts and they work fine. My NIS user account works fine between the 2 systems.
Seems to follow only the one specific user and between these 2 servers. Other AIX 6.1 and 7.1 servers have no issue with the same user. No special settings in ssh_config or sshd_config on either host.
Sep 20 15:35:02 server1 auth|security:info sshd[10354864]: Accepted password for nis_user from 10.41.80.8 port 41888 ssh2
Sep 20 15:35:02 server1 auth|security:crit sshd[13959322]: fatal: permanently_set_uid: was able to restore old [e]gid
dang, had totally forgotten about auth.log. Thanks
did a quick look through google and nothing in /etc/group and no local user account for nis_user. There was a mention of a getpwid patch but if it was OS, then why does my other 3 AIX boxes work without issue. Same nis server for all 5 boxes.
server1:>oslevel -s
6100-07-10-1415
---------- Post updated at 03:47 PM ---------- Previous update was at 02:52 PM ----------
Fixed the problem.
The issue is there is a bug in openssh where if there is a /etc/group --> GID_NAME and if the LDAP or NIS user has a same GID_NAME, but different value you will get this inability to login via ssh.
the corrective action is to make the /etc/group --> GID_NAME value the same as the naming service value, or delete the local GID_NAME.
Thanks for sharing the solution!
I wonder if there is a bug in the libc.
The gid -> gname order should be identical with the gname -> gid order, regardless which method (+: entry or nsswitch.conf) is used.