AIX

  • 1.  Problems with OpenSSH on AIX 5.3

    Posted Wed January 24, 2007 01:10 AM

    Originally posted by: sprynter


    We're using NIS with AIX 5.3 (on a p570).

    I've recently installed sshd (from IBM site, OpenSSH 4.3.0.5300) but I can't fix an issue with non-root NIS users.

    Root can connect and login, but any NIS users are authenticated, then immediately disconnected.

    The error reported by sshd (in syslog):

    [code]
    auth|security:crit sshd 155880: fatal: permanently_set_uid: was able to restore old (e)gid
    [/code]

    I've tried enabling/disabling privilege separation (in sshd_config), but no help.
    Googling for sshd issues came up empty (some close hits, but not exactly).

    We have many other platforms successfully working with ssh and NIS.

    Anyone have any ideas?


  • 2.  Re: Problems with OpenSSH on AIX 5.3

    Posted Wed January 24, 2007 07:51 AM

    Originally posted by: SystemAdmin


    Is root your only non-NIS user? If not, can other non-NIS users connect with ssh? Do you have local console access to the box? If so, can NIS users log on locally? What I'm getting at here is to determine whether you have an SSH problem, an NIS problem or both.

    As I understand it, the error message you're seeing happens when the ssh daemon, which runs as root, is trying and failing to set the effective group id of your login shell. Are you sure your NIS scheme is set up properly? If you log on locally with a non-root account, can you su to another account?

    HTH

    Jim Lane


  • 3.  Re: Problems with OpenSSH on AIX 5.3

    Posted Wed January 24, 2007 05:41 PM

    Originally posted by: sprynter


    Jim,
    To answer your questions:

    • root is not the only non-NIS user.
    • other non-NIS users can connect successfully with ssh.
    • NIS users can telnet successfully and login via console.
    • a non-root account can su to both other non-root accounts and NIS accounts.

    So I'd thought NIS was working properly. The combination of NIS and sshd does not.

    sprynter


  • 4.  Re: Problems with OpenSSH on AIX 5.3

    Posted Wed January 24, 2007 10:20 AM

    Originally posted by: SystemAdmin


    One thing that works for LDAP users is to add this line to the sshd_config file:
    UsePAM yes

    Not sure that will matter, but it's worth a try. You have to stop and restart sshd after you do this.


  • 5.  Re: Problems with OpenSSH on AIX 5.3

    Posted Wed January 24, 2007 05:46 PM

    Originally posted by: sprynter


    I've just tried
    UsePAM = yes
    in sshd_config

    Same combination of errors. root and non-NIS users can ssh. NIS users get the

    [code]
    fatal: permanently_set_uid: was able to restore old [e]gid
    [/code]

    error in syslog.

    Appears not to be an authentication issue.


  • 6.  Re: Problems with OpenSSH on AIX 5.3 - solved!

    Posted Wed January 24, 2007 06:01 PM

    Originally posted by: sprynter


    I stumbled on the problem in /etc/group:

    [code]
    staff:!:1:ipsec,sshd
    [/code]

    The groups are NISed from id 10 upwards on all our boxes.
    AIX was the only OS in our environment (mostly Linux, Solaris, HP-UX) that (by default) has the staff group id under 10.

    99% of our NIS accounts have staff as their primary group.

    Obviously this was interfering with assigning an effective gid via sshd. Commenting out the offending line (we don't need a local staff account on the server) solved the problem.

    I'm kicking myself for not following the obvious path from the error message (gid -> /etc/group vs NIS group).

    Thanks all, anyway.

    sprynter


  • 7.  Re: Problems with OpenSSH on AIX 5.3 - solved!

    Posted Wed November 30, 2016 05:11 PM

    Originally posted by: Govind-Paciolan


    I am struggling with a similar problem.

    I am able to ssh normally to an AIX server, however when I share the ssh keys, I am immediately logged out.

    /var/adm/messages has a similar error message to the one shared in previous posts: fatal: permanently_set_uid: was able to restore old (e)gid.

    My user accounts are authenticated via LDAP.


    Please help!


    Govindl