OpenSSH + AIX + WINBIND + AD auth - Aix


  1. OpenSSH + AIX + WINBIND + AD auth

    I've got a P55 with AIX 5.3 running with winbind successfully bound to
    our Active Directory (Windows 2003 Server) environment, and the AIX
    box is successfully processing authentications through AD when users
    log in via "telnet" (yuck).

    I've installed OpenSSH and that is successfully processing logins for
    local users, but when I attempt to log in as an AD user, it
    immediately logs the user out:
    ~]# ssh aix53sys -l myuser
    myuser@aix53sys's password:
    Connection to aix53sys closed by remote host.
    Connection to aix53sys closed.

    When I run /usr/sbin/sshd -ddd and I try to ssh in using an AD user, I
    get (trimmed):
    debug3: AIX/setauthdb set registry 'WINBIND'
    debug3: aix_restoreauthdb: restoring old registry ''
    debug1: monitor_child_preauth: myuser has been authenticated by privileged process
    debug3: mm_get_keystate: Waiting for new keys
    debug3: mm_request_receive_expect entering: type 24
    debug3: mm_request_receive entering
    debug3: mm_newkeys_from_blob: 20080108(118)
    debug2: mac_setup: found hmac-md5
    debug3: mm_get_keystate: Waiting for second key
    debug3: mm_newkeys_from_blob: 20080108(118)
    debug2: mac_setup: found hmac-md5
    debug3: mm_get_keystate: Getting compression state
    debug3: mm_get_keystate: Getting Network I/O buffers
    debug3: mm_share_sync: Share sync
    debug3: mm_share_sync: Share sync end
    debug1: audit event euid 0 user myuser event 2 (SSH_authsuccess)
    debug2: User child is on pid 381052
    debug3: mm_request_receive entering
    debug3: AIX/setauthdb set registry 'WINBIND'
    debug1: do_cleanup
    debug1: audit event euid 0 user myuser event 12 (SSH_connabndn)

    And I am seeing logged via syslog (which I hadn't noticed until I
    started composing this message.. it has some interesting errors - I re-
    generated the keys to get the same result here, though.. I suspect
    this is a red herring):
    Sep 4 20:44:46 aix53sys auth|security:debug sshd[381062]: debug3: recv_rexec_state: entering fd = 5
    Sep 4 20:44:46 aix53sys auth|security:debug sshd[381062]: debug3: ssh_msg_recv entering
    Sep 4 20:44:46 aix53sys auth|security:debug sshd[381062]: debug3: recv_rexec_state: done
    Sep 4 20:44:46 aix53sys auth|security:debug sshd[381062]: debug2: parse_server_config: config rexec len 163
    Sep 4 20:44:46 aix53sys auth|security:debug sshd[381062]: debug3: rexec:21 setting Protocol 2
    Sep 4 20:44:46 aix53sys auth|security:debug sshd[381062]: debug3: rexec:110 setting Subsystem sftp\t/usr/sbin/sftp-server
    Sep 4 20:44:46 aix53sys auth|security:debug sshd[381062]: debug1: sshd version OpenSSH_4.7p1
    Sep 4 20:44:46 aix53sys auth|security:debug sshd[381062]: debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
    Sep 4 20:44:46 aix53sys auth|security:debug sshd[381062]: debug1: read PEM private key done: type RSA
    Sep 4 20:44:46 aix53sys auth|security:debug sshd[381062]: debug1: private host key: #0 type 1 RSA
    Sep 4 20:44:46 aix53sys auth|security:debug sshd[381062]: debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
    Sep 4 20:44:46 aix53sys auth|security:debug sshd[381062]: debug1: read PEM private key done: type DSA
    Sep 4 20:44:46 aix53sys auth|security:debug sshd[381062]: debug1: private host key: #1 type 2 DSA

    I'm not sure what else to check or why it is failing on the AD users
    only.. telnet and other clear protocols work (rlogin, rsh), but,
    as expected, we can't use those in our production environment...

    -Rich
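
The trace in the post above shows the password being accepted (SSH_authsuccess) and the connection then being dropped (SSH_connabndn). The script below is an added example, not part of the original post: it reads an `sshd -ddd` trace and reports the last debug step logged between those two audit events. The function names and the user "other" are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): triage an `sshd -ddd` trace and report
# users whose connection was abandoned after authentication had succeeded.
# Assumes one connection per trace, which is how `sshd -d` runs.

# Constructed sample: lines copied from the trace in the post (unwrapped),
# plus one constructed pre-auth disconnect for a hypothetical user "other".
sample_trace() {
    cat <<'EOF'
debug1: audit event euid 0 user other event 12 (SSH_connabndn)
debug3: AIX/setauthdb set registry 'WINBIND'
debug3: aix_restoreauthdb: restoring old registry ''
debug1: monitor_child_preauth: myuser has been authenticated by privileged process
debug1: audit event euid 0 user myuser event 2 (SSH_authsuccess)
debug2: User child is on pid 381052
debug3: mm_request_receive entering
debug3: AIX/setauthdb set registry 'WINBIND'
debug1: do_cleanup
debug1: audit event euid 0 user myuser event 12 (SSH_connabndn)
EOF
}

triage_sshd_debug() {
    awk '
    /audit event/ {
        # Pull the user name and the event name, e.g. (SSH_authsuccess).
        user = ""
        for (i = 1; i < NF; i++)
            if ($i == "user") user = $(i + 1)
        name = $NF
        gsub(/[()]/, "", name)
        if (name == "SSH_authsuccess") {
            authed[user] = 1
            last = "(none)"          # start tracking post-auth steps
        } else if (name == "SSH_connabndn" && authed[user]) {
            printf "%s: authenticated, then abandoned; last step: %s\n", user, last
            authed[user] = 0
        }
        next
    }
    /do_cleanup/ { next }            # teardown, not the failing step
    /debug[123]: / {
        # Remember the most recent step, minus any syslog prefix.
        step = $0
        sub(/^.*debug[123]: /, "", step)
        last = step
    }
    '
}

sample_trace | triage_sshd_debug
```

On the sample, only `myuser` is reported, with the registry switch to WINBIND in the user child as the last step before cleanup; the pre-auth disconnect for "other" is ignored.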

  2. Re: OpenSSH + AIX + WINBIND + AD auth

    On Sep 5, 12:56 pm, wesmoc wrote:
    > I've got a P55 with AIX 5.3 running with winbind successfully bound to
    > our Active Directory (Windows 2003 Server) environment, and the AIX
    > box is successfully processing authentications through AD when users
    > log in via "telnet" (yuck).
    >
    > I've installed OpenSSH and that is successfully processing logins for
    > local users, but when I attempt to log in as an AD user, it
    > immediately logs the user out:
    > ~]# ssh aix53sys -l myuser
    > myuser@aix53sys's password:
    > Connection to aix53sys closed by remote host.
    > Connection to aix53sys closed.
    >
    > When I run /usr/sbin/sshd -ddd and I try to ssh in using an AD user, I
    > get (trimmed):
    > debug3: AIX/setauthdb set registry 'WINBIND'
    > debug3: aix_restoreauthdb: restoring old registry ''
    > debug1: monitor_child_preauth: myuser has been authenticated by privileged process
    > debug3: mm_get_keystate: Waiting for new keys
    > debug3: mm_request_receive_expect entering: type 24
    > debug3: mm_request_receive entering
    > debug3: mm_newkeys_from_blob: 20080108(118)
    > debug2: mac_setup: found hmac-md5
    > debug3: mm_get_keystate: Waiting for second key
    > debug3: mm_newkeys_from_blob: 20080108(118)
    > debug2: mac_setup: found hmac-md5
    > debug3: mm_get_keystate: Getting compression state
    > debug3: mm_get_keystate: Getting Network I/O buffers
    > debug3: mm_share_sync: Share sync
    > debug3: mm_share_sync: Share sync end
    > debug1: audit event euid 0 user myuser event 2 (SSH_authsuccess)
    > debug2: User child is on pid 381052
    > debug3: mm_request_receive entering
    > debug3: AIX/setauthdb set registry 'WINBIND'
    > debug1: do_cleanup
    > debug1: audit event euid 0 user myuser event 12 (SSH_connabndn)
    >
    > And I am seeing logged via syslog (which I hadn't noticed until I
    > started composing this message.. it has some interesting errors - I re-
    > generated the keys to get the same result here, though.. I suspect
    > this is a red herring):
    > Sep 4 20:44:46 aix53sys auth|security:debug sshd[381062]: debug3: recv_rexec_state: entering fd = 5
    > Sep 4 20:44:46 aix53sys auth|security:debug sshd[381062]: debug3: ssh_msg_recv entering
    > Sep 4 20:44:46 aix53sys auth|security:debug sshd[381062]: debug3: recv_rexec_state: done
    > Sep 4 20:44:46 aix53sys auth|security:debug sshd[381062]: debug2: parse_server_config: config rexec len 163
    > Sep 4 20:44:46 aix53sys auth|security:debug sshd[381062]: debug3: rexec:21 setting Protocol 2
    > Sep 4 20:44:46 aix53sys auth|security:debug sshd[381062]: debug3: rexec:110 setting Subsystem sftp\t/usr/sbin/sftp-server
    > Sep 4 20:44:46 aix53sys auth|security:debug sshd[381062]: debug1: sshd version OpenSSH_4.7p1
    > Sep 4 20:44:46 aix53sys auth|security:debug sshd[381062]: debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
    > Sep 4 20:44:46 aix53sys auth|security:debug sshd[381062]: debug1: read PEM private key done: type RSA
    > Sep 4 20:44:46 aix53sys auth|security:debug sshd[381062]: debug1: private host key: #0 type 1 RSA
    > Sep 4 20:44:46 aix53sys auth|security:debug sshd[381062]: debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
    > Sep 4 20:44:46 aix53sys auth|security:debug sshd[381062]: debug1: read PEM private key done: type DSA
    > Sep 4 20:44:46 aix53sys auth|security:debug sshd[381062]: debug1: private host key: #1 type 2 DSA
    >
    > I'm not sure what else to check or why it is failing on the AD users
    > only.. telnet and other clear protocols work (rlogin, rsh), but,
    > as expected, we can't use those in our production environment...
    >
    > -Rich


    You created a key? I wouldn't be trying a public key authentication
    between Windows and UNIX, kind of defeats the purpose.
