Bug 25662 - openssh 3.6.1_p2 does not allow nis logins.
Summary: openssh 3.6.1_p2 does not allow nis logins.
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: All Linux
Importance: High normal
Assignee: Daniel Ahlberg (RETIRED)
Reported: 2003-07-31 12:44 UTC by Ryan Hadley
Modified: 2004-02-06 02:18 UTC

Description Ryan Hadley 2003-07-31 12:44:13 UTC
The /etc/pam.d/sshd file does not allow NIS logins.  NIS users can log in through
trusted certificates, but password auth always fails.

Here are the contents of the distributed pam.d/sshd file:

auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

I got nis logins working through openssh by changing /etc/pam.d/sshd to this:

auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

I however have no idea why it worked, or if I did something bad, since I have no
knowledge of pam configuration.

Reproducible: Always
Portage 2.0.48-r5 (default-x86-1.4, gcc-3.2.2, glibc-2.3.1-r4)
=================================================================
System uname: 2.4.21_rc8-gss i686 AMD Athlon(TM) XP 2000+
GENTOO_MIRRORS="http://gentoo.oregonstate.edu
http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
CONFIG_PROTECT="/etc /var/qmail/control /usr/share/config
/usr/kde/2/share/config /usr/kde/3/share/config /var/bind /usr/X11R6/lib/X11/xkb"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
PORTDIR="/usr/portage"
DISTDIR="/usr/portage/distfiles"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR_OVERLAY=""
USE="x86 apm arts avi crypt cups encode foomaticdb gif imlib jpeg libg++ mad
mikmod mpeg ncurses nls oggvorbis png quicktime sdl spell xml2 xmms xv zlib
berkdb slang readline svga gpm tcpd pam libwww ssl perl python motif opengl mcal
cjk imap -gtk -qt -truetype -pdflib -java -gdbm -X -gnome -kde -alsa -oss sse
mmx 3dnow mysql"
COMPILER="gcc3"
CHOST="i686-pc-linux-gnu"
CFLAGS="-march=athlon-xp -mfpmath=sse -pipe -O2 -fomit-frame-pointer"
CXXFLAGS="-O2 -mcpu=i686 -pipe"
ACCEPT_KEYWORDS="x86"
MAKEOPTS="-j2"
AUTOCLEAN="yes"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
FEATURES="sandbox ccache"
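
An added example, not part of the original report or Gentoo's own code: it diffs the two stacks quoted above to show what the edit dropped, and checks a passwd entry against a shells list the way pam_shells.so does (that module only passes accounts whose login shell is listed in /etc/shells). The NIS entry and the shells list are constructed, and a shell mismatch is only one possible explanation, which the thread does not confirm.

```shell
#!/bin/sh
# Copies of the two /etc/pam.d/sshd stacks quoted in the report.
ORIGINAL_STACK='auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth'
MODIFIED_STACK='auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth'

# Constructed sample data (hypothetical user and shells list).
NIS_ENTRY='jdoe:x:2001:100:Constructed NIS user:/home/jdoe:/usr/local/bin/tcsh'
SHELLS='# constructed /etc/shells
/bin/sh
/bin/bash
/bin/tcsh'

# Print unique "type module" pairs, skipping comments and short lines.
pam_entries() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && NF >= 3 { print $1, $3 }' | sort -u
}

# Entries present in stack $1 that are missing from stack $2.
pam_removed() {
    new=$(pam_entries "$2")
    pam_entries "$1" | while IFS= read -r entry; do
        printf '%s\n' "$new" | grep -qxF -- "$entry" || printf '%s\n' "$entry"
    done
}

# Succeeds only if field 7 of passwd line $1 appears in shells list $2.
# Simplification: an empty shell field is treated as not listed.
shell_listed() {
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    [ -n "$shell" ] || return 1
    printf '%s\n' "$2" | grep -v '^#' | grep -qxF -- "$shell"
}

echo "Entries dropped by the edit:"
pam_removed "$ORIGINAL_STACK" "$MODIFIED_STACK"
if shell_listed "$NIS_ENTRY" "$SHELLS"; then
    echo "login shell is listed: pam_shells would pass this account"
else
    echo "login shell is not listed: pam_shells would reject this account"
fi
```

On a live system, pass the output of `ypmatch <user> passwd` and the contents of /etc/shells instead of the constructed values. The diff also shows that the edit removed the `password` stack, not only pam_shells.so.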
Comment 1 Andrew Cooks (RETIRED) gentoo-dev 2003-10-06 09:34:35 UTC
This is an old version of Openssh with known security vulnerabilities.
Comment 2 Daniel Ahlberg (RETIRED) gentoo-dev 2003-10-13 08:05:35 UTC
Ryan: Does 3.7.1_p2 have the same problems with nis?
Comment 3 Ryan Hadley 2003-10-13 08:26:40 UTC
3.7.1_p2 has a new problem for me.  Seems that it's a feature in the latest
version of openssh.  I guess in order for PAM to work for 3.7.X, you have
to use Keyboard Interactive mode.  Almost all clients support this, but many
of them don't seem to do it by default.  Getting all my users to make these
changes to their ssh clients will be a pain and take much time...

Reference: 
http://marc.theaimsgroup.com/?l=secure-shell&m=106572058304139&w=2

Kinda sucks that they just threw that out there...
So, I'll find out someday and when I do I'll update this bug.
Comment 4 Ryan Hadley 2003-10-20 08:54:03 UTC
Not an issue in 3.7.1_p2

However additional work is still required to get this to work in 3.7.1_p2.

Along with my previous comment, PAM is disabled by default now.  You have
to turn it on with "UsePAM yes" in the sshd_config file.
Comment 5 Andrew Cooks (RETIRED) gentoo-dev 2004-02-01 08:09:50 UTC
Currently, all that's needed is that "UsePAM yes" has to be turned on. 

The question is really whether this is a good default or not. I think it is, but I didn't file the bug.

Can we close this bug?
Comment 6 Ryan Hadley 2004-02-01 09:20:55 UTC
Sorry for any misunderstanding, having to add UsePAM yes is not a problem, I was just adding additional information in case someone happened to search on nis problems with ssh.

Since no one should be using 3.6.1_p2, I see no reason why this bug shouldn't be closed.
Comment 7 Daniel Ahlberg (RETIRED) gentoo-dev 2004-02-06 02:18:42 UTC
Closing.