Created attachment 3144 [details] ldapuser_log

Hello,

Hope you are doing fine. I am using OpenSSH 7.5p1 on an AIX environment. I have installed the IBM LDAP filesets and tried to test SSH functionality with an LDAP user. I created ldapuser and tried to log in as that user using public key authentication. After logging in, I saw that its environment variable AUTHSTATE shows compat instead of LDAP. In the case of password-based authentication, it shows LDAP, which is the right behavior. Can you please look into this issue? I am sending logs too. Please let me know if you need some extra information.

Thanks & Regards
Mayank Sharma
The client-side logs don't help here; instead, what you are after might be in the server-side logs (e.g. "/path/to/sshd -ddde -p 2022" to run it on port 2022). Looking at the code, it looks like sshd never sets AUTHSTATE, although it will copy it into the shell child. I think it'll be set by the authenticate() call which does password auth, but that does not get called for publickey auth. Given that it is not actually authenticating via LDAP, what do you expect it to do?
Hi Darren,

Please find more details below.

1. I have made an AIX-LDAP server and client setup.

2. Now I created an LDAP user using the commands below:

    # mkuser -R LDAP ldapuser
    # passwd -R LDAP ldapuser

3. Now I tried password-based authentication for this user and we get the following environment variables set for this user:

    $ ssh localhost
    ldapuser@localhost's password:
    Last unsuccessful login: Wed May 2 03:16:40 CDT 2018 on ssh from 127.0.0.1
    Last login: Wed May 2 03:16:45 CDT 2018 on /dev/pts/3 from 127.0.0.1
    . . .
    $
    $ env
    ...
    AUTHSTATE=LDAP
    ...
    $

4. Now I did the password-less authentication setup using the commands below:

    # su ldapuser
    # ssh-keygen
    # cp /home/ldapuser/.ssh/id_rsa.pub /home/ldapuser/.ssh/authorized_keys

5. And tried to log in:

    $ ssh localhost
    Last unsuccessful login: Wed May 2 03:16:40 CDT 2018 on ssh from 127.0.0.1
    Last login: Wed May 2 03:16:45 CDT 2018 on /dev/pts/3 from 127.0.0.1
    . . .
    $
    $ env
    ...
    AUTHSTATE=compat
    ...
    $

As we can see, in step 3 we have AUTHSTATE set to LDAP, whereas in step 5 AUTHSTATE is set to compat. The expectation is that AUTHSTATE should display LDAP irrespective of the authentication method (password-less or password-based).

Please let me know if you need additional information. I will further attach sshd logs.
Created attachment 3146 [details] sshd password-based authentication logs
Created attachment 3147 [details] sshd password-less authentication logs
Comment on attachment 3147 [details] sshd password-less authentication logs

> debug3: AIX/setauthdb set registry 'LDAP'
> debug1: AIX/loginsuccess: [...]
> debug3: aix_restoreauthdb: restoring old registry ''
[...]
> AUTHSTATE=compat

It's calling setauthdb before all of the auth-related functions and AUTHSTATE doesn't get set; it certainly looks like it's the authenticate() call that's setting it.

> The expectation is that the AUTHSTATE should display LDAP irrespective of authentication methods(password-less or password-based).

Why would you expect that? You're not authenticating via LDAP in that case.
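As an added triage helper (not part of this thread or of OpenSSH), the following parses the AIX-specific lines quoted above out of an `sshd -ddd` capture, together with the standard "Accepted <method> for <user>" line, and reports whether the session's AUTHSTATE matches the registry sshd switched to and whether the password path (the one that calls authenticate()) was taken. The sample log is constructed from the quoted lines, not a real capture.

```python
import re

# Constructed sample modelled on the lines quoted in this thread; the bracketed
# parts of the original attachment are elided. Not a real capture.
SAMPLE_LOG = """\
debug3: AIX/setauthdb set registry 'LDAP'
debug1: AIX/loginsuccess: [...]
Accepted publickey for ldapuser from 127.0.0.1 port 4242 ssh2: RSA SHA256:CONSTRUCTED
debug3: aix_restoreauthdb: restoring old registry ''
"""

SET_RE = re.compile(r"AIX/setauthdb set registry '([^']*)'")
RESTORE_RE = re.compile(r"aix_restoreauthdb: restoring old registry '([^']*)'")
ACCEPT_RE = re.compile(r"^Accepted (\S+) for (\S+) from ")


def parse_sshd_aix_log(text):
    """Extract registry switches and accepted auth methods from sshd debug output."""
    summary = {"registries": [], "restored": [], "methods": [], "users": []}
    for line in text.splitlines():
        if m := SET_RE.search(line):
            summary["registries"].append(m.group(1))
        elif m := RESTORE_RE.search(line):
            summary["restored"].append(m.group(1))
        elif m := ACCEPT_RE.match(line):
            summary["methods"].append(m.group(1))
            summary["users"].append(m.group(2))
    return summary


def triage(text, authstate):
    """Compare the AUTHSTATE seen in the session with what sshd did during auth.

    Per the thread: setauthdb() alone does not set AUTHSTATE; only the password
    path (authenticate()) does, so a publickey login with AUTHSTATE=compat is the
    expected result, not a registry misconfiguration.
    """
    s = parse_sshd_aix_log(text)
    s["authstate"] = authstate
    s["password_auth"] = "password" in s["methods"]
    s["authstate_matches_registry"] = authstate in s["registries"]
    return s


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "compat"))
```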