pam.allow.override does not work on AIX (it works on other operating systems): users cannot log in to a local account with the username user@localhost
The documentation team will add this restriction to the product documentation.
Applies to: All versions of DirectControl on all AIX versions
Question:
On AIX, the pam.allow.override setting in centrifydc.conf is configured so that a set of users can log in with their local accounts if the DirectControl agent becomes disconnected. However, when a user tries to log in to the local account with the username user@localhost, the ssh session appears to hang and then times out. The same configuration works on Linux.
Is it possible to use the pam.allow.override setting and log in to a local account with the @localhost syntax on AIX?
Answer:
Unfortunately, using a username with the @localhost suffix on AIX is not supported.
The problem lies in the LAMGetEntry call, which retrieves user information and extended attributes and is the AIX counterpart of an NSS lookup on Linux. (Note: AIX has no NSS.) When sshd processes its Deny/Allow directives, it tries to retrieve the user's information through LAMGetEntry().
However, this call does not support the @localhost syntax: it does not allow the username to be rewritten to the name without the @localhost suffix (i.e. the suffix cannot be stripped). The LAMGetEntry call for the user therefore ends with a NOTFOUND result, and the login attempt fails because the user can be neither found nor authenticated.
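The following added example is not Centrify's own code. It shows how an administrator might inspect the pam.allow.override list in a centrifydc.conf-style file and flag, per operating system, which login form to expect: a plain local name works everywhere, while the user@localhost form is reported as unsupported on AIX. The configuration file content is constructed here; the conf path and the "key: value" line format are assumptions.

```shell
#!/bin/sh
# Added example (not Centrify's code). Parses pam.allow.override from a
# centrifydc.conf-style file and classifies a login name by whether the
# @localhost form is usable on the given OS. The sample conf is constructed.

# Print the users listed in pam.allow.override, one per line.
# Commented-out lines are ignored; the value may be comma- or space-separated.
allow_override_users() {
    sed -n 's/^[[:space:]]*pam\.allow\.override[[:space:]]*:[[:space:]]*//p' "$1" \
        | tr ',' ' ' | tr -s ' ' '\n' | sed '/^$/d'
}

# Classify a login name ($1) for an OS name ($2) as reported by `uname -s`:
#   ok          - plain local name, or the @localhost form on a non-AIX host
#   unsupported - the @localhost form on AIX (LAMGetEntry cannot strip it)
login_form_check() {
    case "$1" in
        *@localhost) [ "$2" = "AIX" ] && echo unsupported || echo ok ;;
        *)           echo ok ;;
    esac
}

# Constructed sample configuration, written to a temporary file for the demo.
SAMPLE_CONF="${TMPDIR:-/tmp}/centrifydc.conf.sample.$$"
cat > "$SAMPLE_CONF" <<'EOF'
# pam.allow.override: this commented-out line must be ignored
pam.allow.override: root, admin  backup
EOF

# Report, for the running OS, whether each listed user can use the @localhost form.
OS_NAME="$(uname -s)"
for u in $(allow_override_users "$SAMPLE_CONF"); do
    printf '%s@localhost on %s: %s\n' "$u" "$OS_NAME" \
        "$(login_form_check "$u@localhost" "$OS_NAME")"
done
rm -f "$SAMPLE_CONF"
```

Run it as a plain sh script; on an AIX host every listed user is reported as unsupported for the @localhost form, which matches the behaviour described above, and on Linux each is reported as ok.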