Applies to: Direct Audit Suite 2015.1 and 2016 on some AIX 7.1 (TL0-SP0) hosts
Problem:
Local users are unable to log in via ssh on some AIX 7.1 (TL0-SP0) hosts when stock ssh is installed and Direct Audit is enabled.
Example:
#ssh myaixmachine -l localuser
localuser@myaixmachine's password:
Connection to myaixmachine closed by remote host.
Connection to myaixmachine closed.
In the Centrify sshd debug trace, messages such as these appear:
debug3: AIX SYSTEM attribute CENTRIFYDC OR (CENTRIFYDC[NOTFOUND] AND ((CENTRIFYDALOCAL AND (compat)) OR (CENTRIFYDALOCAL[NOTFOUND] AND (compat))))
debug3: do_getpwnam_aix: unable to getauthdb as no setauthdb called previously, ignoring ......
debug2: aix_getauthmethods: Return auth methods 'CENTRIFYDC' for getpwuid/getpwnam
debug2: aix_getauthmethods: Return auth methods 'CENTRIFYDALOCAL' for getpwuid/getpwnam
debug3: do_getpwnam_aix: AIX/setauthdb set registry 'CENTRIFYDC'
debug3: do_getpwnam_aix: AIX/found user locutus with registry 'CENTRIFYDC'
debug3: aix_registry: AIX/getuserattr get user registry 'CENTRIFYDC'
debug3: AIX/setauthdb set registry 'CENTRIFYDC'
In the stock sshd debug trace, messages such as these appear:
debug3: AIX SYSTEM attribute CENTRIFYDC OR (CENTRIFYDC[NOTFOUND] AND ((CENTRIFYDALOCAL AND (compat)) OR (CENTRIFYDALOCAL[NOTFOUND] AND (compat))))
debug3: AIX/setauthdb set registry 'CENTRIFYDALOCAL'
Centrify modifies sshd to run through the auth methods, so the Centrify sshd correctly picks CENTRIFYDC. The stock sshd sets the registry to CENTRIFYDALOCAL instead. Note that CENTRIFYDALOCAL does not perform authentication. Thus, the authentication fails.
Cause:
The root cause is that the stock sshd does not set authdb correctly.
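The two traces above differ in the registry named by the last setauthdb line, which a short script can check when triaging a failed local login. This is an added example, not a Centrify tool: the function names are hypothetical and the sample traces are constructed from the lines quoted in this article.

```shell
#!/bin/sh
# Added example (not Centrify code): classify an sshd debug trace by the
# registry named in its last "AIX/setauthdb set registry '...'" line.

# Print the registry from the last setauthdb line read on stdin (empty if none).
last_authdb_registry() {
    sed -n "s|.*AIX/setauthdb set registry '\([^']*\)'.*|\1|p" | tail -n 1
}

# Read a trace on stdin and print stock-pattern, centrify-pattern or unknown.
classify_trace() {
    reg=$(last_authdb_registry)
    case "$reg" in
        CENTRIFYDALOCAL) echo "stock-pattern" ;;    # registry that does no authentication
        CENTRIFYDC)      echo "centrify-pattern" ;; # registry picked by Centrify sshd
        *)               echo "unknown" ;;          # no setauthdb line, or another registry
    esac
}

# Constructed sample: the stock sshd lines quoted in the article.
sample_stock_trace() {
    cat <<'EOF'
debug3: AIX SYSTEM attribute CENTRIFYDC OR (CENTRIFYDC[NOTFOUND] AND ((CENTRIFYDALOCAL AND (compat)) OR (CENTRIFYDALOCAL[NOTFOUND] AND (compat))))
debug3: AIX/setauthdb set registry 'CENTRIFYDALOCAL'
EOF
}

# Constructed sample: a subset of the Centrify sshd lines quoted in the article.
sample_centrify_trace() {
    cat <<'EOF'
debug2: aix_getauthmethods: Return auth methods 'CENTRIFYDC' for getpwuid/getpwnam
debug2: aix_getauthmethods: Return auth methods 'CENTRIFYDALOCAL' for getpwuid/getpwnam
debug3: do_getpwnam_aix: AIX/setauthdb set registry 'CENTRIFYDC'
debug3: do_getpwnam_aix: AIX/found user locutus with registry 'CENTRIFYDC'
debug3: AIX/setauthdb set registry 'CENTRIFYDC'
EOF
}

printf 'stock sshd trace:    %s\n' "$(sample_stock_trace | classify_trace)"
printf 'Centrify sshd trace: %s\n' "$(sample_centrify_trace | classify_trace)"
```

To check a real trace, pipe the captured sshd debug output into classify_trace instead of the sample functions.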
Resolution:
This is a known issue. AIX O/S (TL0-SP0) sshd does not work with Centrify. The recommendation from Centrify is to use Centrify sshd.
Notes:
1. This issue does not exist for Active Directory users and “root”.
2. This issue does not exist when Direct Audit auditing is disabled.
3. This issue does not exist on AIX 6.1 (TL2-SP1) and AIX 7.1 (TL3-SP3).