I'm trying to get to the bottom of an issue with key authentication on AIX and I'm not sure I believe IBM's answer, so I thought I'd post here to see what answer I'd get from the SSH side.

We have three different methods of authentication - local, VAS (AD), NIS. On our Linux and Solaris servers it's very simple to set the authentication order with nsswitch.conf, and SSH follows that order on those systems without any issues - even with key-authentication. On AIX, however, if we use key-authentication it always hits NIS before VAS. IBM is telling us that it is because that's how SSH works, and we keep trying to tell them that it doesn't work like that anywhere else - only on AIX.

It's my understanding that SSH will authenticate in the order established by the OS and not vice-versa - is this thinking correct? We have workarounds for the issue, but we'd like to have IBM own up to what we perceive as a flaw in their authentication model instead of blaming it on how SSH works.

Here is the latest from their developers:

"Discussed about the SSH design. As we are copying the public key in the /home/(user). So in this case authentication is done by the SSH Server. But in case of password authentication NIS server or VAS server is doing the authentication. Therefore in the password case it is able to differentiate between NIS and VAS user. But in case of Public Key Authentication it is first taking the NIS user and then server is doing the authentication. So it is not able to differentiate between the two users in case of PUBLIC KEY AUTHENTICATION."

My belief is that even with key-authentication SSH still has to have the user account validated by the OS, and that the order in which this validation will occur is determined by the OS, not the SSH server. At least this is what happens on our other operating systems - we can switch the authentication order and it will authenticate to whichever option is first.

Thanks,
Frank LaMon