Re: 5.3 -> 5 : sshd multiple log entries & login_getclass: unknown class 'root'

From: Andrew Konstantinov (andrei_at_kableu.com)
Date: 02/06/05

    Date: Sun, 6 Feb 2005 14:22:03 -0800
    To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
    
    
    

    On Sun, Feb 06, 2005 at 09:07:38PM +0000, Bjoern A. Zeeb wrote:
    > On Sun, 6 Feb 2005, Andrew Konstantinov wrote:
    >
    > > On Sun, Feb 06, 2005 at 12:29:23PM -0800, Doug White wrote:
    > > > On Sun, 6 Feb 2005, Andrew Konstantinov wrote:
    > > >
    > > > > *Possible* exact reproduction steps:
    > > > > - install RELENG_5
    > > > > - rebuild RELENG_5 with "NO_NIS=true" in /etc/make.conf
    > > > > - restart sshd service
    > > >
    > > > Sorry, no dice. I had to set "PermitRootLogin yes" in
    > > > /etc/ssh/sshd_config but logging in as root with password succeeds with no
    > > > login class warning. Upgraded from a RELENG_5 from yesterday to one about
    > > > 90 minutes old.
    > > >
    > > > What are the contents of /etc/nsswitch.conf? bz is telling me that if you
    > > > still have 'nis' in the lines in nsswitch and you compile with NO_NIS that
    > > > you'll get weird user lookup errors.
    > > >
    > > > Also what are the contents of /etc/make.conf?
    > >
    > > #--- The nsswitch.conf:
    > > group: compat
    > > group_compat: nis
    > > hosts: files dns
    > > networks: files
    > > passwd: compat
    > > passwd_compat: nis
    > > shells: files
    > > #----------------------
    > >
    > > Hmm, I completely forgot about that one. :( I guess 'nis' should have been
    > > switched to 'files' whenever the system is compiled with "NO_NIS=true".
    >
    > it's not documented - sorry, will do that.
    >
    > change it to sth like:
    >
    > group: files
    > hosts: files dns
    > networks: files
    > passwd: files
    > shells: files
    >
    > w/o this change I can see sth like this when doing passwd auth:
    >
    > 'sshd[1995]: NSSWITCH(nss_method_lookup): nis, passwd_compat, endpwent, not found'
    >
    > But I suspect this will not help with your problem.

    Actually, that solves all the problems. Once I switched to your version of
    nsswitch.conf, all the "unknown class" bugs and multiple logging events have
    disappeared.

    > Did you change your login.conf?

    I always used the one that FreeBSD supplies, without any modifications. I even
    copied it from /usr/src/ multiple times and rebuilt the database from it to
    ensure that it's not some sort of filesystem glitch.

    > Could you mail me (private mail please) the library with which you can
    > see the problems?

    libc.so.5 with debug symbols is on its way to bz@

    As a sidenote: I definitely agree that it should be documented. Also, it's my
    personal opinion, but perhaps it's better to switch the default nsswitch.conf
    file to the one that doesn't contain "nis" as a lookup mechanism. It's much
    easier to add to the "NIS/YP" section in the handbook a couple of lines that tell
    the reader to modify /etc/nsswitch.conf to accommodate "NIS/YP" than documenting
    (I can't think of any appropriate section) that whenever a system is built with
    "NO_NIS=true" in the make file, the user should modify the /etc/nsswitch.conf
    to accommodate the change. I realized that it's entirely my fault for not
    looking forward to the impact of "NO_NIS=true", but still, I consider the above
    described approach better.

    Andrew
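
The mismatch this thread tracks down (a world built with NO_NIS while /etc/nsswitch.conf still lists the nis source) can be checked for mechanically. The script below is an added example, not part of the original message or of FreeBSD; the function names are hypothetical, and it assumes that any uncommented NO_NIS assignment in make.conf counts as set.

```shell
#!/bin/sh
# Added example: flag nsswitch.conf databases that list "nis" when make.conf sets NO_NIS.

# no_nis_set FILE: succeed if FILE has an uncommented NO_NIS assignment
# (assumption: any assignment counts as set, whatever its value).
no_nis_set() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*NO_NIS[[:space:]]*[?+:]?=' "$1"
}

# nis_databases FILE: print each database whose source list contains "nis".
nis_databases() {
    awk '
        { sub(/#.*/, "") }                       # drop comments
        (n = index($0, ":")) == 0 { next }       # not a "database: sources" line
        {
            db = substr($0, 1, n - 1); gsub(/[[:space:]]/, "", db)
            cnt = split(substr($0, n + 1), src, /[[:space:]]+/)
            for (i = 1; i <= cnt; i++)
                if (src[i] == "nis") { print db; break }
        }
    ' "$1"
}

# check_nis [NSSWITCH [MAKECONF]]: return 1 and list the databases on a mismatch.
check_nis() {
    nss=${1:-/etc/nsswitch.conf}
    mk=${2:-/etc/make.conf}
    no_nis_set "$mk" || { echo "OK: NO_NIS not set in $mk"; return 0; }
    dbs=$(nis_databases "$nss")
    [ -n "$dbs" ] || { echo "OK: no nis sources in $nss"; return 0; }
    for db in $dbs; do
        echo "MISMATCH: $db in $nss uses nis, but $mk sets NO_NIS"
    done
    return 1
}

# demo: run the check on temporary copies of the two files quoted in the thread.
demo() {
    d=$(mktemp -d) || return 2
    printf 'NO_NIS=true\n' > "$d/make.conf"
    printf '%s\n' 'group: compat' 'group_compat: nis' 'hosts: files dns' \
        'networks: files' 'passwd: compat' 'passwd_compat: nis' \
        'shells: files' > "$d/nsswitch.conf"
    check_nis "$d/nsswitch.conf" "$d/make.conf"; rc=$?
    rm -rf "$d"; return $rc
}

# With arguments, check those files; without, run the demo (status not propagated).
if [ $# -gt 0 ]; then check_nis "$@"; else demo; fi || true
```

Run on the files from the thread, it reports group_compat and passwd_compat. Call `check_nis` directly when the exit status is needed.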
