IBM Support

AIX Security: How to disable KerberosAuthentication for select local users

Question & Answer


Question

Two users are defined locally and on Active Directory.
userA
userB

The users enter local passwords, but Active Directory (AD) registers failed attempts, and locks the IDs after 5 failed attempts.

Doesn't the following SYSTEM setting mean that AIX authenticates the user locally (compat), and checks the AD and Kerberos only if the local authentication fails? Why does AIX contact AD if the local password is correct?

#lssec -f /etc/security/user -s default -a SYSTEM
default SYSTEM="compat or KRB5LDAP"

Cause

The following attributes were enabled in /etc/ssh/sshd_config:

GSSAPIAuthentication yes
KerberosAuthentication yes
GSSAPICleanupCredentials yes

Before a user authenticates, login must determine if the user is *allowed* to access the system. The user's SYSTEM attribute determines the administrative domains (local, LDAP, and so on) to examine for permission. So for any user whose SYSTEM or registry attribute includes LDAP, the AIX login checks with LDAP to verify permission to log in before the authentication routines are called.

Some examples of login restrictions include:
  • The user account is locked or expired
  • The system maxlogins has been exceeded
  • The user's loginretries has been exceeded
  • The user does not have access to the terminal, or the terminal is locked
The local /etc/security/user settings can be changed to SYSTEM=compat, so LDAP is not checked for login restrictions. However, even if the user is not restricted locally, this sshd server is configured to use Kerberos authentication for ssh logins, regardless of the SYSTEM setting.

Answer

You can disable Kerberos authentication for specific users.

To exclude userA and userB from Kerberos authentication, add a Match stanza to /etc/ssh/sshd_config.

*** Important ***
Match blocks must be placed at the end of the file, after all the global settings. Any directive that follows a Match line belongs to that Match block, not to the global configuration.

Example (match by user):
Match User userA,userB
GSSAPIAuthentication no
KerberosAuthentication no

Or, you can create a "local only" group.

For example, create a group named 'localonly':
# mkgroup users=userA,userB localonly

Then, add a Match block for the group:

Match Group localonly
GSSAPIAuthentication no
KerberosAuthentication no

Stop and restart the sshd server.
# stopsrc -s sshd
# startsrc -s sshd
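The following resolver, added here as an example and not part of the IBM document, shows why the "Match blocks at the end" rule matters. It models the Match semantics of sshd_config(5) for the two criteria the answer uses (Match User and Match Group): the global section is read first, then every Match block whose criteria fit the connecting user overrides the global values, and a directive placed after a Match line is scoped to that block rather than applied globally. The two embedded configurations are constructed for the example; the group membership passed to the functions is assumed, not read from the system.

```python
"""Resolve the sshd_config settings that apply to a given user.

Added example (not IBM's or OpenSSH's code). Modelled on sshd_config(5):
the global section is read first; each Match block in file order whose
criteria fit the user overrides the global value of the keywords it sets;
within one section the first value of a keyword wins. Only the
"Match User" and "Match Group" criteria are modelled.
"""
import fnmatch

# Constructed sample: the Match stanzas from the answer sit at the end
# of the file, after all global settings.
GOOD_CONFIG = """\
GSSAPIAuthentication yes
KerberosAuthentication yes
GSSAPICleanupCredentials yes
PasswordAuthentication yes

Match User userA,userB
    GSSAPIAuthentication no
    KerberosAuthentication no

Match Group localonly
    GSSAPIAuthentication no
    KerberosAuthentication no
"""

# Constructed mis-ordered sample: PasswordAuthentication was appended
# *after* the Match line, so it silently becomes part of that Match block
# and never takes effect for users the block does not match.
BAD_CONFIG = """\
GSSAPIAuthentication yes
KerberosAuthentication yes

Match User userA,userB
    GSSAPIAuthentication no
    KerberosAuthentication no
PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Return (global_settings, blocks); blocks is a list of (criteria, settings).

    Keywords are compared case-insensitively, as sshd does. Within one
    section only the first value of a keyword is kept.
    """
    global_settings = {}
    blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            # "Match User a,b Group g" -> {"user": ["a", "b"], "group": ["g"]}
            tokens = value.split()
            criteria = {name.lower(): pattern.split(",")
                        for name, pattern in zip(tokens[::2], tokens[1::2])}
            current = {}
            blocks.append((criteria, current))
            continue
        current.setdefault(keyword, value)
    return global_settings, blocks


def block_matches(criteria, user, groups):
    """True when every criterion on a Match line is satisfied (glob patterns allowed)."""
    for name, patterns in criteria.items():
        if name == "user":
            if not any(fnmatch.fnmatchcase(user, p) for p in patterns):
                return False
        elif name == "group":
            if not any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns):
                return False
        else:
            return False  # Address, Host, ... are not modelled here
    return True


def effective_settings(text, user, groups=()):
    """Settings sshd would apply to `user` (lowercase keyword -> value)."""
    global_settings, blocks = parse_sshd_config(text)
    overrides = {}
    for criteria, settings in blocks:
        if block_matches(criteria, user, groups):
            for keyword, value in settings.items():
                overrides.setdefault(keyword, value)  # first matching block wins
    effective = dict(global_settings)
    effective.update(overrides)
    return effective


if __name__ == "__main__":
    for cfg, name in ((GOOD_CONFIG, "good"), (BAD_CONFIG, "bad")):
        for user, groups in (("userA", ()), ("userC", ()), ("userC", ("localonly",))):
            eff = effective_settings(cfg, user, groups)
            print(name, user, groups,
                  "KerberosAuthentication=%s" % eff.get("kerberosauthentication"),
                  "PasswordAuthentication=%s" % eff.get("passwordauthentication"))
```

In the mis-ordered sample, `PasswordAuthentication no` applies only to userA and userB and is absent from every other user's effective configuration, which is exactly the mistake the "Match blocks at the end" rule prevents. On the AIX server itself, the authoritative check after editing the file is OpenSSH's own dump of the effective configuration for a simulated connection, `sshd -T -C user=userA`, which should show `kerberosauthentication no` for the excluded users and `yes` for everyone else before sshd is restarted.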


SUPPORT

If you require more assistance, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.  

1. Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.

2. Capture any logs or data relevant to the situation.

3. Contact IBM to open a case:

   - For electronic support, see the IBM Support Community:
     https://www.ibm.com/mysupport
   - If you require telephone support, see the web page:
     https://www.ibm.com/planetwide/

4. Provide a clear, concise description of the issue.

 - For more information, see: Working with IBM AIX Support: Describing the problem.

5. If the system is accessible, collect a system snap, and upload all of the details and data for your case.

 - For more information, see: Working with IBM AIX Support: Collecting snap data



Document Information

More support for:
AIX

Component:
Security->User/Group/Password Management->KERBEROS/NAS

Software version:
All Versions

Operating system(s):
AIX

Document number:
6696041

Modified date:
22 September 2022

UID

ibm16696041
