VAS users on AIX cannot log in remotely using telnet, rsh, ssh, etc. Logging in at the console, or as root, works.
When running sshd in debug mode, on a non-standard port (# sshd -p 222 -ddd), the following error message can be seen when connecting using an ssh client (# ssh -p 222 jdoe@127.0.0.1):
debug3: AIX/loginrestrictions returned -1 msg Remote logins are not allowed for this account.
Login restricted for jdoe: Remote logins are not allowed for this account.
The loginrestrictions subroutine (http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.basetechref/doc/basetrf1/loginrestrictionsx.htm) lists various conditions which result in an unsuccessful authentication.
As seen in the ssh debug output, the loginrestrictions subroutine is denying remote users access to the server:
debug3: AIX/loginrestrictions returned -1 msg Remote logins are not allowed for this account.
Login restricted for jdoe: Remote logins are not allowed for this account.
This is due to the loginrestrictions condition being set in the /etc/security/user file, in the "default" user stanza:
rlogin = false
The Mode parameter is set to the S_RLOGIN value and the user is not allowed to log in from the network as defined by the rlogin user attribute.
The local root account can log in remotely because it has a separate user stanza in the /etc/security/user file, which does not include the rlogin restriction.
Here is a summary of the rlogin attribute from the /etc/security/user file:
Defines whether the user account can be accessed by remote
logins. Commands rlogin and telnet support this attribute.
Possible values: true or false.
Change the loginrestrictions condition, in the "default" stanza of the /etc/security/user file, to rlogin = true:
rlogin = true
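To check which stanza decides rlogin for an account before and after the change, the lookup described above (a user's own stanza overrides "default") can be reproduced with a small parser. This is an added example, not part of the original article or the product; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: resolve the effective rlogin value for a user from an
# AIX-style stanza file. A user's own stanza wins; otherwise "default" applies.

# effective_rlogin FILE USER -> prints "<value> (stanza: <name>)"
effective_rlogin() {
    awk -v user="$2" '
        /^[*]/ || /^[ \t]*$/ { next }        # skip "*" comments and blank lines
        /^[^ \t].*:[ \t]*$/ {                # stanza header, e.g. "default:"
            stanza = $0
            sub(/:[ \t]*$/, "", stanza)
            next
        }
        {                                    # attribute line, e.g. "  rlogin = false"
            line = $0
            gsub(/[ \t]/, "", line)
            split(line, kv, "=")
            if (kv[1] == "rlogin") val[stanza] = kv[2]
        }
        END {
            if (user in val)           print val[user] " (stanza: " user ")"
            else if ("default" in val) print val["default"] " (stanza: default)"
            else                       print "unset"
        }
    ' "$1"
}

# write_sample FILE -> constructed sample data, not a real /etc/security/user
write_sample() {
    cat > "$1" <<'EOF'
* constructed sample for illustration
default:
    login = true
    rlogin = false

root:
    admin = true
    rlogin = true
EOF
}

sample=$(mktemp)
write_sample "$sample"
echo "jdoe: $(effective_rlogin "$sample" jdoe)"
echo "root: $(effective_rlogin "$sample" root)"
rm -f "$sample"
```

Because the "default" stanza covers every account without its own rlogin line, changing it to true opens remote login for all of those accounts, not only the VAS users. On AIX itself, `lssec -f /etc/security/user -s default -a rlogin` reports the value currently set in the default stanza.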