jeffpc did start one, but it still needs much work

When issue an NMI over ipmi.... do we get a % of dump in the output? Last thing I saw in the output was dumping to /dev/zvol/dsk/zones/dump, offset 65536, content: kernel

I think I recall seeing a progress / percentage, think it might be hung to the point that it cant dump*

Its been 2 hours *

yes, there is normally progress.

I don't know when you should consider giving up, though

richlowe: Thats what I thought, I've punted the ball

does anyone have an example /etc/pam.conf that has sshd-pubkey example? I *suspect* my lack of any entries with that is the reason ssh is disconnecting when I try using a key.

"Access denied for user ansible by PAM account configuration [preauth]" is all I'm getting when running sshd -d on the server.

there is an undocumented pam debug facility that might tell you more what's going on

apparently my pubkey auth is not pam-y

[illumos-gate] 17760 qede: dereferencing freed memory -- Toomas Soome <tsoome⊙mc>

nomad: if you grep 'PAM_DEBUG' you'll find the code for the facility jbk means

it might even be semi-documented in there, libpam/pam_framework.c

yeah... that alone made me excited about opensolaris, just because knowing about that allowed me to solve some problems at the time :)

(like being able to supply a password to change via stdin, because there was some bug at the time that the DBAs using expect kept triggering which would erase /etc/shadow)

... which of course they setup to run across the entire production environment :P

I'm running sshd -ddd and getting things like "debug3: PAM: do_pam_account pam_acct_mgmt = 7 (Permission denied)" and "Failed publickey for ansible from [redacted] port 62192 ssh2: RSA SHA256:[redacted]" but that's after it already said it had accepted that key.

ok, so the account managment bit of pam is denying access

(entries with 'account' in the second column)

PAM so flexible and yet so [redacted]

: || lvd@hvfs2 ansible [643] ; grep account /etc/pam.conf

cron account required pam_unix_account.so.1

cups account required pam_unix_account.so.1

gdm-autologin account sufficient pam_allow.so.1

# Used when service name is not explicitly mentioned for account management

other account requisite pam_roles.so.1

other account required pam_unix_account.so.1

is the account a role?

I have a stanza for 'sshd-kbdint' that only has auth. I tried duplicating that for sshd-pubkey but no change.

the account is, near as I can tell, a regular account. It was created by useradd.

IIRC, that's fine -- if it doesn't find the service name for that, it'll fall back to other

does it have a password set? or is it *LK* in /etc/shadow?

if you want something akin to ssh-only, you want NP (passwd -N), not *LK* (passwd -l)

*LK*

try passwd -N user and reconnect

*LK* means locked as in 'no access as all'

that fixed it.

thanks!

Now to try to figure out how to tell ansible that.

NP means 'you cannot authenticate using a password -- so some alternate means must be used to login (e.g. ssh key)

which is distinct from an empty password (no entry)

it trips people up sometimes

I wonder if ansible.builtin.user knows about that.

ah, I can just say 'password: "NP" and it does it... with a complaint.

... and documented.

thanks for the fix!