07:52:42 jeffpc did start one, but it still needs much work
22:18:10 When issuing an NMI over ipmi.... do we get a % of dump in the output? Last thing I saw in the output was dumping to /dev/zvol/dsk/zones/dump, offset 65536, content: kernel
22:18:43 I think I recall seeing a progress / percentage, think it might be hung to the point that it can't dump*
22:19:03 It's been 2 hours *
22:22:36 yes, there is normally progress.
22:22:58 I don't know when you should consider giving up, though
22:23:20 richlowe: That's what I thought, I've punted the ball
22:46:28 does anyone have an example /etc/pam.conf that has sshd-pubkey example? I *suspect* my lack of any entries with that is the reason ssh is disconnecting when I try using a key.
22:46:46 "Access denied for user ansible by PAM account configuration [preauth]" is all I'm getting when running sshd -d on the server.
23:08:07 there is an undocumented pam debug facility that might tell you more what's going on
23:10:17 apparently my pubkey auth is not pam-y
23:10:54 [illumos-gate] 17760 qede: dereferencing freed memory -- Toomas Soome
23:12:21 nomad: if you grep 'PAM_DEBUG' you'll find the code for the facility jbk means
23:12:50 it might even be semi-documented in there, libpam/pam_framework.c
23:15:31 yeah... that alone made me excited about opensolaris, just because knowing about that allowed me to solve some problems at the time :)
23:16:11 (like being able to supply a password to change via stdin, because there was some bug at the time that the DBAs using expect kept triggering which would erase /etc/shadow)
23:16:42 ... which of course they set up to run across the entire production environment :P
23:17:29 I'm running sshd -ddd and getting things like "debug3: PAM: do_pam_account pam_acct_mgmt = 7 (Permission denied)" and "Failed publickey for ansible from [redacted] port 62192 ssh2: RSA SHA256:[redacted]" but that's after it already said it had accepted that key.
23:17:57 ok, so the account management bit of pam is denying access
23:18:22 (entries with 'account' in the second column)
23:18:49 PAM so flexible and yet so [redacted]
23:19:08 : || lvd@hvfs2 ansible [643] ; grep account /etc/pam.conf
23:19:08 cron account required pam_unix_account.so.1
23:19:08 cups account required pam_unix_account.so.1
23:19:08 gdm-autologin account sufficient pam_allow.so.1
23:19:08 # Used when service name is not explicitly mentioned for account management
23:19:09 other account requisite pam_roles.so.1
23:19:11 other account required pam_unix_account.so.1
23:19:27 is the account a role?
23:19:54 I have a stanza for 'sshd-kbdint' that only has auth. I tried duplicating that for sshd-pubkey but no change.
23:20:23 the account is, near as I can tell, a regular account. It was created by useradd.
23:20:45 IIRC, that's fine -- if it doesn't find the service name for that, it'll fall back to other
23:21:11 does it have a password set? or is it *LK* in /etc/shadow?
23:21:37 if you want something akin to ssh-only, you want NP (passwd -N), not *LK* (passwd -l)
23:21:45 *LK*
23:22:02 try passwd -N user and reconnect
23:22:31 *LK* means locked as in 'no access at all'
23:22:33 that fixed it.
23:22:42 thanks!
23:22:55 Now to try to figure out how to tell ansible that.
23:23:03 NP means 'you cannot authenticate using a password' -- so some alternate means must be used to login (e.g. ssh key)
23:23:18 which is distinct from an empty password (no entry)
23:23:30 it trips people up sometimes
23:24:41 I wonder if ansible.builtin.user knows about that.
23:31:31 ah, I can just say 'password: "NP"' and it does it... with a complaint.
23:36:56 ... and documented.
23:37:04 thanks for the fix!