topic Re: Trusted Systems and SSH in Operating System - HP-UX

Trusted Systems and SSH

corkbuster — Mon, 08 Sep 2003 12:32:59 GMT

Am deploying WRQ's Reflection Suite for X Version 10 so users can connect via X11 to HP-UX 11.00 system with HP Secure Shell 3.50.

Connections are fine. Problem arises when login messages are sent. Users are not seeing messages that "their password will expire in 10 days", " You are required to change your password" This only happens when X11 connections are made.

Before disabling telnet and ftp, this has to be resolved. Has anyone seen a similar problem?

Re: Trusted Systems and SSH

Bill Hassell — Mon, 08 Sep 2003 13:44:12 GMT

SSH is not telnet so some of the 'normal' login messages may not be seen. You can use /usr/lbin/getprpw daily to create a file with usernames and expiration days. Then /etc/profile can be modified to search through this file for the current user and produce the expiration message.

Re: Trusted Systems and SSH

Steven E. Protter — Mon, 08 Sep 2003 14:00:18 GMT

I would implement Bill's suggestion as follows:

/usr/lbin/getprpw > /tmp/expirelist.dat

in .profile

$EXPIRE=$(cat /tmp/expirelist.dat | grep -i $LOGNAME| wc -l)

if [ $EXPIRE -ge 1]
then

#
# Read the /tmp/expire.dat file in detail and echo days to expiration

echo "You password expires in X days do you want to change it(y/n)?"

read a

if [ "$a" = "y" ]
passwd
fi

Bill's idea creates good material to work with. I was stumped before he posted.

SEP

#

Re: Trusted Systems and SSH

corkbuster — Mon, 08 Sep 2003 14:38:48 GMT

Thank you, we were barking up the same tree, just needed a little syntax nudge.

The limitations of ssh connections, is becoming clearer.
1. login messages as described above are not seen when using X11 connections via SSH, but are seen when using SSH alone.

2. If an account requires a password change before continuing, or the account is locked, the SSH connection terminates without any reason shown the user.

Thanks for all your help

Re: Trusted Systems and SSH

Bill Hassell — Mon, 08 Sep 2003 21:14:28 GMT

Just a note about X11. It is VERY common for Xwindow configurations to bypass 'normal' logins. This is especially true for the 3 terminal emulators: dtterm, xterm and dtterm. This is easily fixed by placing a file called .Xdefaults in the HOME directory of the 11.0 server. Put the following string into it:

echo '*loginShell: true' > $HOME/.Xdefaults

This will set the default behavior for the terminal emulators to actually login and run /etc/profile, etc. You can add other Xresources to this file (see the man page for each client like dtterm)

Re: Trusted Systems and SSH

John de Villiers — Tue, 09 Sep 2003 09:57:46 GMT

we had the same problem with account expiries. we hadled it the following way.

disable expiry on all accounts. load pam_ntlm and let the users authenticate with their very same passwords they use on the NT domain. The NT domain can handle the expiry and everything.

John