topic Re: ssh problem in Operating System - HP-UX

ssh problem

sapi — Thu, 19 Jan 2006 21:01:40 GMT

dear,

I have hp server N4000, hpux 11.11
I have problem when ssh to my server, error message from system:

from syslog.log:
error: openpty: Bad file number
error: session_pty_req: session 0 alloc failed

from session (putty):
login: user1
PASSCODE : *******
Server refused to allocate pty

configuration in kernel:
npty 60 - 60
nstrpty 60 - 60
nstrtel 60 - 60

if we connect to server via telnet, there is no problem.

we used ssh softaware form hp, T1471AA_A.04.00.000_HP-UX_B.11.11_32+64.depot

any guest for this problem ??

thx

-yut-

Re: ssh problem

RAC_1 — Thu, 19 Jan 2006 21:04:51 GMT

Set all those settings to 1024 and create device files.

# cd /dev

# insf d pty s 1024 e v

# insf d ptm s 1024 e v

# insf -d telm s 1024 e v

# insf -d tels s 1024 e -v

Re: ssh problem

sapi — Thu, 19 Jan 2006 21:38:12 GMT

I just configure kernel parameter base on your comment:

user pasword use RSA secureID.
error message from syslog.log:

Jan 20 09:32:32 rstrtap2 sshd[2294]: illegal entry in pam.conf: missing field
Jan 20 09:32:43 rstrtap2 sshd[2294]: Accepted keyboard-interactive/pam for user1 from 10.2.133.150 port 3937 ssh2
Jan 20 09:32:43 rstrtap2 sshd[2294]: error: openpty: Bad file number
Jan 20 09:32:43 rstrtap2 sshd[2294]: error: session_pty_req: session 0 alloc failed

Re: ssh problem

RAC_1 — Thu, 19 Jan 2006 21:44:27 GMT

ssh is complainging about bad pam.cnf file. Did you do any changes there?? Just copy over the old /etc/pam.conf and try.

Re: ssh problem

sapi — Thu, 19 Jan 2006 21:48:19 GMT

# more /etc/pam.conf
#
# PAM configuration
#
# Authentication management
#
sshd auth required /usr/lib/security/pam_securid.1
login auth required /usr/lib/security/libpam_unix.1
su auth required /usr/lib/security/libpam_unix.1
dtlogin auth required /usr/lib/security/libpam_unix.1
dtaction auth required /usr/lib/security/libpam_unix.1
ftp auth required /usr/lib/security/libpam_unix.1
OTHER auth required /usr/lib/security/libpam_unix.1
#
test
# Account management
#
login account required /usr/lib/security/libpam_unix.1
su account required /usr/lib/security/libpam_unix.1
dtlogin account required /usr/lib/security/libpam_unix.1
dtaction account required /usr/lib/security/libpam_unix.1
ftp account required /usr/lib/security/libpam_unix.1
#
OTHER account required /usr/lib/security/libpam_unix.1
#
# Session management
#
login session required /usr/lib/security/libpam_unix.1
dtlogin session required /usr/lib/security/libpam_unix.1
dtaction session required /usr/lib/security/libpam_unix.1
OTHER session required /usr/lib/security/libpam_unix.1
#
# Password management
#
login password required /usr/lib/security/libpam_unix.1
passwd password required /usr/lib/security/libpam_unix.1
dtlogin password required /usr/lib/security/libpam_unix.1
dtaction password required /usr/lib/security/libpam_unix.1
OTHER password required /usr/lib/security/libpam_unix.1

/usr/lib/security/pam_securid.1 ==> use for RSA secureid

Re: ssh problem

Joseph Loo — Thu, 19 Jan 2006 22:33:42 GMT

hi yut,

so u have amended /etc/pam.conf by adding the sshd line? how abt reverting back to original and test it again.

also, u may like to install the latest version:

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA

regards.

Re: ssh problem

sapi — Thu, 19 Jan 2006 23:02:30 GMT

hi joseph,

i already install latest secure shell (T1471AA_A.04.20.004_HP-UX_B.11.11_32+64.depot), but we canot login to server via ssh yet. via telnet is no problem.this grep message at syslog.log:

Jan 20 10:57:52 rstrtap2 sshd[3677]: error: openpty: Error 0
Jan 20 10:57:52 rstrtap2 sshd[3719]: error: session_pty_req: session 0 alloc failed

Re: ssh problem

RAC_1 — Thu, 19 Jan 2006 23:34:49 GMT

Post sshd -ddd and ssh -vvv

Also, you sure that you did insf for device files?? Can you see additional device files now?? ll /dev/pty | wc -l

Re: ssh problem

sapi — Fri, 20 Jan 2006 01:08:30 GMT

yes, i'm sure, this:
# ll /dev/pty | wc -l
1025
You have mail in /var/mail/root
# cd /opt/ssh/etc
# ls
moduli ssh_host_key ssh_prng_cmds
ssh_config ssh_host_key.pub sshd_config
ssh_host_dsa_key ssh_host_rsa_key
ssh_host_dsa_key.pub ssh_host_rsa_key.pub
# more sshd_config
# $OpenBSD: sshd_config,v 1.70 2004/12/23 23:11:00 djm Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /opt/ssh/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /opt/ssh/etc/ssh_host_rsa_key
#HostKey /opt/ssh/etc/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#CountKeyAuthBadLogins no

# Auth selection
#
#HostbasedAuthAllowUsers
#HostbasedAuthDenyUsers
#PubkeyAuthAllowUsers
#PubkeyAuthDenyUsers
#KerberosAuthAllowUsers
#KerberosAuthDenyUsers
#KerberosOrLocalPasswdAllowUsers
#KerberosOrLocalPasswdDenyUsers
#PasswordAuthAllowUsers
#PasswordAuthDenyUsers
#ChallRespAuthAllowUsers [pam] user1 user2 ...
#ChallRespAuthDenyUsers [pam] user1 user2 ...
#ChallRespAuthAllowUsers [bsdauth] user1 user2 ...
#ChallRespAuthDenyUsers [bsdauth] user1 user2 ...
#ChallRespAuthAllowUsers [skey] user1 user2 ...
#ChallRespAuthDenyUsers [skey] user1 user2 ...
#ChallRespAuthAllowUsers [securid] user1 user2 ...
#ChallRespAuthDenyUsers [securid] user1 user2 ...
#GSSAPIAuthAllowUsers
#GSSAPIAuthDenyUsers

RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
X11UseLocalhost no
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#EnforceSecureTTY no
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /opt/ssh/libexec/sftp-server

# sftp-server logging
#LogSftp no
#SftpLogFacility AUTH
#SftpLogLevel INFO

# sftp-server umask control
#SftpUmask
#SftpPermitChmod yes
#SftpPermitChown yes

# more ssh_config
# $OpenBSD: ssh_config,v 1.20 2005/01/28 09:45:53 dtucker Exp $

# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
Protocol 2
HashKnownHosts yes
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes2
56-cbc

Re: ssh problem

sapi — Mon, 23 Jan 2006 01:48:05 GMT

configure at sshd_config