https://community.hpe.com/t5/operating-system-hp-ux/ssh-activedirectory-ldap-hp-ux-11-11/m-p/4512658#M533672 I've discovered that Secure_Shell 5.10 on HP-UX 11.11 has some problems. I don't know if they're pre-existing, but they don't seem to be present on HP-UX 11.23.<BR /><BR />Firstly, if you enable "UseLogin yes" then X11 forwarding doesn't happen. <BR /><BR />If you set "UseLogin no" then you can login but you don't get LDAP-defined auxiliary groups. Any groups of which you are a member in /etc/group -- they work fine. Any groups which are defined in ActiveDirectory (LDAP) don't appear.<BR /><BR />Regardless of how you set UseLogin, if you run "ssh the-server some command" that command will run without any LDAP-defined auxiliary groups. (Because "login" doesn't get invoked at all in this situation regardless of UseLogin).<BR /><BR />Also, regardless of UseLogin or protocol version, if you get your password wrong, you will be prompted again for a password, but there's no point in typing anything because even if you get it right, you will be rejected. And the fun part is that you will get asked three times, which is just enough to have your login disabled in ActiveDirectory if you're running with a default group policy. ;-(<BR /><BR />Finally, for protocol version 2 (not protocol version 1), almost no pam.conf configuration works for password logins. The best I've been able to do is the following, in which you will get prompted for a password, then again prompted for "LDAP password". As long as you type your password<BR /><BR />sshd auth sufficient libpam_unix.1<BR />sshd auth sufficient libpam_ldap.1 try_first_pass<BR /><BR />Replacing "try_first_pass" with "use_first_pass" (which you would think would make sure there is only one password prompt) just makes it impossible to log in.<BR /><BR />Bizarrely, the "try_first_pass" configuration is fine for ssh version 1 and you only get asked once.<BR /><BR />This is all quite consistent across half a dozen HP-UX 11.11 boxes. And the 11.23 boxes chuff along merrily with none of these problems.<BR /><BR />----<BR /><BR />Anyone else seen this same behaviour, or am I going crazy?<BR /> Tue, 13 Oct 2009 05:27:32 GMT Gregory D Baker 2009-10-13T05:27:32Z https://community.hpe.com/t5/operating-system-hp-ux/ssh-activedirectory-ldap-hp-ux-11-11/m-p/4512658#M533672 I've discovered that Secure_Shell 5.10 on HP-UX 11.11 has some problems. I don't know if they're pre-existing, but they don't seem to be present on HP-UX 11.23.<BR /><BR />Firstly, if you enable "UseLogin yes" then X11 forwarding doesn't happen. <BR /><BR />If you set "UseLogin no" then you can login but you don't get LDAP-defined auxiliary groups. Any groups of which you are a member in /etc/group -- they work fine. Any groups which are defined in ActiveDirectory (LDAP) don't appear.<BR /><BR />Regardless of how you set UseLogin, if you run "ssh the-server some command" that command will run without any LDAP-defined auxiliary groups. (Because "login" doesn't get invoked at all in this situation regardless of UseLogin).<BR /><BR />Also, regardless of UseLogin or protocol version, if you get your password wrong, you will be prompted again for a password, but there's no point in typing anything because even if you get it right, you will be rejected. And the fun part is that you will get asked three times, which is just enough to have your login disabled in ActiveDirectory if you're running with a default group policy. ;-(<BR /><BR />Finally, for protocol version 2 (not protocol version 1), almost no pam.conf configuration works for password logins. The best I've been able to do is the following, in which you will get prompted for a password, then again prompted for "LDAP password". As long as you type your password<BR /><BR />sshd auth sufficient libpam_unix.1<BR />sshd auth sufficient libpam_ldap.1 try_first_pass<BR /><BR />Replacing "try_first_pass" with "use_first_pass" (which you would think would make sure there is only one password prompt) just makes it impossible to log in.<BR /><BR />Bizarrely, the "try_first_pass" configuration is fine for ssh version 1 and you only get asked once.<BR /><BR />This is all quite consistent across half a dozen HP-UX 11.11 boxes. And the 11.23 boxes chuff along merrily with none of these problems.<BR /><BR />----<BR /><BR />Anyone else seen this same behaviour, or am I going crazy?<BR /> Tue, 13 Oct 2009 05:27:32 GMT https://community.hpe.com/t5/operating-system-hp-ux/ssh-activedirectory-ldap-hp-ux-11-11/m-p/4512658#M533672 Gregory D Baker 2009-10-13T05:27:32Z https://community.hpe.com/t5/operating-system-hp-ux/ssh-activedirectory-ldap-hp-ux-11-11/m-p/4512659#M533673 No real advice by me. But did you notice that version 5.20 is available <A href="https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA" target="_blank">https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA</A> ? You should give it a try... maybe it works.<BR /><BR />My 2 cents,<BR />Armin<BR /> Wed, 14 Oct 2009 06:20:19 GMT https://community.hpe.com/t5/operating-system-hp-ux/ssh-activedirectory-ldap-hp-ux-11-11/m-p/4512659#M533673 Armin Kunaschik 2009-10-14T06:20:19Z