topic Re: ssh via token does not work (telnet works in Operating System - HP-UX

ssh via token does not work (telnet works

F Verschuren — Tue, 08 Jun 2010 10:23:26 GMT

Hi i have a server whitch we try to configgure so that if I login I have to use a (rsa) token

telnet works fine now however ssh still is a problem.

Is there a mismatch in the config file?

Re: ssh via token does not work (telnet works

TTr — Tue, 08 Jun 2010 11:08:04 GMT

It looks like you have configured ssh for authentication with rsa keys, not tokens.

Do you have an RSA agent (ACE client)installed in this server that would authenticate the token against the RSA server?

Re: ssh via token does not work (telnet works

F Verschuren — Tue, 08 Jun 2010 11:23:31 GMT

I have take over from a colega...
[nlxsts01:/root]# swlist -l product |grep PAM
HPUX-PAM-RADIUS A.01.00.00 HP-UX PAM RADIUS
PAM-Kerberos D.01.24 PAM-Kerberos Version 1.24
[nlxsts01:/root]#

cat /etc/pam.conf
#
# PAM configuration
#
# This pam.conf file is intended as an example only.
# see pam.conf(4) for more details
#

################################################################
# This sample file will authenticate the user who belongs to #
# either RADIUS or Unix system. Using this configuration file #
# if the user is authenticated through RADIUS then the Unix #
# authentication will not be invoked. However,if the RADIUS #
# authentication fails for the user, then the fallback #
# authentication mechanism PAM-Unix will be invoked to #
# authenticate the user.The assumption is the user is either #
# present in RADIUS or in Unix system. #
# #
# In case, the administrator wants the password for all the #
# users to be synchronous between RADIUS and Unix systems, #
# then the control flag should to be set to "required" for all #
# the entries with user_first_pass option set for pam_unix. #
# If password synchronization is optional then try_first_pass #
# option need to be set for pam_unix, so that the user can #
# login using the appropriate passwords. #
################################################################

#
# Authentication management
#
login auth sufficient libpam_radius.so.1 debug default_realm=atosorigin.com
login auth required libpam_unix.so.1 try_first_pass
su auth sufficient libpam_radius.so.1
su auth required libpam_unix.so.1 try_first_pass
dtlogin auth sufficient libpam_radius.so.1
dtlogin auth required libpam_unix.so.1 try_first_pass
dtaction auth sufficient libpam_radius.so.1
dtaction auth required libpam_unix.so.1 try_first_pass
ftp auth sufficient libpam_radius.so.1
ftp auth required libpam_unix.so.1 try_first_pass
sshd auth sufficient libpam_radius.so.1 debug
sshd auth required libpam_unix.so.1 debug try_first_pass
OTHER auth required libpam_unix.so.1
#
# Account management
#
login account required libpam_unix.so.1
su account required libpam_unix.so.1
dtlogin account required libpam_unix.so.1
dtaction account required libpam_unix.so.1
ftp account required libpam_unix.so.1
sshd account required libpam_unix.so.1 debug
OTHER account required libpam_unix.so.1
#
# Session management
#
login session sufficient libpam_radius.so.1
login session required libpam_unix.so.1
su session sufficient libpam_radius.so.1
su session required libpam_unix.so.1
dtlogin session sufficient libpam_radius.so.1
dtlogin session required libpam_unix.so.1
dtaction session sufficient libpam_radius.so.1
dtaction session required libpam_unix.so.1
ftp session sufficient libpam_radius.so.1
ftp session required libpam_unix.so.1
sshd session sufficient libpam_radius.so.1 debug
sshd session required libpam_unix.so.1
OTHER session required libpam_unix.so.1
#
# Password management
#
login password required libpam_unix.so.1
passwd password required libpam_unix.so.1
dtlogin password required libpam_unix.so.1
dtaction password required libpam_unix.so.1
OTHER password required libpam_unix.so.1

If I neet to plase more please give me the comands?

Re: ssh via token does not work (telnet works

F Verschuren — Tue, 08 Jun 2010 11:37:32 GMT

syslog.log:
ssh failure
Jun 8 14:31:49 nlxsts01 sshd[22532]: pam_radius_auth: Error sending RADIUS packet to server 127.0.0.1:1645: Error 0
Jun 8 14:31:49 nlxsts01 sshd[22532]: pam_radius_auth: Error sending RADIUS packet to server 161.89.57.7:1645: Error 0
Jun 8 14:31:49 nlxsts01 sshd[22532]: pam_radius_auth: Error sending RADIUS packet to server 161.89.145.76:1645: Error 0
Jun 8 14:31:49 nlxsts01 sshd[22532]: pam_radius_auth: All RADIUS servers failed to respond.

succes whit telnet
Jun 8 14:33:13 nlxsts01 login: pam_radius_auth: RADIUS server 127.0.0.1:1645 failed to respond

I have changed the sshd lines from the /etc/pam.conf so they look the same as login.

Re: ssh via token does not work (telnet works

TTr — Tue, 08 Jun 2010 11:37:33 GMT

Radius is different than RSA/ACE. You have radius authentication configured. What about RSA? Do you currently have an RSA server installed and are your users using tokens with other services or is this a new requirement?

Re: ssh via token does not work (telnet works

F Verschuren — Tue, 08 Jun 2010 11:51:07 GMT

Do you currently have an RSA server installed and are your users using tokens with other services?
Yes, I can login to this server using telnet and a token. hoever ssh does not works.

Re: ssh via token does not work (telnet works

TTr — Tue, 08 Jun 2010 12:10:51 GMT

As I said, radius is different than RSA. You need an RSA agent installed in this server to be able to use the token.

The radius error messages is a different issue. It is configured in the pam.conf on this server. You need to figure out what the requirements are for this server. Use radius or use RSA? You need to spend some time to become familiar with radius and RSA authentications.

Re: ssh via token does not work (telnet works

F Verschuren — Tue, 08 Jun 2010 12:36:13 GMT

if i configure /etc/pam.conf like:
login auth required libpam_hpsec.so.1
login auth required libpam_unix.so.1
I can telnet using a passwd

if I configere /etc/pam.conf like:
login auth sufficient libpam_radius.so.1 debug default_realm=atosorigin.com
login auth required libpam_unix.so.1 try_first_pass

I can login whit my keycart.

if I configgure ssh like:
sshd auth required libpam_hpsec.so.1
sshd auth required libpam_unix.so.1
I can login whit a password
if I configer it like:

sshd auth sufficient libpam_radius.so.1 debug default_realm=atosorigin.com
sshd auth required libpam_unix.so.1 try_first_pass
I first am asked for
Password:
Here I have to type my keycartnr
And then I am asked to type my
System Password:
After typing my passwd I am in...
Is there a way to remove the passwd part so I only have to type my keycart nr?

Re: ssh via token does not work (telnet works

F Verschuren — Tue, 08 Jun 2010 12:47:34 GMT

It seems to be I have simmulr problems like:
http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1433958

Re: ssh via token does not work (telnet works

F Verschuren — Tue, 08 Jun 2010 13:13:33 GMT

If I look whit tcpdump to look to the radus server "telnet" looks fine (and works)
/opt/iexpress/tcpdump/sbin]# tcpdump host 161.89.57.7
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lan0, link-type EN10MB (Ethernet), capture size 96 bytes
16:01:06.963199 IP nlxsts01.18407 > scauts-eur2.ao-srv.com.1645: RADIUS, Access Request (1), id: 0x62 length: 126
16:01:06.984387 IP scauts-eur2.ao-srv.com.1645 > nlxsts01.18407: RADIUS, Access Reject (3), id: 0x62 length: 20
16:01:22.223135 IP nlxsts01.18407 > scauts-eur2.ao-srv.com.1645: RADIUS, Access Request (1), id: 0x9c length: 124
16:01:25.470077 IP scauts-eur2.ao-srv.com.1645 > nlxsts01.18407: RADIUS, Access Accept (2), id: 0x9c length: 26
16:01:26.473090 IP nlxsts01.18407 > scauts-eur2.ao-srv.com.1646: RADIUS, Accounting Request (4), id: 0x5a length: 76
16:01:26.474877 IP scauts-eur2.ao-srv.com.1646 > nlxsts01.18407: RADIUS, Accounting Response (5), id: 0x5a length: 20

But I do not see anny responce If I use ssh...
my pam.conf looks like:
sshd auth sufficient libpam_radius.so.1 debug
sshd auth required libpam_unix.so.1 debug try_first_pass
login auth sufficient libpam_radius.so.1 debug default_realm=atosorigin.com
login auth required libpam_unix.so.1 try_first_pass

Why does ssh does not like to conect to my radius server and telnet seems to work fine...

anny ID?

the syslog is also tells me it is trying to send a packet, however tcpdump does not see anything...
Jun 8 16:08:42 nlxsts01 sshd[17700]: pam_radius_auth: Error sending RADIUS packet to server 127.0.0.1:1645: Error 0
Jun 8 16:08:42 nlxsts01 sshd[17700]: pam_radius_auth: Error sending RADIUS packet to server 161.89.57.7:1645: Error 0
Jun 8 16:08:42 nlxsts01 sshd[17700]: pam_radius_auth: Error sending RADIUS packet to server 161.89.145.76:1645: Error 0
Jun 8 16:08:42 nlxsts01 sshd[17700]: pam_radius_auth: All RADIUS servers failed to respond.

anny sugestions are welcome.

Re: ssh via token does not work (telnet works

F Verschuren — Wed, 16 Jun 2010 13:46:15 GMT

I was using a IP adresses in /etc/raddb/server
After changing it to the full qualefide domain name.
ssh and radius workt fine. (found this in a other form:

It appears this may be a bug in the 64-bit version of the libpam_radius.so.1 shared object.