topic Re: Trust System + ssh in Operating System - HP-UX

Trust System + ssh

yaron daniel — Thu, 28 Jul 2005 04:16:35 GMT

Hi all

I move my system to Trust-System mode, and now i can not login to the system with ssh:
I get the password promt and after writing the password i get connection closed.
It worked before the move to Turst-System, it looks like configuration problem (maybe at pam) ??? i do not have many much data at the syslog.log file. any tips ...

Re: Trust System + ssh

Simon Hargrave — Thu, 28 Jul 2005 04:19:46 GMT

Perhaps you could post: -

- any errors in syslog
- any errors you see on screen
- your /etc/sshd/sshd_config file

Re: Trust System + ssh

Michael Selvesteen_2 — Thu, 28 Jul 2005 06:44:29 GMT

Please tell us the version of SSH server and client. The debug ouput from server and client will also be helpful.

Some things to try

1.Normally, when the system is converted to Trusted mode all the users passwords are expired. - Check whether your password had expired.

2. Do you use NIS or NIS+?

Re: Trust System + ssh

Mauro Gatti — Thu, 28 Jul 2005 06:50:44 GMT

Are you able to login via console?

Re: Trust System + ssh

Mauro Gatti — Thu, 28 Jul 2005 06:57:10 GMT

If you are not able to login in any way (console included) have a look at your /etc/nsswitch.conf file
I got your same problem converting my server after a new installation.
Some configuration of nsswitch.file are not supported by trusted systems.
I correct my nsswitch file using only files and dns (not "compact" entries) and it has come back to work fine.

Re: Trust System + ssh

Muthukumar_5 — Thu, 28 Jul 2005 07:00:54 GMT

Is it working for other login services?
Try to enable verbose with ssh -vvv and post output.

hth.

Re: Trust System + ssh

yaron daniel — Sun, 31 Jul 2005 03:09:53 GMT

Hello All

I install this version: T1471AA A.04.00.000 HP-UX Secure Shell.
I do not user NIS or NIS+, Here is the output file of with all the answers:

Re: Trust System + ssh

Michael Selvesteen_2 — Sun, 31 Jul 2005 23:34:49 GMT

Hmm...From your logs everything seems to be normal. To broaden the analysis, please post your server debug messages.

Use /opt/ssh/sbin/sshd -ddde for debug output

Re: Trust System + ssh

generic_1 — Mon, 01 Aug 2005 01:20:07 GMT

Hello.
When you convert your system to trusted accounts tend to get locked. for a variety of reasons.

run /usr/lbin/getprpw accountname

look and make sure the lockout= is all 0s and alock= is no or false.

You can correct a locked account with
/usr/lbin/modprpw -k username
or -v to reset expire time.

also as far as ssh you will be prompted for your password unless you have valid keys on both sides setup correctly and you have a null passphrase. Double check your permissions/owerships too on the key files and directories. That can cause you grief too :) and security problems too.

Re: Trust System + ssh

yaron daniel — Mon, 01 Aug 2005 02:39:22 GMT

Hi
Here is the output of the sshd with debug.

Re: Trust System + ssh

Mauro Gatti — Mon, 01 Aug 2005 03:21:50 GMT

Try to check home directory and $HOME/.ssh directory permissions of user who is making connection.
Home have to be at least 755 (drwxr-xr-x) and .ssh have to be 700 (drwx------)

RGDS

Mauro

Re: Trust System + ssh

Michael Selvesteen_2 — Mon, 01 Aug 2005 04:00:28 GMT

Hello Daniel,

I guess you have missed to attach the debug file. Please attach it.

Also that, once the system is converted to trusted, the ssh login process will be as shown below

# ssh -l localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 6a:e4:7d:67:93:78:39:29:4e:ab:6b:af:98:00:37:8f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
Password:
Last successful login for : Mon Aug 1 17:04:51 IST-5:30 2005
Last unsuccessful login for : NEVER
Your password has expired.
Changing password for
Old password:

These messgaes are not present in your logs. If possible try to convert back to normal system and use /etc/tsconvert to convert again to trusted.

Re: Trust System + ssh

yaron daniel — Wed, 03 Aug 2005 11:29:01 GMT

Hi

Sorry here is the file:

I also convert back the system and ssh works great, convert to trust-system again, ssh dows not work.

Re: Trust System + ssh

Ermin Borovac — Wed, 03 Aug 2005 19:05:44 GMT

Just a guess but does it work with privilege separation turned off?

In /opt/ssh/etc/sshd_config set

UsePrivilegeSeparation no

and restart sshd.

BTW as other folks have requested you should really provide most detailed debug trace (e.g. with -ddd). It looks like you ran sshd with only one -d.

Re: Trust System + ssh

Denver Osborn — Wed, 03 Aug 2005 20:04:18 GMT

also try password auth with your ssh client connection. From your last sshd debug output, it didn't try passwd auth but instead keybd interactive... that's where it failed. See if you get better results w/ password auth and if it's good we'll troubleshoot from there.

ssh -vvv -o PreferredAuthentications=password username@hostname

hope this helps,
-denver

Re: Trust System + ssh

generic_1 — Wed, 03 Aug 2005 20:04:47 GMT

check your accoutnts you are using with /usr/lbin/getprpw username
make sure they didnt get locked or expired after confverting.

I posted how to fix those above.

Also glance at /etc/securetty and more sure its ok. Have you tried an account beside root?

Re: Trust System + ssh

yaron daniel — Thu, 04 Aug 2005 02:54:35 GMT

Hi All

I try :
ssh -vvv -o PreferredAuthentications=password username@hostname, and it works !!!
But i did not find this option in the ssh_config or sshd_config files.
How can i make it permanent ?

10x

Re: Trust System + ssh

Denver Osborn — Thu, 04 Aug 2005 06:05:22 GMT

good deal. looks like something w/ pam and going to trusted. I don't have anytime to look at it, but might later. try a search in the forums for "sshd pam trusted" to see what's out there.

-denver

Re: Trust System + ssh

Todd Whitcher — Thu, 04 Aug 2005 06:39:09 GMT

In the ./ssh/ssh_config configure

PreferredAuthentications password