topic Re: help connection openssh in Operating System - HP-UX

help connection openssh

Jairo Campana — Tue, 04 May 2004 15:27:52 GMT

hello , I installed my openssh_3.7.1p2
when connect a user
obtaing acces_denied
login as: test
password:
Access denied

the syslog :
May 4 17:04:25 whdux1 sshd[4784]: Failed password for illegal user test from 172.31.195.241 port 3723
May 4 17:14:17 whdux1 above message repeats 2 times
May 4 17:14:17 whdux1 sshd[4933]: User test not allowed because account is locked
May 4 17:14:17 whdux1 sshd[4933]: Failed none for illegal user test from 172.31.195.241 port 3771
May 4 17:14:22 whdux1 sshd[4933]: Failed password for illegal user test from 172.31.195.241 port 3771

after run command /usr/lbin/modprpw -k test
reset to passwd test

run /usr/local/sbin/sshd -v in mode debug

whdux1 # /usr/local/sbin/sshd -d
debug1: sshd version OpenSSH_3.7.1p2
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 24 on 0.0.0.0.
Server listening on 0.0.0.0 port 24.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 172.31.195.241 port 3774
debug1: Client protocol version 1.5; client software version PuTTY
debug1: no match: PuTTY
debug1: Local version string SSH-1.99-OpenSSH_3.7.1p2
debug1: permanently_set_uid: 103/101
debug1: Sent 768 bit server key and 1024 bit host key.
debug1: Encryption type: 3des
debug1: Received session key; encryption turned on.
debug1: Installing crc compensation attack detector.
User test not allowed because account is locked
debug1: do_authentication: illegal user test
debug1: Attempting authentication for illegal user test.
Failed none for illegal user test from 172.31.195.241 port 3774
Failed password for illegal user test from 172.31.195.241 port 3774
Failed password for illegal user test from 172.31.195.241 port 3774
Failed password for illegal user test from 172.31.195.241 port 3774
Failed password for illegal user test from 172.31.195.241 port 3774

I probe with telnet, and it works
in telnet whe execute pwd obtaing:
$ pwd
sh: : Cannot access parent directories.
$grep test /etc/passwd
$test:*:108:20::/home/test:/sbin/sh

$grep sshd /etc/passwd
sshd:*:103:101:sshd privsep:/usr/local/var/empty:/bin/false

as it can be the problem

thanks

Re: help connection openssh

Gary L. Paveza, Jr. — Tue, 04 May 2004 15:36:26 GMT

The log indicates that the user account test is locked. Try the following:

passwd -d test

Then try your ssh connection again.

Re: help connection openssh

Jeff Schussele — Tue, 04 May 2004 15:44:02 GMT

Hi Jairo,

I agree with Gary - acct is locked not disabled & the passwd -d username will unlock it BUT it will also allow it to have NO PW - so also run passwd -f username on the acct to force a PW change. You never want null PW accts on any system

My 2 cents,
Jeff

Re: help connection openssh

Jairo Campana — Tue, 04 May 2004 15:44:03 GMT

my post it says unlock
after run command /usr/lbin/modprpw -k test
reset to passwd test

passwd -d /test

option -d -d Allow user to login without a password by deleting it.

in mode truste system no its permit
whdux1 # passwd -d test
You are not allowed to have a null password.

Re: help connection openssh

G. Vrijhoeven — Tue, 04 May 2004 15:45:06 GMT

Hi Jario,

Might be s stupid comment but:
Did you configure a trusted system, or did you just put a * in the passwd for security reasons. If not the * disables an account on HPUX. And can explain the error you are getting.

HTH,

Gideon

Re: help connection openssh

generic_1 — Mon, 16 Sep 2024 09:22:25 GMT

Run a /usr/lbin/getprpw username and look over the output. Even though you did a modprpw -k I have seen instances where say you created a test account but never set a password on a trusted system and the account is still locked because of a no null password rule or that the account has expired past its time limit.

Re: help connection openssh

Jairo Campana — Wed, 05 May 2004 15:50:27 GMT

G. Vrijhoeven , no no is stupid I delete the * in /etc/passwd

test::108:20::/home/test:/sbin/sh
and it works
after change password
passwd test

and it works , connect to server using openssh
my questions is :
I must do this with all the users

Re: help connection openssh

Denver Osborn — Wed, 05 May 2004 22:23:34 GMT

How are you adding the users to the system? Is it all scripted?

If by any chance you're adding them directly to /etc/passwd then running pwconv, it will leave the prpwd entry with *... making the account locked out. Once a password is generated for the user (manually w/ passwd username), the account would become enabled.

-denver

Re: help connection openssh

Jairo Campana — Thu, 06 May 2004 13:08:43 GMT

the user create with username

username -d /home/test -s /sbin/bash test

the problem is with UsePrivilegeSeparation of openssh in sshd_config

Re: help connection openssh

Jairo Campana — Fri, 07 May 2004 07:28:42 GMT

solved my problem , installe ssh secure HPUX

Privilege separation, or privsep, is method in OpenSSH by which
operations that require root privilege are performed by a separate
privileged monitor process. Its purpose is to prevent privilege
escalation by containing corruption to an unprivileged process.
More information is available at:
6: http://www.citi.umich.edu/u/provos/ssh/privsep.html

the problem is with Privilege separation of openssh :
http://www.chiark.greenend.org.uk/ucgi/~cjwatson/cvsweb/openssh/README.privsep?annotate=1.1.1.4

Privsep requires operating system support for file descriptor passing.
Compression will be disabled on systems without a working mmap MAP_ANON.PAMM-enabled OpenSSH is known to function with privsep on Linux.
It does not function on HP-UX with a trusted system

Re: help connection openssh

Denver Osborn — Fri, 07 May 2004 07:48:09 GMT

Thanks! You also solved one of my problems by posting that info! I compiled openssh from source using a patch that adds RSA SecurID support... long story short.. I though the logname cmd was broke but it turns out that UsePrivSeperation was on by default and it caused logname to fail. Turning it off in sshd_config solved my problem. Woo-hoo!

thanks Jairo, I owe you 10pts

-denver