topic Re: openssh connect problem in Operating System - HP-UX

openssh connect problem

Bill Jenkins_1 — Wed, 27 Aug 2003 12:05:23 GMT

I am having the same problem as the following post but I do not understand why.

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x3388227a6ab4d711900a0090279cd0f9,00.html

This post was a while back and it indicates a different version of openssh than the one I am using. Which according to this post is supposed to be a "known good binary version".

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xcada68da2286d711abdc0090277a778c,00.html

I do not understand that "the problem is not with the HP Box" but with ssh indicating that it might be the client but I do not understand how that could be. At any rate, I do not have access to a machine to compile the patch.

Has anyone else run into this problem? I have to believe it is a configuration problem.

Re: openssh connect problem

RolandH — Wed, 27 Aug 2003 12:46:22 GMT

The patch programm is not part of the base OS.
You can download it from
http://big.asknet.de/hppd/hpux/Sysadmin/patch-2.5.4/
( the 11.00 version will work for 11.11, too)

If it not works try the ssh client from HP.

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA

HTH
Roland

Re: openssh connect problem

Steven E. Protter — Wed, 27 Aug 2003 12:51:51 GMT

It might actually be a problem on your HP box. If you are running a compiled version of openssh instead of...

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA

You might not have pam integration correct.

You also might want to check this:

swlist -l product | grep -i pam

Make sure pam is installed on the HP-UX box. If not, its on the Application CD's and available at http:/software.hp.com

SEP

Re: openssh connect problem

RolandH — Wed, 27 Aug 2003 13:02:05 GMT

Have you installed the patches
PHCO_24839 or
PHCO_27037

Check this.

HTH
Roland

Re: openssh connect problem

Andrew Cowan — Thu, 28 Aug 2003 05:55:07 GMT

I used this patch (that I downloaded from a forum somewehere near here) and it cured all my PAM problems:

================

cat > hp_pam.patch

diff -r -c openssh-3.4p1/auth-pam.c openssh-3.4p1-dw/auth-pam.c
*** openssh-3.4p1/auth-pam.c Tue May 7 21:27:56 2002
--- openssh-3.4p1-dw/auth-pam.c Mon Jul 15 15:37:57 2002
***************
*** 294,299 ****
--- 294,311 ----
session_opened = 1;
}

+ /* Set the TTY after session is open */
+ void do_pam_set_tty(const char *ttyname) {
+ int pam_retval;
+ if (ttyname != NULL) {
+ debug("PAM setting tty to \"%.200s\"", ttyname);
+ pam_retval = pam_set_item(__pamh, PAM_TTY, ttyname);
+ if (pam_retval != PAM_SUCCESS)
+ fatal("PAM set tty failed[%d]: %.200s",
+ pam_retval, PAM_STRERROR(__pamh, pam_retval));
+ }
+ }
+
/* Set PAM credentials */
void do_pam_setcred(int init)
{
diff -r -c openssh-3.4p1/auth-pam.h openssh-3.4p1-dw/auth-pam.h
*** openssh-3.4p1/auth-pam.h Thu Apr 4 13:02:28 2002
--- openssh-3.4p1-dw/auth-pam.h Mon Jul 15 15:36:34 2002
***************
*** 12,17 ****
--- 12,18 ----
int do_pam_authenticate(int flags);
int do_pam_account(char *username, char *remote_user);
void do_pam_session(char *username, const char *ttyname);
+ void do_pam_set_tty(const char *ttyname);
void do_pam_setcred(int init);
void print_pam_messages(void);
int is_pam_password_change_required(void);
diff -r -c openssh-3.4p1/session.c openssh-3.4p1-dw/session.c
*** openssh-3.4p1/session.c Wed Jun 26 08:51:06 2002
--- openssh-3.4p1-dw/session.c Tue Jul 16 07:52:35 2002
***************
*** 461,467 ****
session_proctitle(s);

#if defined(USE_PAM)
- do_pam_session(s->pw->pw_name, NULL);
do_pam_setcred(1);
if (is_pam_password_change_required())
packet_disconnect("Password change required but no "
--- 461,466 ----
***************
*** 579,585 ****
ttyfd = s->ttyfd;

#if defined(USE_PAM)
! do_pam_session(s->pw->pw_name, s->tty);
do_pam_setcred(1);
#endif

--- 578,584 ----
ttyfd = s->ttyfd;

#if defined(USE_PAM)
! do_pam_set_tty(s->tty);
do_pam_setcred(1);
#endif

***************
*** 1204,1209 ****
--- 1203,1215 ----
* Reestablish them here.
*/
do_pam_setcred(0);
+
+ /*
+ * We need to open the session here because PAM on HP-UX does not
+ * work after the call to permanently_set_uid.
+ */
+ do_pam_session(pw->pw_name,NULL);
+
# endif /* USE_PAM */
# if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY)
irix_setusercontext(pw);

======================

Now patch the source-code as follows: patch ???p1 < hp_pam.patch

To do the compile I used:

cat > make_ssh
if [[ -r ./config.status ]] ; then
rm ./config.status
fi

sh ./configure --prefix=/usr/local --sysconfdir=/usr/local/etc --with-tcp-wrappers --with-pid-dir=/var/run/sudo --with-ssl-dir=/usr/local/ssl --with-authenticate --with-logging=file --with-goodpri=info --with-badpri=warning --without-mail-if-no-user --with-passprompt="Enter Your Password: " --with-umask=027 --with-timeout=5 --with-password-timeout=1 -tempdir=/var/tmp ???disable-suid-ssh --with-chroot --without-scard --disable-root-sudo | tee /tmp/sshbuild.log && make && make install-nokeys

====

Run sh make_ssh, et viola!

Good luck,
Andrew

Re: openssh connect problem

Bill Jenkins_1 — Thu, 28 Aug 2003 13:03:31 GMT

I appreciate the answers here. The System Admin and myself will need to consider how we will proceed. I am leaning toward using the HP ssh server.

I will update the thread with the action we took.

Re: openssh connect problem

Paulo A G Fessel — Thu, 28 Aug 2003 13:09:35 GMT

Quick solver. I've run into this just yesterday.

Edit your sshd_config file and change the line

#UsePrivilegeSeparation yes

to

UsePrivilegeSeparation no

Then, restart sshd. You should be able to login. I'm saying you this because the published patch didn't solve my problems.

HTH
Paulo Fessel

Re: openssh connect problem

Sorrel G. Jakins — Thu, 28 Aug 2003 22:21:07 GMT

We converted to HP's distribution of ssh and haven't had a problem since.