SSH (Secure Shell) A.05.10.006 and LDAP fails on trusted system (HP-UX 11iv1)

Han Barnat
Occasional Advisor

We have recently upgraded Secure Shell from A.05.00.024 to A.05.10.006.
The system we are using is a HP-UX 11iv1, a trusted system. We are also using LDAP as the resource for password authentication for a group of users.
This always worked fine, except after the last upgrade of Secure Shell.
The behaviour has changed: only the local password is accepted; the LDAP password is no longer accepted. There have been no changes in the configuration files such as /etc/pam.conf (which is in fact a copy of pam.ldap.trusted).

There are no useful error messages in the log file, and using ssh with verbose messages (ssh -v) does not show any problems.

It is also observed that after successfully logging in using the local password, a sudo to root (sudo su -) is accepted when the LDAP password has been typed in. So the system does accept the LDAP password, but only when the first login has been passed using the local password. I can't explain why the sudo password check acts differently from the normal login.

Reverting to the previous Secure Shell is possible (swinstall + option downgrade allowed); everything runs fine again and the LDAP password is accepted as usual.

The patch level of the 11iv1 is December 2008; using an older patch level does not change the above behaviour.

The LDAP server is running Red Hat Directory Server v7 (B.07.10.30); this server seems to be running fine. There are no issues with HP-UX clients running older releases of Secure Shell.

I have copied pam.ldap to pam.conf for test purposes. This means a pam.conf configuration for a NON-trusted system running on a trusted system. This worked; however, the first attempt to log in failed. A second password entry with (again) the LDAP password is accepted, however. So the sequence is slightly changed.
The original trusted pam.conf gives the option to enter the password again after a first failed attempt, but then the LDAP password is not accepted at all. Only the local password is accepted.

Any ideas?
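The poster's observation that sudo accepts the LDAP password while the SSH login does not is exactly the symptom of two services resolving to different PAM stacks, so the first thing to check is which pam.conf entry each service actually lands on (a service with no entry of its own falls through to OTHER) and how the control flags in that stack combine. The script below is an added example, not code from the poster or from HP: it parses an HP-UX style pam.conf, resolves the effective auth stack per service, and evaluates classic PAM control-flag semantics against two constructed outcomes, one where only the local (libpam_unix) password is right and one where only the LDAP (libpam_ldap) password is right. The pam.conf text, the module paths (/usr/lib/security/libpam_unix.1 and libpam_ldap.1) and the flag ordering are all assumptions chosen to illustrate the effect; they are not the poster's pam.ldap.trusted, and the example makes no claim about the root cause of the Secure Shell A.05.10.006 behaviour.

```python
"""Resolve the effective PAM 'auth' stack for a service from an HP-UX style
pam.conf and evaluate classic control-flag semantics against module outcomes.

HP-UX pam.conf rule format:  service  type  control  module_path  [options]
A service with no explicit rules for a type falls back to the OTHER entry.
This is an added illustration, not the poster's configuration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: NOT a real /etc/pam.conf. Module paths are assumed to
# follow the HP-UX 11i v1 layout; the control flags are chosen so that sudo
# and everything else (OTHER, which an unlisted sshd falls back to) treat
# the same LDAP password differently.
SAMPLE_PAM_CONF = """\
# service  type  control     module
sudo     auth  sufficient  /usr/lib/security/libpam_ldap.1
sudo     auth  required    /usr/lib/security/libpam_unix.1
OTHER    auth  required    /usr/lib/security/libpam_unix.1
OTHER    auth  sufficient  /usr/lib/security/libpam_ldap.1
"""


@dataclass
class Rule:
    service: str
    type: str
    control: str
    module: str
    options: List[str]


def parse_pam_conf(text: str) -> List[Rule]:
    """Parse pam.conf lines, ignoring comments and blank lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"pam.conf line {lineno}: expected at least 4 fields")
        service, type_, control, module, *opts = fields
        rules.append(Rule(service, type_.lower(), control.lower(), module, opts))
    return rules


def effective_stack(rules: List[Rule], service: str, type_: str = "auth") -> List[Rule]:
    """Rules for the named service, or the OTHER rules if it has none."""
    exact = [r for r in rules if r.service == service and r.type == type_]
    if exact:
        return exact
    return [r for r in rules if r.service == "OTHER" and r.type == type_]


def evaluate_stack(stack: List[Rule], outcomes: Dict[str, bool]) -> bool:
    """Classic PAM semantics: requisite fails at once; required records the
    failure but keeps going; sufficient ends the stack with success only if
    no earlier required rule failed; optional never decides by itself.
    `outcomes` maps a module basename to whether that module would accept
    the password the user typed."""
    if not stack:
        return False
    failed = False
    for rule in stack:
        ok = outcomes.get(rule.module.rsplit("/", 1)[-1], False)
        if rule.control == "requisite" and not ok:
            return False
        if rule.control == "required" and not ok:
            failed = True
        if rule.control == "sufficient" and ok and not failed:
            return True
    return not failed


# Constructed module outcomes: which password the user typed.
LOCAL_PASSWORD = {"libpam_unix.1": True, "libpam_ldap.1": False}
LDAP_PASSWORD = {"libpam_unix.1": False, "libpam_ldap.1": True}


def auth_result(conf_text: str, service: str, outcomes: Dict[str, bool]) -> bool:
    """Overall auth result for `service` under `conf_text` given `outcomes`."""
    return evaluate_stack(effective_stack(parse_pam_conf(conf_text), service), outcomes)


if __name__ == "__main__":
    rules = parse_pam_conf(SAMPLE_PAM_CONF)
    for service in ("sshd", "sudo"):
        stack = effective_stack(rules, service)
        print(f"{service}: auth stack taken from the '{stack[0].service}' entry")
        for r in stack:
            print(f"    {r.control:<10} {r.module}")
        print("    local password ->", auth_result(SAMPLE_PAM_CONF, service, LOCAL_PASSWORD))
        print("    LDAP password  ->", auth_result(SAMPLE_PAM_CONF, service, LDAP_PASSWORD))
```

In the constructed sample sshd has no entry and inherits OTHER, where libpam_unix is required before libpam_ldap is sufficient: a correct LDAP password then still fails because the required local check already failed, while sudo, which lists libpam_ldap as sufficient first, accepts either password. Running the parser over the real /etc/pam.conf (and over pam.ldap versus pam.ldap.trusted) shows in one glance which entry each service resolves to and in what order the modules are consulted, which is the check to make before concluding that a new sshd build is at fault.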
3 REPLIES
Steven E. Protter
Exalted Contributor

Re: SSH (Secure Shell) A.05.10.006 and LDAP fails on trusted system (HP-UX 11iv1)

Shalom,

Seems like you have hit a bug. I recommend reporting it and reverting to the previous version of Secure Shell.

If you have a support contract, HP may make the version available to you if you don't happen to have it lying around.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Han Barnat
Occasional Advisor

Re: SSH (Secure Shell) A.05.10.006 and LDAP fails on trusted system (HP-UX 11iv1)

The problem has been resolved by placing a software support call at HP.

The fix is a new release of Secure Shell A.5.10 which has not yet been released on the software.hp.com website.
The release info is:
A.05.10.033 for HP-UX 11i version 1

There will probably be newer releases later which incorporate the fix.

So be sure to grab the latest A.5.10.xxx release to avoid any problems.

Han Barnat
Occasional Advisor

Re: SSH (Secure Shell) A.05.10.006 and LDAP fails on trusted system (HP-UX 11iv1)

See above comments.