04-01-2009 07:13 AM
OpenVMS SSH Login Issues and Passwords
Site runs 2 x OpenVMS/Alpha 7.3-2, patched as recently as possible. TCPIP Services for OpenVMS/Alpha 5.4 ECO 7. SSH "-V" gets back "SSH Secure Shell OpenVMS (V5.5) 3.2.0 and AlphaServer ES40 - VMS V7.3-2"
One server is a production system, the other is the test/development box for the production system. Identically configured except for the specific disks they talk to. Separate system disks, but one is a copy of the other, different only in the network specifics like interface names and numbers, domain names, etc. The SSHD2_CONFIG files are an exact copy of one another except for server key names (KEY_22_NODE_DOMAIN_ etc etc etc).
Both machines are configured via password policy module to require complex passwords with upper case, lower case, punctuation, and digits. Users are required to have passwords not less than 9 characters; some are set higher due to privileges on their account. This is a DoD machine so I'm required to make it that complex. These features were tested before and after enabling SSH. No problems noted at any time. The policy module ONLY looks at the clear-text password and says OK or BAD.
Our environment has SOME user accounts that log in batch-mode, server to server, using RSA 1024 or higher keys. No problems there.
The problem user is in the group that uses interactive sessions. They are allowed to log in via password exchange but must have the server's key on their client desktop machine. The ones who use passwords cannot use RSA keys because of DoD regulations about the keys they are required to use from workstations.
The servers in question are running as SSH servers to a series of Windows clients running Reflections v 14.0 or later. We are configured to use protocol 2 only, all the ciphers and hashes are allowed EXCEPT "none." The "Re-use existing session if possible" is UNCHECKED. (Doesn't work right if you check it.)
We have two NICs on the box, one to a purely in-house network not exposed to the outside world, on which TELNET is still allowed. Very short-run network, and our users are nation-wide if not world-wide, so putting them on the TELNET-only network is not an option. We have an interface exposed to the world on which ONLY SSH-style login is allowed.
OK, enough configuration and architecture:
I have a user who has problems logging in to the test/dev box but not the production box. I have been able to sporadically duplicate the conditions but so far haven't found out why, and there is no regularity to it. Sometimes it happens, sometimes not.
She clicks the pre-defined Reflections icon that includes the host name and her username, gets the "enter password for username" challenge OK, and enters her password. She claims to have a 20-character password on the production box, which likes what she does and lets her in. The same password on the test/dev box does not let her in.
So I thought, maybe the passwords somehow got desynchronized. After warning the other developers, I copied the production SYSUAF file to the test/dev box - but my problem user is still unable to log in. Keeps getting a request for the account's password - which is typical behavior for failing login.
Eventually it tosses her off when it reaches three failed attempts. She shows up in the intrusion list. I reset that list. She tries again. Fails again.
If I then manually change the password on the test/dev account to something that she has to change at next login, she can get in on the next attempt AND the change works fine. All this time, she still has no problem on the production box. The date of last password change on either account is less than a week old at the time this happens, and her password lifetime is 60 days, so it was not an expired password. Her login flags don't have DisUser set, so that's not it.
Other symptoms & comments: I have a 15-character password on both systems. Using the in-house sub-net that allows TELNET, I can get in OK. Using the other network and the same exact password, it locked up on me this morning via SSH. Once it locks up, I can't get in on that subnet - but still can log in with the same password on the TELNET-allowed subnet.
I check for intruder records and sure enough, I'm listed as an intruder. From the TELNET session I delete the intruder records, wait a couple of seconds, and try again. Still locked up.
Later on in the day, both networks let me in via SSH on the same password, no hesitations. This smells to high heaven like there's a hidden timing issue that I'm not controlling and not aware of. But the manual that came with the SSH download doesn't seem to address this kind of timing issue.
Anyone out there have any ideas?
04-01-2009 08:57 AM
Re: OpenVMS SSH Login Issues and Passwords
Craig
04-01-2009 09:19 AM
Re: OpenVMS SSH Login Issues and Passwords
I get audit entries where it updates her UAF record with SYSUAFRECMOD (I guess to update her login failure count). Closely coupled to that, based on time stamps, is "NETLOGFAI" with sub-error "NOTVALID" error and after a few tries, "NETBREDET" with sub-error "EVADE."
In either case, the time stamps show the SYSUAF update and the login failure to be at the same time of day to the second.
Thing is, when I clear the evasion database, that doesn't seem to be enough. My problem is that everything looks exactly right for it to be fat-fingering - except that it happened to ME. So I switched from touch-type to hunt-n-peck mode to be flat-out sure I got it right. With intrusion database emptied, still no joy. Until an hour later it let me in again - WITHOUT my password being changed from when it failed.
I am wondering if emptying out the intrusion database with $ DELETE/INTRUSION * isn't enough to make the system let people back in.
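To make the interaction of the break-in parameters concrete, here is an added Python model of the OpenVMS intrusion database. It is not OpenVMS code and not something posted in this thread. It follows the documented roles of the SYSGEN parameters LGI_BRK_LIM (failures before a suspect becomes an intruder), LGI_BRK_TMO (how long a suspect record lives after its last failure), LGI_HID_TIM (how long evasion lasts) and LGI_RETRY_LIM (tries per login session), with the OpenVMS default values. Assumptions: the suspect key is taken to be the remote source string from the audit record plus a username (the username `jdoe` is hypothetical), tries within one session are modelled one second apart, and the random padding that OpenVMS adds above LGI_HID_TIM is left out.

```python
"""Toy model of OpenVMS break-in detection and evasion (added illustration)."""


class IntrusionDatabase:
    """Suspect/intruder bookkeeping driven by the LGI_* parameters.

    Defaults are the OpenVMS defaults. A wrong password creates or updates a
    SUSPECT record that lives LGI_BRK_TMO seconds past its last failure; the
    LGI_BRK_LIM-th failure turns it into an INTRUDER record that lives
    LGI_HID_TIM seconds, during which every login from that source is refused
    with EVADE, correct password or not. Simplification: OpenVMS pads the
    evasion window above LGI_HID_TIM by a random amount; this model does not.
    """

    def __init__(self, brk_lim=5, brk_tmo=300, hid_tim=300, retry_lim=3):
        self.brk_lim = brk_lim      # LGI_BRK_LIM
        self.brk_tmo = brk_tmo      # LGI_BRK_TMO
        self.hid_tim = hid_tim      # LGI_HID_TIM
        self.retry_lim = retry_lim  # LGI_RETRY_LIM
        self.records = {}           # key -> {"count", "intruder", "expires"}

    def _live_record(self, key, now):
        rec = self.records.get(key)
        if rec is not None and now >= rec["expires"]:
            del self.records[key]   # aged-out records disappear
            rec = None
        return rec

    def login(self, key, now, password_ok):
        """One password attempt; returns 'OK', 'NOTVALID' or 'EVADE'."""
        rec = self._live_record(key, now)
        if rec is not None and rec["intruder"]:
            return "EVADE"          # refused even with the right password
        if password_ok:
            return "OK"
        if rec is None:
            rec = self.records[key] = {"count": 0, "intruder": False, "expires": 0}
        rec["count"] += 1
        if rec["count"] >= self.brk_lim:
            rec["intruder"] = True
            rec["expires"] = now + self.hid_tim
        else:
            rec["expires"] = now + self.brk_tmo
        return "NOTVALID"

    def session(self, key, now, password_ok):
        """One interactive login: up to LGI_RETRY_LIM tries, one second apart,
        then the connection is dropped. Returns the per-try results."""
        results = []
        for i in range(self.retry_lim):
            results.append(self.login(key, now + i, password_ok))
            if results[-1] == "OK":
                break
        return results

    def show_intrusion(self, now):
        """Like $ SHOW INTRUSION: live records with their type and count."""
        return {k: ("INTRUDER" if v["intruder"] else "SUSPECT", v["count"])
                for k, v in self.records.items() if now < v["expires"]}

    def delete_intrusion(self, key=None):
        """$ DELETE/INTRUSION * (key=None) or a single record."""
        if key is None:
            self.records.clear()
        else:
            self.records.pop(key, None)


def walkthrough():
    """Replay the pattern described in the thread against the model and
    return the observable result of each step."""
    # Assumed suspect key: the remote source from the audit record plus a
    # hypothetical username.
    key = ("SSH_PASSWORD:10.29.12.56", "jdoe")
    db = IntrusionDatabase()
    s1 = db.session(key, now=0, password_ok=False)    # 3 fails, dropped
    state = db.show_intrusion(now=5)[key]              # still only a SUSPECT
    s2 = db.session(key, now=10, password_ok=False)   # fails 4 and 5, then EVADE
    s3 = db.session(key, now=30, password_ok=True)    # right password, refused
    db.delete_intrusion()                              # $ DELETE/INTRUSION *
    s4 = db.session(key, now=40, password_ok=True)    # accepted again

    # Same source without the deletion: evasion ends when LGI_HID_TIM expires.
    db2 = IntrusionDatabase()
    for t in range(5):
        db2.login(key, now=t, password_ok=False)       # becomes INTRUDER at t=4
    blocked = db2.login(key, now=100, password_ok=True)
    released = db2.login(key, now=4 + db2.hid_tim, password_ok=True)
    return {"s1": s1, "state": state, "s2": s2, "s3": s3, "s4": s4,
            "blocked": blocked, "released": released}


if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(step, result)
```

In this model removing the record with DELETE/INTRUSION releases the source at once, and without the deletion the block lasts the LGI_HID_TIM window; a lockout of an hour with default parameters does not fit either path, so the live LGI_BRK_LIM, LGI_BRK_TMO and LGI_HID_TIM values on the affected box (readable with SYSGEN SHOW) are worth comparing against the production one.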
04-01-2009 09:31 AM
Re: OpenVMS SSH Login Issues and Passwords
Can you post an example audit record please.
Craig
04-01-2009 09:51 AM
Re: OpenVMS SSH Login Issues and Passwords
A sample of the UAF update (of login failures)
Security alarm (SECURITY) and security audit (SECURITY) on RHSC05, system id: 20492
Auditable event: System UAF record modification
Event time: 23-MAR-2009 15:10:46.97
PID: 00000477
Process name: TCPIP$SSH_BG594
Username: TCPIP$SSH
Process owner: [TCPIP$AUX,TCPIP$SSH]
Image name: $1$DGA1:[SYS0.SYSCOMMON.][SYSEXE]TCPIP$SSH_SSHD2.EXE
Object class name: FILE
Object name: SYS$COMMON:[SYSEXE]SYSUAF.DAT;6
User record: {obscured}
Flags: New: DISCTLY,DEFCLI,DISRECONNECT,PWDMIX
Original: DISCTLY,DEFCLI,DISRECONNECT,PWDMIX
Login failures: New: 1
Original: 0
Posix UID: -2
Posix GID: -2 (%XFFFFFFFE)
A sample of the "password not valid" followed by an evasion record.
Security alarm (SECURITY) and security audit (SECURITY) on RHSC05, system id: 20492
Auditable event: Network breakin detection
Event time: 27-MAR-2009 08:29:16.47
PID: 00001145
Process name: TCPIP$SS_BG8846
Username: {obscured}
Password:
Remote node fullname: SSH_PASSWORD:10.29.12.56
Remote username: {obscured}(LOCAL)
Status: %LOGIN-F-NOTVALID, user authorization failure
Security alarm (SECURITY) and security audit (SECURITY) on RHSC05, system id: 20492
Auditable event: Network breakin detection
Event time: 27-MAR-2009 08:29:26.25
PID: 00001145
Process name: TCPIP$SS_BG8846
Username: {obscured}
Password:
Remote node fullname: SSH_PASSWORD:10.29.12.56
Remote username: {obscured} (LOCAL)
Status: %LOGIN-F-EVADE, break-in evasion in effect
NOTE that the password is listed as
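The audit records above are plain "Field: value" text, so the time correlation the poster did by eye can be scripted. The following is an added Python example, not code from this thread or from HP; it parses the record format shown (one record per "Security alarm ..." header line), groups the break-in audits by remote source and username, reports the %LOGIN-F-* codes in time order, the delay from the first NOTVALID to the first EVADE, and any SYSUAF "Login failures" counter change logged within a second of a failure. The sample input is constructed from the records quoted in the post, with the UAF update moved into the same second as the first failure, as the poster describes; usernames are left as {obscured}.

```python
"""Correlate OpenVMS security-audit records from failed SSH password logins."""
import re
from collections import defaultdict
from datetime import datetime

HEADER = "Security alarm (SECURITY) and security audit (SECURITY)"
TIME_FMT = "%d-%b-%Y %H:%M:%S.%f"

# Constructed sample: the records quoted in the post, with the UAF update
# placed in the same second as the first failure, as the poster describes.
SAMPLE = """\
Security alarm (SECURITY) and security audit (SECURITY) on RHSC05, system id: 20492
Auditable event: System UAF record modification
Event time: 27-MAR-2009 08:29:16.97
PID: 00001145
Process name: TCPIP$SS_BG8846
Username: TCPIP$SSH
Process owner: [TCPIP$AUX,TCPIP$SSH]
Image name: $1$DGA1:[SYS0.SYSCOMMON.][SYSEXE]TCPIP$SSH_SSHD2.EXE
Object class name: FILE
Object name: SYS$COMMON:[SYSEXE]SYSUAF.DAT;6
User record: {obscured}
Flags: New: DISCTLY,DEFCLI,DISRECONNECT,PWDMIX
Original: DISCTLY,DEFCLI,DISRECONNECT,PWDMIX
Login failures: New: 1
Original: 0
Security alarm (SECURITY) and security audit (SECURITY) on RHSC05, system id: 20492
Auditable event: Network breakin detection
Event time: 27-MAR-2009 08:29:16.47
PID: 00001145
Process name: TCPIP$SS_BG8846
Username: {obscured}
Password:
Remote node fullname: SSH_PASSWORD:10.29.12.56
Remote username: {obscured}(LOCAL)
Status: %LOGIN-F-NOTVALID, user authorization failure
Security alarm (SECURITY) and security audit (SECURITY) on RHSC05, system id: 20492
Auditable event: Network breakin detection
Event time: 27-MAR-2009 08:29:26.25
PID: 00001145
Process name: TCPIP$SS_BG8846
Username: {obscured}
Password:
Remote node fullname: SSH_PASSWORD:10.29.12.56
Remote username: {obscured} (LOCAL)
Status: %LOGIN-F-EVADE, break-in evasion in effect
"""


def parse_records(text):
    """Split the audit text at each alarm header into a list of field dicts.

    'Login failures' keeps its 'New:' value; the 'Original:' line that follows
    it is stored as 'Login failures original'. Each record also gets a parsed
    'time' and the %LOGIN-F-* 'code' (None for non-login events).
    """
    records, current = [], None
    for line in text.splitlines():
        if line.startswith(HEADER):
            current = {}
            records.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")      # split at the first colon only
        key, value = key.strip(), value.strip()
        if key == "Original" and "Login failures" in current:
            current["Login failures original"] = value
        elif key == "Login failures":
            current[key] = value.partition(":")[2].strip()
        else:
            current[key] = value
    for rec in records:
        rec["time"] = datetime.strptime(rec["Event time"], TIME_FMT)
        m = re.search(r"%LOGIN-F-(\w+)", rec.get("Status", ""))
        rec["code"] = m.group(1) if m else None
    return records


def correlate(text, window=1.0):
    """Group break-in audits by (remote source, username) and attach any
    SYSUAF modification logged within `window` seconds of a failure."""
    records = parse_records(text)
    failures = defaultdict(list)
    for rec in records:
        if rec.get("Auditable event") == "Network breakin detection":
            failures[(rec["Remote node fullname"], rec["Username"])].append(rec)
    uaf_updates = [r for r in records
                   if r.get("Auditable event") == "System UAF record modification"]
    report = {}
    for key, recs in failures.items():
        recs.sort(key=lambda r: r["time"])
        first_bad = next((r for r in recs if r["code"] == "NOTVALID"), None)
        first_evade = next((r for r in recs if r["code"] == "EVADE"), None)
        delay = None
        if first_bad and first_evade:
            delay = (first_evade["time"] - first_bad["time"]).total_seconds()
        near = [u for u in uaf_updates
                if any(abs((u["time"] - r["time"]).total_seconds()) <= window
                       for r in recs)]
        report[key] = {
            "codes": [r["code"] for r in recs],
            "seconds_to_evade": delay,
            "uaf_counter": [(u.get("Login failures original"), u.get("Login failures"))
                            for u in near],
        }
    return report


if __name__ == "__main__":
    for key, info in correlate(SAMPLE).items():
        print(key, info)
```

Feeding it the output of an ANALYZE/AUDIT run over the journal for the day, rather than the three hand-picked records, would show whether the UAF counter really moves on every refused attempt and how long the gap between the last NOTVALID and the first successful login is, which is the timing the poster suspects.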
04-02-2009 03:56 PM
Re: OpenVMS SSH Login Issues and Passwords
You say they are identically configured, are you referring to SSH? Is there a difference in the config file SSH2_CONFIG. on each server?
What about when the service locks up? What is "tcpip show service ssh /full" saying?
Does "netstat -an" or other derivative give you any clues when it "locks up"? CLOSE_WAIT state perhaps?
Are the sysconfig settings the same on both hosts: "tcpip sysconfig -q net"?
Regards
Mark
04-03-2009 05:44 AM
Re: OpenVMS SSH Login Issues and Passwords
"You say they are identically configured, are you referring to SSH? Is there a difference in the config file SSH2_CONFIG. on each server?"
Yes to 1st, slight differences to 2nd. The SSHD2_CONFIG files are the same except that the host key names are different. This is not a cluster so they don't share a common key. The server's SSH2_CONFIG file isn't in play because this is a Non-VMS SSH client. The client configs are Windows workstation-related and are identical except for node name to which the user connects. I've gone over the Reflections configuration until I'm blue in the face. (Good thing blue is one of my good colors.)
"What about when the service locks up? What is "tcpip show service ssh /full" saying?"
The same on both servers, whatever it is.
"Does "netstat -an" or other derivative give you any clues when it "locks up"? CLOSE_WAIT state perhaps?"
Have to admit I hadn't tried that one. I'll add it to my list for the next time this happens.
"Are the sysconfig settings the same on both hosts: "tcpip sysconfig -q net"?"
Other than a difference in the usage levels as reflected by the ovms_unit_count and ovms_unit_creates, they are the same. Also a difference in ovms_unit_seed, but I'm not sure what that is and whether being different makes a difference for this problem. The arp??? stuff is the same. The unit limit, min, max, and fast_credel are the same. The lo_def_ip_mtu is the same. The ifqmaxlen is the same.
05-08-2009 12:50 AM
Re: OpenVMS SSH Login Issues and Passwords
We have had a similar problem using SSH from Linux to VMS.
User failed at logon.
We changed password via SET PASS and he could log in.
Changed password via AUTHORIZE MOD USER /PASS=... and he couldn't.
No idea why this is so. Yet !
DBM
05-08-2009 03:24 AM
Re: OpenVMS SSH Login Issues and Passwords
If a password is set by AUTHORIZE, then it is set to /PWDEXPIRED by default.
Do AUTHORIZE modify user/passw=pass /NOPWDEXP the next time.
05-08-2009 03:50 AM