OpenVMS SSH Login Issues and Passwords

Richard W Hunt
Valued Contributor

OpenVMS SSH Login Issues and Passwords

Apologies that this is a bit long, but I didn't want to leave out config info that might help someone figure out what's up.

Site runs 2 x OpenVMS/Alpha 7.3-2, patched as recently as possible. TCPIP Services for OpenVMS/Alpha 5.4 ECO 7. SSH "-V" gets back "SSH Secure Shell OpenVMS (V5.5) 3.2.0 and AlphaServer ES40 - VMS V7.3-2"

One server is a production system, the other is the test/development box for the production system. Identically configured except for the specific disks they talk to. Separate system disks, but one is a copy of the other, different only in the network specifics like interface names and numbers, domain names, etc. The SSHD2_CONFIG files are an exact copy of one another except for server key names (KEY_22_NODE_DOMAIN_ etc etc etc).

Both machines are configured via password policy module to require complex passwords with upper case, lower case, punctuation, and digits. Users are required to have passwords not less than 9 characters; some are set higher due to privileges on their account. This is a DoD machine so I'm required to make it that complex. These features were tested before and after enabling SSH. No problems noted at any time. The policy module ONLY looks at the clear-text password and says OK or BAD.

Our environment has SOME user accounts that log in batch-mode, server to server, using RSA 1024 or higher keys. No problems there.

The problem user is in the group that uses interactive sessions. They are allowed to log in via password exchange but must have the server's key on their client desktop machine. The ones who use passwords cannot use RSA keys because of DoD regulations about the keys they are required to use from workstations.

The servers in question are running as SSH servers to a series of Windows clients running Reflections v 14.0 or later. We are configured to use protocol 2 only, all the ciphers and hashes are allowed EXCEPT "none." The "Re-use existing session if possible" is UNCHECKED. (Doesn't work right if you check it.)

We have two NICs on the box, one to a purely in-house network not exposed to the outside world, on which TELNET is still allowed. Very short-run network, and our users are nation-wide if not world-wide, so putting them on the TELNET-only network is not an option. We have an interface exposed to the world on which ONLY SSH-style login is allowed.

OK, enough configuration and architecture:

I have a user who has problems logging in to the test/dev box but not the production box. I have been able to sporadically duplicate the conditions but so far haven't found out why, and there is no regularity to it. Sometimes it happens, sometimes not.

She clicks the pre-defined Reflections icon that includes the host name and her username, gets the "enter password for username" challenge OK, and enters her password. She claims to have a 20-character password on the production box, which likes what she does and lets her in. The same password on the test/dev box does not let her in.

So I thought, maybe the passwords somehow got desynchronized. After warning the other developers, I copied the production SYSUAF file to the test/dev box - but my problem user is still unable to log in. Keeps getting a request for the account's password - which is typical behavior for failing login.

Eventually it tosses her off when it reaches three failed attempts. She shows up in the intrusion list. I reset that list. She tries again. Fails again.

If I then manually change the password on the test/dev account to something that she has to change at next login, she can get in on the next attempt AND the change works fine. All this time, she still has no problem on the production box. The date of last password change on either account is less than a week old at the time this happens, and her password lifetime is 60 days, so it was not an expired password. Her login flags don't have DisUser set, so that's not it.

Other symptoms & comments: I have a 15-character password on both systems. Using the in-house sub-net that allows TELNET, I can get in OK. Using the other network and the same exact password, it locked up on me this morning via SSH. Once it locks up, I can't get in on that subnet - but still can log in with the same password on the TELNET-allowed subnet.

I check for intruder records and sure enough, I'm listed as an intruder. From the TELNET session I delete the intruder records, wait a couple of seconds, and try again. Still locked up.

Later on in the day, both networks let me in via SSH on the same password, no hesitations. This smells to high heaven like there's a hidden timing issue that I'm not controlling and not aware of. But the manual that came with the SSH download doesn't seem to address this kind of timing issue.

Anyone out there have any ideas?
Sr. Systems Janitor
10 REPLIES
Craig A
Valued Contributor

Re: OpenVMS SSH Login Issues and Passwords

The first thing I would do is to enable security audits for login failures and see what throws up.

Craig
Richard W Hunt
Valued Contributor

Re: OpenVMS SSH Login Issues and Passwords

Auditing was enabled.

I get audit entries where it updates her UAF record with SYSUAFRECMOD (I guess to update her login failure count). Closely coupled to that, based on time stamps, is "NETLOGFAI" with sub-error "NOTVALID" error and after a few tries, "NETBREDET" with sub-error "EVADE."

In either case, the time stamps show the SYSUAF update and the login failure to be at the same time of day to the second.

Thing is, when I clear the evasion database, that doesn't seem to be enough. My problem is that everything looks exactly right for it to be fat-fingering - except that it happened to ME. So I switched from touch-type to hunt-n-peck mode to be flat-out sure I got it right. With intrusion database emptied, still no joy. Until an hour later it let me in again - WITHOUT my password being changed from when it failed.

I am wondering if emptying out the intrusion database with $ DELETE/INTRUSION * isn't enough to make the system let people back in.

Sr. Systems Janitor
Craig A
Valued Contributor

Re: OpenVMS SSH Login Issues and Passwords

Richard

Can you post an example audit record please.

Craig
Richard W Hunt
Valued Contributor

Re: OpenVMS SSH Login Issues and Passwords

OK, here's a couple of examples. I have to obscure the username and some other things for DoD regs, but this might be helpful.

A sample of the UAF update (of login failures)

Security alarm (SECURITY) and security audit (SECURITY) on RHSC05, system id: 20492
Auditable event: System UAF record modification
Event time: 23-MAR-2009 15:10:46.97
PID: 00000477
Process name: TCPIP$SSH_BG594
Username: TCPIP$SSH
Process owner: [TCPIP$AUX,TCPIP$SSH]
Image name: $1$DGA1:[SYS0.SYSCOMMON.][SYSEXE]TCPIP$SSH_SSHD2.EXE
Object class name: FILE
Object name: SYS$COMMON:[SYSEXE]SYSUAF.DAT;6
User record: {obscured}
Flags: New: DISCTLY,DEFCLI,DISRECONNECT,PWDMIX
Original: DISCTLY,DEFCLI,DISRECONNECT,PWDMIX
Login failures: New: 1
Original: 0
Posix UID: -2
Posix GID: -2 (%XFFFFFFFE)

A sample of the "password not valid" followed by an evasion record.

Security alarm (SECURITY) and security audit (SECURITY) on RHSC05, system id: 20492
Auditable event: Network breakin detection
Event time: 27-MAR-2009 08:29:16.47
PID: 00001145
Process name: TCPIP$SS_BG8846
Username: {obscured}
Password:
Remote node fullname: SSH_PASSWORD:10.29.12.56
Remote username: {obscured}(LOCAL)
Status: %LOGIN-F-NOTVALID, user authorization failure

Security alarm (SECURITY) and security audit (SECURITY) on RHSC05, system id: 20492
Auditable event: Network breakin detection
Event time: 27-MAR-2009 08:29:26.25
PID: 00001145
Process name: TCPIP$SS_BG8846
Username: {obscured}
Password:
Remote node fullname: SSH_PASSWORD:10.29.12.56
Remote username: {obscured} (LOCAL)
Status: %LOGIN-F-EVADE, break-in evasion in effect

NOTE that the password is listed as in the latter entry. I.e. she DIDN'T fat-finger the password. It was being evasive.
Sr. Systems Janitor
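The audit records quoted above have a regular "Field: value" layout, so a saved audit listing can be split into records and the NOTVALID-then-EVADE sequence picked out per SSH process. This is an added example, not code from the thread or from HP; the sample text is constructed in that layout with a placeholder username (JDOE) and the source address from the posted records.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the audit records quoted above; JDOE is a placeholder.
SAMPLE = """\
Security alarm (SECURITY) and security audit (SECURITY) on RHSC05, system id: 20492
Auditable event: System UAF record modification
PID: 00000477
Username: TCPIP$SSH
Login failures: New: 1

Auditable event: Network breakin detection
Event time: 27-MAR-2009 08:29:16.47
PID: 00001145
Username: JDOE
Remote node fullname: SSH_PASSWORD:10.29.12.56
Status: %LOGIN-F-NOTVALID, user authorization failure

Auditable event: Network breakin detection
Event time: 27-MAR-2009 08:29:26.25
PID: 00001145
Username: JDOE
Remote node fullname: SSH_PASSWORD:10.29.12.56
Status: %LOGIN-F-EVADE, break-in evasion in effect
"""

def parse_audit(text):
    """Split an audit listing into records, each a dict of its 'Field: value' lines."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, val = line.partition(":")   # split on the first colon only
            if sep:
                rec[key.strip()] = val.strip()
        records.append(rec)
    return records

def evasion_sessions(records):
    """(username, source, pid) for each SSH process whose NOTVALID was followed by EVADE."""
    by_pid = defaultdict(list)
    for r in records:
        if r.get("Auditable event") == "Network breakin detection":
            by_pid[r["PID"]].append(r)
    hits = []
    for pid, evs in by_pid.items():
        codes = [e.get("Status", "").split(",")[0] for e in evs]
        if "%LOGIN-F-NOTVALID" in codes and codes[-1] == "%LOGIN-F-EVADE":
            src = evs[0]["Remote node fullname"].rsplit(":", 1)[-1]
            hits.append((evs[0]["Username"], src, pid))
    return hits
```

A hit means the later refusals came from break-in evasion rather than from a further wrong password, which is the distinction the records above turn on.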
MarkOfAus
Valued Contributor

Re: OpenVMS SSH Login Issues and Passwords

Richard,

You say they are identically configured, are you referring to SSH? Is there a difference in the config file SSH2_CONFIG. on each server?

What about when the service locks up? What is "tcpip show service ssh /full" saying?

Does "netstat -an" or other derivative give you any clues when it "locks up"? CLOSE_WAIT state perhaps?

Are the sysconfig settings the same on both hosts: "tcpip sysconfig -q net"?


Regards
Mark
Richard W Hunt
Valued Contributor

Re: OpenVMS SSH Login Issues and Passwords

Mark:

"You say they are identically configured, are you referring to SSH? Is there a difference in the config file SSH2_CONFIG. on each server?"

Yes to 1st, slight differences to 2nd. The SSHD2_CONFIG files are the same except that the host key names are different. This is not a cluster so they don't share a common key. The server's SSH2_CONFIG file isn't in play because this is a Non-VMS SSH client. The client configs are Windows workstation-related and are identical except for node name to which the user connects. I've gone over the Reflections configuration until I'm blue in the face. (Good thing blue is one of my good colors.)

"What about when the service locks up? What is "tcpip show service ssh /full" saying?"

The same on both servers, whatever it is.

"Does "netstat -an" or other derivative give you any clues when it "locks up"? CLOSE_WAIT state perhaps?"

Have to admit I hadn't tried that one. I'll add it to my list for the next time this happens.

"Are the sysconfig settings the same on both hosts: "tcpip sysconfig -q net"?"

Other than a difference in the usage levels as reflected by the ovms_unit_count and ovms_unit_creates, they are the same. Also a difference in ovms_unit_seed, but I'm not sure what that is and whether being different makes a difference for this problem. The arp??? stuff is the same. The unit limit, min, max, and fast_credel are the same. The lo_def_ip_mtu is the same. The ifqmaxlen is the same.

Sr. Systems Janitor
david mason_3
Occasional Visitor

Re: OpenVMS SSH Login Issues and Passwords


We have had a similar problem using SSH from Linux to VMS.
User failed at logon.
We changed password via SET PASS and he could log in.
Changed password via AUTHORIZE MOD USER /PASS=... and he couldn't.

No idea why this is so. Yet !

DBM
Joseph Huber_1
Honored Contributor

Re: OpenVMS SSH Login Issues and Passwords

I don't know if the problem is solved by TCPIP services 5.6, but SSH had/has problems handling expired passwords.
If a password is set by AUTHORIZE, then it is set to /PWDEXPIRED by default.
Do AUTHORIZE modify user/passw=pass /NOPWDEXP the next time.
http://www.mpp.mpg.de/~huber
Joseph Huber_1
Honored Contributor

Re: OpenVMS SSH Login Issues and Passwords

And see also:

http://h71000.www7.hp.com/wizard/wiz_9880.html
http://www.mpp.mpg.de/~huber
Richard W Hunt
Valued Contributor

Re: OpenVMS SSH Login Issues and Passwords

This might be a bizarre interaction due to the size of the password, though I didn't think that should have made a difference.

I used to tell my users that they could have longer passwords if they wanted. Some of them take the approach of using a phrase as their password. Before we switched away from TELNET to SSH, the user complaining most often was using a phrase requiring 20 characters. She was reporting this issue all the time. Eventually, she came to the conclusion that she couldn't type. (No, that isn't the whole story - because remember that it happened to me, too.) So she shortened her password to 14 characters. Seems to be happening less.

I wonder if, because Reflection is running on a Windows box, it is limiting the size of the passwords to 14 characters? It doesn't seem to do that for me because my passwords are also short phrases that might go over 14 characters now and then. But I don't know if I tested all possible situations. I have to admit being somewhat of a rookie with managing SSH as compared to other types of OpenVMS security management.

One factor I discovered was that I had to allow for authentication method kbd-interactive (or however it is spelled in that particular parameter). Because for reasons unknown, Reflection wants to be part of the process when you have an expired password at login time. Which you will have if I had just reset your password. Instead of the standard OpenVMS Old Password:, New Password:, etc., a WINDOWS dialog box pops up with the equivalent request. But I cannot tell whether that is a contributor or just an innocent bystander in this mess.
Sr. Systems Janitor