
HPUX Single Sign On

 
Phil Daws_2
Regular Advisor

HPUX Single Sign On

Our number of HPUX servers is increasing and we now require a way of implementing signon. My search path so far has taken me to NIS+ and LDAP. At the same time we would like to increase our level of security and run SSH/SCP instead of TELNET/FTP. What products are people using to achieve this?
11 REPLIES
Uday_S_Ankolekar
Honored Contributor

Re: HPUX Single Sign On

Hello,

Download OpenSSH for ssh/scp from HP's porting centre.

You may also have to install OpenSSL and zlib in order to install OpenSSH.

Here is the thread..
http://hpux.cs.utah.edu/hppd/

and look for openssh

-Goodluck
-USA..
Good Luck..
Phil Daws_2
Regular Advisor

Re: HPUX Single Sign On

I have compiled OpenSSH from source but still need to sort out the single sign on. I am trying to find out whether OpenSSH supports X509/LDAP.
Phil Daws_2
Regular Advisor

Re: HPUX Single Sign On

Okay, a little bit further now. I have compiled using the following options:

./configure --prefix=/opt/openssh --with-zlib=/opt/openssh/zlib --with-ssl-dir=/opt/openssh/openssl --with-pam

but it then throws up the message:

checking for pam_set_item in -lpam... no
configure: error: *** libpam missing

I have read that full PAM support will not be in HPUX until 11.23 (see URL):

http://www-unix.globus.org/mail_archive/gsi-openssh/2002/02/msg00016.html

Would somebody from HP like to comment on how I can compile it with PAM support?

Thanks
Andrew Cowan
Honored Contributor

Re: HPUX Single Sign On

Hi Phil,

Sounds like you have a couple of different problems. PAM certainly works with HP-UX; I have compiled SSH with the following:

./configure --prefix=/opt/openssh- --sysconfdir=/etc/opt/openssh --with-pam --disable-suid-ssh --with-ssl-dir=/opt/openssl- --with-zlib=/opt/zlib- --libexecdir=/usr/lib --mandir=/usr/share/man --with-xauth=/usr/bin/X11/xauth --with-rsh=/usr/bin/rsh --with-default-path=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin --with-ipv4-default --with-chroot --without-scard --with-md5-passwords

and it works on both trusted and non-trusted 11.0 systems.

I would first try downloading the latest versions of Zlib and OpenSSH from the web and try to compile it again. If this still fails I'd start looking at your PAM software.

As for raising security, neither NIS nor LDAP will do this. If you want a "secure" single-sign-on I would suggest DCE as a better bet. The problem with all central directory services is that they introduce dependence upon a central server, and there is always the risk that when it is down, you'll have login problems.

Another method is "password synchronisation", which can be achieved using products such as BMC's Control-SA or Pentasafe etc. These solutions are not cheap but have the added convenience of vendor support.

Good luck!
Phil Daws_2
Regular Advisor

Re: HPUX Single Sign On

 
Bill Hassell
Honored Contributor

Re: HPUX Single Sign On

Rather than trying to sort out all the compile/make issues, why don't you download HP's version of SSH from software.hp.com? (specifically: http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA) It is packaged in SD format so you simply run swinstall. And that's it. Default setup allows you to immediately connect using tools like PuTTY and F-Secure (you'll want to change the automatic key generation for production usage). SSH can replace the functionality of remsh, rcp and rlogin with encrypted data transfers and trust relationships that don't depend on DNS.

I haven't seen LDAP integrated into SSH yet. Be careful about single sign-on when PCs are involved. Unix boxes require 8 characters or less for a login name--no safe way to change this.


Bill Hassell, sysadmin
Phil Daws_2
Regular Advisor

Re: HPUX Single Sign On

One reason, Bill, is that I have the choice of where I install the software. Also, if there is a security alert I can recompile and distribute potentially before HP release a new version. Perhaps you could supply the compile options and library versions that were used to compile HP Secure Shell. Are you using non-standard binaries? What version of /usr/lib/libpam.1 was it compiled with?
Bill Hassell
Honored Contributor

Re: HPUX Single Sign On

No ideas about how the HP version was created. I would suggest getting the latest authentication patches for PAM. For 11.0: PHCO_25527 and PHCO_25590, for 11i: PHCO_24839 and PHCO_25526. Since they are PHCO patches, they won't require a reboot.


Bill Hassell, sysadmin
Phil Daws_2
Regular Advisor

Re: HPUX Single Sign On

These have already been applied, Bill :(