
SSH on 11i

 
Deborah Weatherspoon
Frequent Advisor

SSH on 11i

We have installed secure shell (ssh) on a trusted 11i system. However, the users are not required to change their password. But if they telnet into the system, the aging process works and requests them to change their password. It seems as though ssh works like a secure console.

Does anyone have a solution for making the aging process work using ssh? The ssh version is 3.0.

Thanks in advance
7 REPLIES 7
Michael Tully
Honored Contributor

Re: SSH on 11i

Hi,

I think your answer lies here, courtesy of Craig Rants.

HTH
Michael

ssh needs to be compiled with the pam option to work with password aging i.e...

- Compile openssh
cd /tmp
gzip -d < openssh-3.1p1.tar.gz | tar xvf -
cd openssh-3.1p1
(11 version)
./configure --prefix=/opt/openssh2 --sysconfdir=/opt/openssh2/etc --with-pam \
  --with-ssl-dir=/usr/local/openssl/lib --with-default-path=/bin:/usr/bin:/opt/openssh2/bin
(10 version)
./configure --prefix=/opt/openssh2 --sysconfdir=/opt/openssh2/etc \
  --with-ssl-dir=/usr/local/ssl/lib --with-default-path=/bin:/usr/bin:/opt/openssh2/bin
make
make install
Anyone for a Mutiny ?
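
An added example, not part of the post above or of OpenSSH itself: a check to run in the build directory after ./configure and before make install, confirming that the tree really was configured with PAM, since a build without it will skip password aging. It assumes configure records PAM support as "#define USE_PAM 1" in config.h and adds -lpam to the LIBS line of the generated Makefile; the function names and the sample tree are hypothetical.

```shell
#!/bin/sh
# Added example: report whether an OpenSSH build tree was configured with PAM.
# Assumptions: config.h carries "#define USE_PAM 1" when PAM is enabled, and
# the generated Makefile lists -lpam on its LIBS line.

# pam_build_status <build-dir>
# Prints one of: pam | no-pam | inconsistent | not-configured
pam_build_status() {
    dir=$1
    if [ ! -f "$dir/config.h" ] || [ ! -f "$dir/Makefile" ]; then
        echo not-configured
        return 0
    fi
    def=no
    lib=no
    # Match an active define only, not the commented "/* #undef USE_PAM */".
    if grep -E '^[[:space:]]*#[[:space:]]*define[[:space:]]+USE_PAM([[:space:]]|$)' \
        "$dir/config.h" >/dev/null; then
        def=yes
    fi
    # Match -lpam as a whole word on the LIBS line.
    if grep -E '^LIBS[[:space:]]*=' "$dir/Makefile" |
        grep -E '(^|[[:space:]=])-lpam([[:space:]]|$)' >/dev/null; then
        lib=yes
    fi
    case "$def/$lib" in
        yes/yes) echo pam ;;
        no/no)   echo no-pam ;;
        *)       echo inconsistent ;;   # define and link line disagree
    esac
}

# Constructed sample build tree for demonstration (not real configure output).
make_sample_tree() {
    mkdir -p "$1"
    if [ "$2" = with-pam ]; then
        echo '#define USE_PAM 1' > "$1/config.h"
        echo 'LIBS=-lpam -ldl -lz -lcrypto' > "$1/Makefile"
    else
        echo '/* #undef USE_PAM */' > "$1/config.h"
        echo 'LIBS=-lz -lcrypto' > "$1/Makefile"
    fi
}

# When run with a directory argument, report on that build tree.
if [ $# -gt 0 ]; then
    pam_build_status "$1"
fi
```

A result of no-pam or inconsistent means the configure step should be rerun with --with-pam before installing.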
Thomas D. Harrison
Frequent Advisor

Re: SSH on 11i

I've had the same trouble and I think I'll try Michael's solution ( Courtesy of Craig Rants of course ).

To catch the expired passwords I wrote a script that at least notified me of the expired passwords, inactive accounts, etc...

It's actually a pretty nice script to run even with this issue resolved by recompiling SSH.

It will require minor modifications and please excuse the lack of finesse; I hadn't taken a scripting class yet.
Imbibo ergo sum.
Deborah Weatherspoon
Frequent Advisor

Re: SSH on 11i

Sorry, but I'm back.

When I re-compiled ssh, I received the following error message: "configure: error: configuring with X but xauth not found - aborting."

I was wondering if Thomas Harrison was able to get it working.

I also see that HP has a CD that was dated June 6.
Steven Sim Kok Leong
Honored Contributor

Re: SSH on 11i

Hi,

If you are running the same release of SSH I am thinking of, you can run ./configure with the following option to disable X11 Forwarding/Tunnelling over SSH if you do not need it:

# ./configure --without-x

If you need X11 Forwarding, then you will need the xauth binary to be present on your system; specify the correct full pathname to it or set the PATH correctly.

A common xauth path:

# /usr/bin/X11/xauth

Hope this helps. Regards.

Steven Sim Kok Leong
Keith Buck
Respected Contributor

Re: SSH on 11i

HP has released a supported version of openssh that has been tested by HP and works correctly with a trusted environment (including asking the user to change their password). This is for HP-UX 11.0 and 11i. You can get it from software depot at:

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA

It's based off of openssh 3.1p1, and requires no compile flags, because HP packaged it for you :)
Bryan Payne
Occasional Advisor

Re: SSH on 11i

Has HP a supported openssh based on 3.4 version... since the current supported version has been deemed insecure? I am attempting to compile from source, but I keep getting the following:
configure:8221: error: *** Can't find recent OpenSSL libcrypto (see config.log for details) ***

The log file doesn't help me much as I'm not a programmer, or an old hand at compiling source.

I do have current versions of openssl on the system and have provided the path in the compile options.

I checked a few sites, and a few mentioned that openssl needed to be static, and not dynamically linked... another mentioned that it had to do with 32/64 bit.

I checked the hpux archive at http://hpux.cs.utah.edu, and no one has an sw package for a newer version either. Anyone having the same problem, or have any ideas?

I've attached the log file if anyone can lead me in the right direction.
Keith Buck
Respected Contributor

Re: SSH on 11i

See security bulletin 195.