
ssh login works okay, but not telnet. Any ideas?

 
Bret Goodfellow_1
Occasional Advisor


I have successfully set up SSH to force logins using Kerberos, and authenticate to our AD server. My problem is that I cannot use TELNET to connect to the same server. Below is what happens:

WARNING! AUTHORIZED USE PROHIBITED!

Login: con1
Password: *******
System Password: *******
Login: con1
Password: *******
System Password: *******
Login: con1
Password: *******
System Password: *******

Connection to host lost.

C:\users\con1

The /var/adm/syslog/syslog.log has the following entries:

serverX inetd[17176] telnet/tcp: Connection from serverX (10.x.x.x) at Wed May 18 13:26.24 2011
serverX login: [Key table entry not found] Unable to verify host ticket
serverX login: [Key table entry not found] can't verify v5 ticket: ; keytab found, assuming failure
serverX login: while verifying tgt [Unknown code _____255]
serverX login: [Authentication failed] Password not valid

Any thoughts, ideas????
12 REPLIES
Bret Goodfellow_1
Occasional Advisor

Re: ssh login works okay, but not telnet. Any ideas?

Let me clarify some of the above.

1) My host system is an HP-UX 11.31 system
2) Clients can run SSH to the HP-UX system using AD authentication (Kerberos)
3) Clients cannot run telnet successfully to the same HP-UX system. Authentication fails.
vz7r1x
Regular Advisor

Re: ssh login works okay, but not telnet. Any ideas?

Hi!
Check /etc/inetd.conf & /etc/services files.

services file has port numbers assigned to the services / processes.

inetd.conf has port number assigned to the service.

Service or port# may be blocked in one of those files. You can uncomment it and run "inetd -c" to refresh it.

Thanks
Bret Goodfellow_1
Occasional Advisor

Re: ssh login works okay, but not telnet. Any ideas?

I checked both of those files, and the telnet statements were already in place. I'm showing the statements below:

/etc/inetd.conf

telnet stream tcp6 nowait root /usr/lbin/telnetd telnetd -b /etc/issue

/etc/services

telnet 23/tcp # Virtual Terminal Protocol

The Telnet session is starting (not being rejected). The problem is during authentication. The password is not accepted. See description at beginning of this thread.

Thanks.
Bret Goodfellow_1
Occasional Advisor

Re: ssh login works okay, but not telnet. Any ideas?

One other thing I should clarify is: root can log in and authenticate without error using TELNET. No problems logging in with root. All other userids fail.
Mel Burslan
Honored Contributor

Re: ssh login works okay, but not telnet. Any ideas?

Not an expert on this, but I bet your ssh login via AD authentication has something to do with PAM, and the same mechanism lacks telnet authentication. I don't know the mechanics of how to set this up, but authentication via anything other than the local passwd/shadow file requires using PAM (plugged authentication module) at some capacity. Of course, root is above all security measures on a normal UNIX system, so it does not get stuck because of this.

On a side note, instead of being worried, be happy that you have the added benefit of preventing external users from using an unsecure protocol like telnet. This is my opinion, but I am sure it is shared by many here.
________________________________
UNIX because I majored in cryptology...
Bret Goodfellow_1
Occasional Advisor

Re: ssh login works okay, but not telnet. Any ideas?

Yes, I am sure this is a PAM issue. I've spent quite a bit of time getting SSH to authenticate using Kerberos. Configuration of PAM is definitely required. For reasons I won't go into, my customer requires telnet. So, I'm sure there is a PAM issue with telnet, but not sure what?

Mel Burslan
Honored Contributor

Re: ssh login works okay, but not telnet. Any ideas?

Again, not a PAM expert or anything close to it, but are you sure that in your /etc/pam.conf file, the lines starting with login (which telnet uses to authenticate) are NOT commented out?
________________________________
UNIX because I majored in cryptology...
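
Added example, not part of the thread or of any HP documentation: one way to run the check suggested above, by comparing the active (uncommented) `auth` entries for `login` and `sshd` in a pam.conf-format file. The sample file, its module names (`libpam_krb5.so.1`, `libpam_unix.so.1`) and the helper function names are constructed for illustration and are not the poster's configuration.

```shell
#!/bin/sh
# Constructed sample in pam.conf format:
#   service  module_type  control_flag  module_path  [options]
# Module names are assumptions for illustration, not taken from the thread.
write_sample() {
    cat > "$1" <<'EOF'
sshd   auth sufficient libpam_krb5.so.1
sshd   auth required   libpam_unix.so.1 try_first_pass
#login auth sufficient libpam_krb5.so.1
login  auth required   libpam_unix.so.1
OTHER  auth required   libpam_unix.so.1
EOF
}

# Print "control_flag module_path" for each active auth line of a service.
# A service with no auth lines of its own falls back to the OTHER entries.
auth_stack() {  # usage: auth_stack FILE SERVICE
    awk -v svc="$2" '
        /^[ \t]*#/ || NF < 4 || $2 != "auth" { next }   # comments, short lines
        $1 == svc              { own = own $3 " " $4 "\n" }
        toupper($1) == "OTHER" { other = other $3 " " $4 "\n" }
        END { printf "%s", (own != "" ? own : other) }
    ' "$1"
}

# Succeed if the service's active auth stack names a Kerberos module.
has_krb5() {  # usage: has_krb5 FILE SERVICE
    auth_stack "$1" "$2" | grep -q 'krb5'
}

# Print auth modules that SERVICE_A uses and SERVICE_B does not.
missing_in() {  # usage: missing_in FILE SERVICE_A SERVICE_B
    auth_stack "$1" "$2" | awk '{ print $2 }' | while read -r mod; do
        auth_stack "$1" "$3" | awk '{ print $2 }' | grep -Fqx "$mod" || echo "$mod"
    done
}

conf=${TMPDIR:-/tmp}/pam.conf.sample.$$
write_sample "$conf"
echo "auth modules sshd has and login lacks: $(missing_in "$conf" sshd login)"
rm -f "$conf"
```

Pointing `missing_in` at a copy of the real /etc/pam.conf shows at a glance whether the `login` stack, which telnetd uses, carries the same modules as the `sshd` stack.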
Bret Goodfellow_1
Occasional Advisor

Re: ssh login works okay, but not telnet. Any ideas?

Yes, they are uncommented.
Mel Burslan
Honored Contributor

Re: ssh login works okay, but not telnet. Any ideas?

Okay, I think I found the document I had seen quite a while ago:

http://docstore.mik.ua/manuals/hp-ux/en/5992-3387/ch02s03.html

About 3/4 of the way down on this page, look for a title in BOLD letters, saying

"Examples: How PAM Works for Login"

It gives the importance of ordering the different login methods, with ifs and whys in the examples. Since you sound like you have a very decent UNIX admin background, I am sure, with the help of this document, you can figure it out or find out what you are missing (maybe a shared object?? *.so or link to it??)

Good luck.
________________________________
UNIX because I majored in cryptology...
Manuel Urena
Advisor

Re: ssh login works okay, but not telnet. Any ideas?

Hi Bret,

I don't know if this has to do with this issue. Just in case. But I remember once that sometimes some special characters used in passwords with telnet can be a problem.

Check this link:

http://h30499.www3.hp.com/t5/Security/passwd-bugs-with-special-characters/m-p/5243441#M18584


Manuel

Bret Goodfellow_1
Occasional Advisor

Re: ssh login works okay, but not telnet. Any ideas?

I have resolved the problem.
Bob_Vance
Esteemed Contributor

Re: ssh login works okay, but not telnet. Any ideas?

Are you going to tell us how ???


bv
"The lyf so short, the craft so long to lerne." - Chaucer