05-17-2009 06:08 AM
sshd+pam kerberos+winbind
I have 2 servers.
1. HPUX 11.31
2. HPUX 11.23
On 1. everything works perfectly
On 2. kinit, wbinfo, id work correctly
And I CAN log in with an AD user through login, but CAN NOT log in through ssh
In log:
"May 17 19:42:57 dbbzks1 sshd[5579]: Invalid user evkogan from 10.24.1.37
May 17 19:42:57 dbbzks1 sshd[5579]: Failed none for invalid user evkogan from 10.24.1.37 port 3608 ssh2
May 17 19:43:01 dbbzks1 sshd[5579]: [Authentication failed] Password not valid
"
In pam.conf
"# Authentication management
#
login auth required libpam_hpsec.so.1
login auth sufficient libpam_krb5.so.1
login auth required libpam_unix.so.1 try_first_pass
sshd auth required libpam_hpsec.so.1
sshd auth sufficient libpam_krb5.so.1
sshd auth required libpam_unix.so.1 try_first_pass
# Account management
#
login account required libpam_hpsec.so.1
login account required libpam_authz.so.1
login account sufficient libpam_krb5.so.1
login account required libpam_unix.so.1
sshd account required libpam_hpsec.so.1
sshd account required libpam_authz.so.1
sshd account sufficient libpam_krb5.so.1
sshd account required libpam_unix.so.1
# Session management
#
login session required libpam_hpsec.so.1
login session sufficient libpam_krb5.so.1
login session required libpam_unix.so.1
sshd session required libpam_hpsec.so.1
sshd session required libpam_mkdir.1 skel=/etc/skel/ umask=0077
sshd session sufficient libpam_krb5.so.1
sshd session required libpam_unix.so.1
# Password management
#
login password required libpam_hpsec.so.1
login password sufficient libpam_krb5.so.1
login password required libpam_unix.so.1
sshd password required libpam_hpsec.so.1
sshd password sufficient libpam_krb5.so.1
sshd password required libpam_unix.so.1
"
I do not have user evkogan in passwd
Any ideas?
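An added example (not part of the original post): a small Python parser for the "service module_type control_flag module_path options" entries shown above, which compares the login and sshd stacks to see whether pam.conf itself treats the two services differently. The sample holds only the auth and session entries from the post, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample: the auth and session entries from the pam.conf in the post above.
PAM_CONF = """\
# Authentication management
login auth required libpam_hpsec.so.1
login auth sufficient libpam_krb5.so.1
login auth required libpam_unix.so.1 try_first_pass
sshd auth required libpam_hpsec.so.1
sshd auth sufficient libpam_krb5.so.1
sshd auth required libpam_unix.so.1 try_first_pass
# Session management
login session required libpam_hpsec.so.1
login session sufficient libpam_krb5.so.1
login session required libpam_unix.so.1
sshd session required libpam_hpsec.so.1
sshd session required libpam_mkdir.1 skel=/etc/skel/ umask=0077
sshd session sufficient libpam_krb5.so.1
sshd session required libpam_unix.so.1
"""

def parse_pam_conf(text):
    """Return {service: {module_type: [(control, module, options), ...]}} in file order."""
    stacks = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf entry: {raw!r}")
        service, mtype, control, module, *opts = fields
        stacks[service][mtype].append((control, module, tuple(opts)))
    return stacks

def diff_services(stacks, a, b):
    """Per module type, list the entries present in only one of the two services' stacks."""
    out = {}
    for mtype in sorted(set(stacks[a]) | set(stacks[b])):
        sa, sb = stacks[a].get(mtype, []), stacks[b].get(mtype, [])
        if sa != sb:  # order matters in a PAM stack, so compare the lists as-is
            out[mtype] = {a: [e for e in sa if e not in sb],
                          b: [e for e in sb if e not in sa]}
    return out

if __name__ == "__main__":
    for mtype, delta in diff_services(parse_pam_conf(PAM_CONF), "login", "sshd").items():
        print(mtype, delta)
```

On the sample, the auth stacks for login and sshd come out identical; the only difference reported is the extra libpam_mkdir.1 session entry for sshd.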
05-17-2009 06:24 AM
Re: sshd+pam kerberos+winbind
SSH/Secure shell as compiled by HP can not login without a password integrated as part of an ADS domain.
A special compile of openssh would be required to do that job. I got that information a year ago from an expert on sign on integration we asked to consult on this issue.
So no amount of pam configuration is going to create ssh authentication via the ADS domain controller.
So for ssh to work, you need the user evkogan in a passwd file somewhere in the domain.
You can put it into the ADS server with the Windows Unix tool kit and then be prompted for a password at login. There are special integration steps needed to be done on the Windows ADS server for this to work and it's unclear if this has been done.
Also should be noted that the Windows ADS controller must be Windows Server 2003 release two, not the initial release of Windows Server 2003. Windows Server 2000 probably will work but is pretty much out of date.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
05-18-2009 08:22 AM
Re: sshd+pam kerberos+winbind
http://www.docs.hp.com/en/15650/CIFSUnifiedLogin.pdf
On Page 45 I show an SSH config for HP-UX that uses AD as the user store. My config works fine, but UL specifically does not run winbind and I do not config authz in pam.conf.
You can check it out and see if it is applicable to your config.
Eric
05-18-2009 07:05 PM
Re: sshd+pam kerberos+winbind
I tried the new version A.05.10.047 and now can't start sshd, with the error in
http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1331600
Where can I download the previous working version?
Is this bug only on 11.31?
Can I install A.05.10.046 on 11.23?
05-18-2009 09:19 PM
Re: sshd+pam kerberos+winbind
I used your whitepaper in my work.
Thanks, it really helped me.
But I used winbind in nsswitch.conf
And there is no need to create a user in AD for ldapux
It worked correctly on 11.31
On 11.23 for SSH, as Steven E. Protter wrote, it is necessary to create a local equal account (maybe with another password).
SSH version
11.23 A.04.50.010
11.31 A.04.50.011
I hoped that a new version would solve the problem, but ran into a new problem with A.05.10.047 on my test HPUX 11.31
What version of SSH did you use?
05-20-2009 08:17 AM
Re: sshd+pam kerberos+winbind
/usr/sbin/sshd:
$HP-UX Secure Shell: sshd.c,vA.05.10.007 ,TCP Wrappers: v7.6-ipv6.4, Zlib: v1.2.3 2008/08/21 $
$HP-UX Secure Shell: sftp-server.c,vA.05.10.007 ,TCP Wrappers: v7.6-ipv6.4, Zlib: v1.2.3 2008/08/21 $
$OpenSSL A.00.09.07m.003 $
On page 45 I show the version as A.05.10.007. All of my examples in the paper are on 11.23. My config does not require duplicate users in /etc/passwd, but I am not using winbind.
Are you using your own Samba compiled with pam_winbind? CIFS Server is not compiled with pam_winbind, so if you are trying to use it for HP-UX logins it will not work.
Eric
05-20-2009 10:09 PM
Re: sshd+pam kerberos+winbind
I use winbind in nsswitch.conf and libpam_krb5 in pam.conf
Now I installed openssh.5.2p1 from http://hpux.connect.org.uk/hppd/hpux/Networking/Admin/openssh-5.2p1/
It worked, but it doesn't support Kerberos in sshd.
It isn't critical, PAM through Kerberos worked.
Can you publish the depot A.05.10.007 for 11.23 and 11.31 and give me a link?
The last version supported by HP has a bug: http://forums13.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1242803512372+28353475&threadId=1331600
05-22-2009 01:58 PM
Re: sshd+pam kerberos+winbind
These versions are newer than the one that I used.
Eric
05-24-2009 07:21 PM
Re: sshd+pam kerberos+winbind
On HPUX 11.23 I can't test.
06-14-2009 03:11 AM
Re: sshd+pam kerberos+winbind
HPUX 11.23 IA works correctly with the old version of sshd
HPUX 11.23 PA needs a local account with sshd 11.23 A.04.50.010
I installed openssh to resolve this problem