
Re: abnormal behaviour of ssh

 
yc_2
Regular Advisor

abnormal behaviour of ssh

Hi,

I installed ssh on one of my N-class servers running HP-UX 11.00 with the following in the sshd_config file:
:
#PermitRootLogin yes
PermitRootLogin no
:

Correct me if I'm wrong that root cannot log in directly? But the fact is the reverse.

How can I overcome this problem?

PS: Other servers with the following UX versions have no problem:
(1) K380 (11.00)
(2) 2nd N-class (11.11)
Jdamian
Respected Contributor

Re: abnormal behaviour of ssh

Did you restart the sshd daemon?
yc_2
Regular Advisor

Re: abnormal behaviour of ssh

Yes, I restarted it.
yc_2
Regular Advisor

Re: abnormal behaviour of ssh

I intend to reinstall the ssh software.

With the command /sbin/init.d/secsh stop, the daemon did not stop, though the command prompt returned that sshd was stopped.

I used kill -9 on the sshd process and started it again to see whether I could use the /sbin/init.d/secsh stop method to stop the daemon.

Before I ran the stop command after the daemon started, I tried the ssh client to connect using the root account. This time it failed.

Very weird, is there a bug? I downloaded it from www.software.hp.com, A.03.91.002 HP-UX Secure Shell.

Bill Hassell
Honored Contributor

Re: abnormal behaviour of ssh

Do you have another copy of ssh from another source? Check on how many ssh processes are running: ps -ef | grep ssh. Check your syslog for ssh errors: grep -i ssh /var/adm/syslog/syslog.log - You may see some open port problems if there is another sshd (sshd2 maybe).

Look also in /sbin/init.d for *ssh* file (should be only one) and also in /sbin/rc:

find /sbin -type f | grep -e ssh -e secsh

There should not be any ssh files in /sbin, only secsh.

Make sure that /var/run/sshd.pid has a valid PID for the sshd process, then try killing it by hand. If that works, use the secsh script to start it again (/sbin/init.d/secsh start). Then trace the script:

sh -x /sbin/init.d/secsh stop


Bill Hassell, sysadmin
Bob_Vance
Esteemed Contributor

Re: abnormal behaviour of ssh

Yes

PermitRootLogin no

prevents root from logging in.
I think I read that you were finally able to verify that.

The stop scripts aren't always perfect. They are intended to be able to stop the daemon in a fairly well-known and well-behaved state.
I've seen many "bugs" in the start/stop scripts over the years, but it's always easy to catch a problem when it actually happens rather than in the development stage;>) Processes can hang up and be unkillable, pid files (if used by the particular start/stop subsystem) can be missing or have wrong values in them -- in short, various and sundry things can go wrong.

In general, a simple /init.d/xxx start followed by a /init.d/xxx stop will almost always work.

In this case, the /init.d/secsh is doing a very meager job of really trying to kill sshd:

kill `cat $WHAT_PID`

.
So, if the PID file didn't exist, or had wrong value, it wouldn't work.
In the past these scripts usually tried to do a 'ps' to determine if the relevant daemon was running and then kill it.

Also, if the 'kill' didn't work, the stop also wouldn't be complete. IMHO, it probably should try a 'kill -9' if the plain 'kill' didn't work.


hth
bv
"The lyf so short, the craft so long to lerne." - Chaucer
Wai Kiong Choy
Advisor

Re: abnormal behaviour of ssh

I don't think the Secure Shell package from HP is treating the PermitRootLogin keyword as expected. I am running SecureShell 3.9p1 downloaded from the HP software site and I can still log in as root even with PermitRootLogin set to "no". Nothing I do can disable direct root login.

I finally compiled OpenSSH on HP-UX 11.00 and it is working as expected.
Wai Kiong Choy
Advisor

Re: abnormal behaviour of ssh

Corrections to my earlier posting.

I want to only allow RSA key authentication for direct root login. The documented way to do this is to set the following 3 keywords:

PermitRootLogin without-password
RSAAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

By doing the above, sshd should only allow root login using RSA key authentication. You cannot log in as root using password authentication. I failed to get this working on the HP Secure Shell.

I then compiled OpenSSH and it works as expected.