HPE Community
Operating System - HP-UX
1849134 Members
6369 Online
104041 Solutions
New Discussion

an ordinary user failed to telnet but able to be "su"

 
SOLVED
Go to solution
Shan_2
Advisor

‎03-21-2004 02:40 PM

‎03-21-2004 02:40 PM

an ordinary user failed to telnet but able to be "su"

An unix account which could telnet to the host (hp-ux 11i) 4 days ago. However, this unix account was found unable to telnet to the host this morning. "lastb" showed this user failed login attempt. But, another unix account could "su" to this unix account with the same password for "telnet".

Which files/settings I should check ?

Thanks,
Shan
0 Kudos
Reply
12 REPLIES 12
Mobeen_1
Esteemed Contributor

‎03-21-2004 02:53 PM

‎03-21-2004 02:53 PM

Re: an ordinary user failed to telnet but able to be "su"

Shan,
Try the following files

/etc/passwd
/etc/hosts.allow
/etc/security
/etc/shells

Let me know if you need any additional information.

rgds
Mobeen
0 Kudos
Reply
Karthik S S
Honored Contributor

‎03-21-2004 02:57 PM

‎03-21-2004 02:57 PM

Re: an ordinary user failed to telnet but able to be "su"

I think the account is locked. Check if the /etc/passwd has a "*" in the password field for the user. If yes remove the "*" and reset the password

-Karthik S S
For a list of all the ways technology has failed to improve the quality of life, please press three. - Alice Kahn
0 Kudos
Reply
Shan_2
Advisor

‎03-21-2004 03:15 PM

‎03-21-2004 03:15 PM

Re: an ordinary user failed to telnet but able to be "su"

Thanks Mobeen and Karthik.

The /etc/passwd is normal and no "*" in password field, i.e., this user is not locked. And, this user is not expired as I have re-assigned the password to this account.

This account's shell also defined in /etc/shells.

And, we haven't defined /etc/hosts.allow & /etc/security.

Besides, I have just tried to use "ftp" to login this user, it is OK.

This unix account belongs to two groups. Could it be related to multiple groups ?

Thanks again to all!
Shan
0 Kudos
Reply
Patrick Wallek
Honored Contributor

‎03-21-2004 03:31 PM

‎03-21-2004 03:31 PM

Re: an ordinary user failed to telnet but able to be "su"

What error do you get when the user attempts to log in via telnet?
0 Kudos
Reply
Mobeen_1
Esteemed Contributor

‎03-21-2004 03:39 PM

‎03-21-2004 03:39 PM

Re: an ordinary user failed to telnet but able to be "su"

Shan,
In that case as our friend Patrick has requested, posting the exact message that you see when one tries to telnet will help.

Since you mentioned about 2 groups, can you confirm whether you are having problems with only users from one group telnetting into this box or is it that all the users are unable to telnet into this box.

rgds
Mobeen
0 Kudos
Reply
Shan_2
Advisor

‎03-21-2004 05:02 PM

‎03-21-2004 05:02 PM

Re: an ordinary user failed to telnet but able to be "su"

Thanks again Patrick & Mobeen.

The error was just "Login incorrect".


This unix account belongs to two groups. Other unix accounts of these two groups are able to telnet to this host. It seems that only this particular unix account unable to login via telnet. This account cannot login from console too (same "Login incorrect")!

0 Kudos
Reply
Shan_2
Advisor

‎03-21-2004 05:53 PM

‎03-21-2004 05:53 PM

Re: an ordinary user failed to telnet but able to be "su"

Dear all,

The problem identified. It was due to the special "password" character of this unix account.

This unix account enabled password aging. There is also a special character @ in the password.

BTW, this problem seems to be occurred just today (March 22).

Thanks all!
Shan
0 Kudos
Reply
Trond Haugen
Honored Contributor

‎03-21-2004 05:54 PM

‎03-21-2004 05:54 PM

Re: an ordinary user failed to telnet but able to be "su"

So this user has problems from the network (telnet) and on the console. This rules out networking security problems.
Further the user gets to enter login name and password and then gets "Login incorrect". But su to that user works. Belongine to more than one group is no problem.
Is that 'su user' or su - user'?
Have you tried changing the password of that user?
Does remsh work for that user?

Regards,
Trond
Regards,
Trond Haugen
LinkedIn
0 Kudos
Reply
Zeev Schultz
Honored Contributor

‎03-21-2004 06:12 PM

‎03-21-2004 06:12 PM

Re: an ordinary user failed to telnet but able to be "su"

Couldn't it be "not a usual telnet" but
a link to something like "ssh"? (check with
'grep telnet /etc/inetd.conf" and ll /usr/lbin/telnetd).

Could it also be a specific host that telnet from there is locked? (check /var/adm/inetd.sec).Have you tried telnet'ing from somewhere else with that user.

I would also check with running "tusc -vfp " on telnetd pid if nothing else clears the issue.Like, you launch the telnetd manually (not waitin for inetd to start) and run tusc (get it from hpux.cs.utah.edu).

rgds

Zeev
So computers don't think yet. At least not chess computers. - Seymour Cray
0 Kudos
Reply
Shan_2
Advisor

‎03-21-2004 06:23 PM

‎03-21-2004 06:23 PM

Re: an ordinary user failed to telnet but able to be "su"

Thanks Trond & Zeev.

The /var/adm/inetd.sec did not deny such telnet. This account failed to login from several PCs.

The problem was due to the password of that unix account.

After changed the password to something without the special character (the at-sign @), the user is now able to telnet the host.

Thanks for all helping me!
Shan
0 Kudos
Reply
Ian Box
Advisor

‎03-21-2004 09:59 PM

‎03-21-2004 09:59 PM

Solution

Re: an ordinary user failed to telnet but able to be "su"

That's because '@' is the delete line character during login, just as '#' deletes the last character typed. This doesn't affect su because that runs under the shell and uses the erase and kill characters set by 'stty'.
Reply
Bill Hassell
Honored Contributor

‎03-22-2004 12:53 AM

‎03-22-2004 12:53 AM

Re: an ordinary user failed to telnet but able to be "su"

This is a very common problem. The default settings prior to login for serial and telnet connections is ERASE=# and KILL=@. These settings are based on the values used more than 3 decades ago when terminals were real tty's (Teletype hardcopy machines). While it is not recommended to include special characters (compatibility issues between opsystems), you can set new defaults for all tty connections using:

/sbin/stty erase "^H" kill "^U" intr "^C" eof "^D" -parity ixoff < /dev/ttyconf

This works on reasonably patched versions of 11.xx and higher and will make the backspace character work normally during login. The console will not see this change until the next reboot.


Bill Hassell, sysadmin
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.