Operating System - HP-UX

Re: help connection openssh

 
Jairo Campana
Trusted Contributor

help connection openssh

Hello, I installed OpenSSH 3.7.1p2. When a user connects, I get "Access denied":
login as: test
password:
Access denied

The syslog:
May 4 17:04:25 whdux1 sshd[4784]: Failed password for illegal user test from 172.31.195.241 port 3723
May 4 17:14:17 whdux1 above message repeats 2 times
May 4 17:14:17 whdux1 sshd[4933]: User test not allowed because account is locked
May 4 17:14:17 whdux1 sshd[4933]: Failed none for illegal user test from 172.31.195.241 port 3771
May 4 17:14:22 whdux1 sshd[4933]: Failed password for illegal user test from 172.31.195.241 port 3771

After running the command /usr/lbin/modprpw -k test, I reset the password for test.

I ran /usr/local/sbin/sshd in debug mode:

whdux1 # /usr/local/sbin/sshd -d
debug1: sshd version OpenSSH_3.7.1p2
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 24 on 0.0.0.0.
Server listening on 0.0.0.0 port 24.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 172.31.195.241 port 3774
debug1: Client protocol version 1.5; client software version PuTTY
debug1: no match: PuTTY
debug1: Local version string SSH-1.99-OpenSSH_3.7.1p2
debug1: permanently_set_uid: 103/101
debug1: Sent 768 bit server key and 1024 bit host key.
debug1: Encryption type: 3des
debug1: Received session key; encryption turned on.
debug1: Installing crc compensation attack detector.
User test not allowed because account is locked
debug1: do_authentication: illegal user test
debug1: Attempting authentication for illegal user test.
Failed none for illegal user test from 172.31.195.241 port 3774
Failed password for illegal user test from 172.31.195.241 port 3774
Failed password for illegal user test from 172.31.195.241 port 3774
Failed password for illegal user test from 172.31.195.241 port 3774
Failed password for illegal user test from 172.31.195.241 port 3774

I tested with telnet, and it works. In telnet, when I execute pwd I get:
$ pwd
sh: : Cannot access parent directories.
$ grep test /etc/passwd
test:*:108:20::/home/test:/sbin/sh

$ grep sshd /etc/passwd
sshd:*:103:101:sshd privsep:/usr/local/var/empty:/bin/false

What could the problem be?

Thanks
legionx
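The syslog excerpt above mixes three different sshd messages for the same user: "illegal user", "account is locked" and "Failed password". On this OpenSSH version a locked account is reported as an illegal user as well, so a naive "failed password" count would misread a lock as a brute-force attempt. The following Python script is an added example, not code from the thread or from OpenSSH; it runs the classification an analyst would apply over constructed log lines modelled on the excerpt (the alice/bob lines and the hostname are invented), folding in the syslog "above message repeats N times" compression:

```python
import re
from collections import defaultdict

# Constructed sample modelled on the syslog excerpt in the thread; the alice
# and bob lines are invented to show the non-locked cases.
SAMPLE_SYSLOG = """\
May 4 17:04:25 whdux1 sshd[4784]: Failed password for illegal user test from 172.31.195.241 port 3723
May 4 17:14:17 whdux1 above message repeats 2 times
May 4 17:14:17 whdux1 sshd[4933]: User test not allowed because account is locked
May 4 17:14:17 whdux1 sshd[4933]: Failed none for illegal user test from 172.31.195.241 port 3771
May 4 17:14:22 whdux1 sshd[4933]: Failed password for illegal user test from 172.31.195.241 port 3771
May 4 17:20:01 whdux1 sshd[5010]: Failed password for alice from 172.31.195.10 port 4000
May 4 17:21:09 whdux1 sshd[5011]: Accepted password for bob from 172.31.195.11 port 4001
"""

LOCKED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: User (?P<user>\S+) not allowed because account is locked")
FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\S+) for (?P<illegal>illegal user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")
REPEATS_RE = re.compile(r"above message repeats (?P<n>\d+) times")


def new_record():
    return {"locked": False, "illegal": False, "failures": 0, "accepted": 0, "sources": set()}


def classify(log_text):
    """Aggregate sshd syslog lines per user name.

    'illegal' is set when sshd tagged the name as an illegal user; on OpenSSH 3.7
    that happens for locked accounts too, so 'locked' must be checked first.
    """
    users = defaultdict(new_record)
    last_failed_user = None  # for attributing "above message repeats N times"
    for line in log_text.splitlines():
        m = LOCKED_RE.search(line)
        if m:
            users[m["user"]]["locked"] = True
            continue
        m = FAILED_RE.search(line)
        if m:
            rec = users[m["user"]]
            rec["failures"] += 1
            rec["illegal"] = rec["illegal"] or bool(m["illegal"])
            rec["sources"].add(m["ip"])
            last_failed_user = m["user"]
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            users[m["user"]]["accepted"] += 1
            users[m["user"]]["sources"].add(m["ip"])
            last_failed_user = None
            continue
        m = REPEATS_RE.search(line)
        if m and last_failed_user is not None:
            users[last_failed_user]["failures"] += int(m["n"])
    return dict(users)


def diagnose(rec):
    """Map an aggregated record to the most likely cause of the failures."""
    if rec["locked"]:
        return "locked"          # fix the account (thread: modprpw -k / passwd), not the client
    if rec["illegal"]:
        return "unknown-user"    # name does not exist on this host
    if rec["failures"] and not rec["accepted"]:
        return "bad-password"
    return "ok"


if __name__ == "__main__":
    for user, rec in classify(SAMPLE_SYSLOG).items():
        print(f"{user:8} {diagnose(rec):13} failures={rec['failures']} "
              f"accepted={rec['accepted']} from={sorted(rec['sources'])}")
```

Run it as a filter over a real syslog (replace SAMPLE_SYSLOG with sys.stdin.read()) and the "locked" verdict tells you to look at the account's protected password database entry rather than at the source IP.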
Gary L. Paveza, Jr.
Trusted Contributor

Re: help connection openssh

The log indicates that the user account test is locked. Try the following:

passwd -d test

Then try your ssh connection again.
Jeff Schussele
Honored Contributor

Re: help connection openssh

Hi Jairo,

I agree with Gary - the acct is locked, not disabled, & passwd -d username will unlock it, BUT it will also allow it to have NO PW - so also run passwd -f username on the acct to force a PW change. You never want null PW accts on any system.

My 2 cents,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Jairo Campana
Trusted Contributor

Re: help connection openssh

My post says I unlocked it: after running the command /usr/lbin/modprpw -k test, I reset the password for test.

passwd -d test

Option -d: Allow user to login without a password by deleting it.

In trusted system mode it is not permitted:
whdux1 # passwd -d test
You are not allowed to have a null password.


legionx
G. Vrijhoeven
Honored Contributor

Re: help connection openssh

Hi Jario,

Might be a stupid comment, but:
Did you configure a trusted system, or did you just put a * in the passwd field for security reasons? If it is not a trusted system, the * disables an account on HP-UX, and that can explain the error you are getting.

HTH,

Gideon



generic_1
Respected Contributor

Re: help connection openssh

Run /usr/lbin/getprpw username and look over the output. Even though you did a modprpw -k, I have seen instances where, say, you created a test account but never set a password on a trusted system, and the account is still locked because of a no-null-password rule or because the account has expired past its time limit.
Jairo Campana
Trusted Contributor

Re: help connection openssh

G. Vrijhoeven, no, it is not stupid. I deleted the * in /etc/passwd:

test::108:20::/home/test:/sbin/sh

and it works after changing the password with
passwd test

It works; I can connect to the server using OpenSSH.
My question is: must I do this for all the users?
legionx
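The exchange above turns on what the password field in /etc/passwd means: an empty field is a null password (which Jeff warns against), and a "*" disables the account on a standard HP-UX system, whereas on a converted trusted system every /etc/passwd entry carries "*" and the real hash and lock flags live in the protected password database that getprpw reads. The Python audit below is an added example, not code from the thread; it parses a constructed /etc/passwd-style sample (the root hash, oper and legacy entries are invented) and reports what each field implies under both interpretations, so "do this for all users" can be answered by listing instead of by editing:

```python
# Constructed /etc/passwd-style sample modelled on the entries quoted in the
# thread (test and sshd); root, oper and legacy are invented for illustration.
SAMPLE_PASSWD = """\
root:Xy1a2b3c4d5e6:0:3::/:/sbin/sh
test:*:108:20::/home/test:/sbin/sh
sshd:*:103:101:sshd privsep:/usr/local/var/empty:/bin/false
oper::109:20::/home/oper:/sbin/sh
legacy:x:110:20::/home/legacy:/sbin/sh
"""

# Shells that never give an interactive session (assumed list, extend as needed).
NOLOGIN_SHELLS = {"/bin/false", "/usr/bin/false", "/sbin/false",
                  "/sbin/nologin", "/usr/sbin/nologin"}


def classify_field(pw_field, trusted):
    """Interpret the second /etc/passwd field.

    trusted=False: standard HP-UX, where '*' in /etc/passwd disables the login.
    trusted=True:  converted trusted system, where '*' is the normal placeholder
                   and the lock state can only be read with /usr/lbin/getprpw.
    'x' is the shadow-password marker and is never an answer on its own.
    """
    if pw_field == "":
        return "null-password"
    if pw_field == "x":
        return "shadowed"
    if pw_field == "*":
        return "shadowed" if trusted else "disabled"
    return "hashed"


def audit_passwd(text, trusted=False):
    """Return {user: {status, uid, shell, interactive}} for every well-formed entry."""
    report = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry: report nothing rather than guess
        user, pw_field, uid, gid, gecos, home, shell = fields
        report[user] = {
            "status": classify_field(pw_field, trusted),
            "uid": int(uid),
            "shell": shell,
            "interactive": shell not in NOLOGIN_SHELLS,
        }
    return report


def findings(report):
    """(user, reason) pairs that need action regardless of trusted mode."""
    out = []
    for user, rec in report.items():
        if rec["status"] == "null-password" and rec["interactive"]:
            out.append((user, "null password on an interactive account; set one and force a change (passwd -f)"))
        if rec["uid"] == 0 and user != "root":
            out.append((user, "additional uid 0 account"))
    return out


if __name__ == "__main__":
    for mode in (False, True):
        print(f"trusted={mode}")
        for user, rec in audit_passwd(SAMPLE_PASSWD, trusted=mode).items():
            print(f"  {user:8} {rec['status']:14} interactive={rec['interactive']}")
    for user, reason in findings(audit_passwd(SAMPLE_PASSWD)):
        print(f"FINDING {user}: {reason}")
```

Feed it the real file (open("/etc/passwd").read()) with trusted set to whatever the system actually is; on a trusted system the "shadowed" rows are the ones to follow up with getprpw, which is the check generic_1 recommends below rather than removing the "*".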
Denver Osborn
Honored Contributor

Re: help connection openssh

How are you adding the users to the system? Is it all scripted?

If by any chance you're adding them directly to /etc/passwd and then running pwconv, it will leave the prpwd entry with *, making the account locked out. Once a password is generated for the user (manually with passwd username), the account becomes enabled.

-denver
Jairo Campana
Trusted Contributor

Re: help connection openssh

The user was created with:

username -d /home/test -s /sbin/bash test

The problem is with UsePrivilegeSeparation of OpenSSH in sshd_config.

legionx
Jairo Campana
Trusted Contributor

Re: help connection openssh

Solved my problem: I installed Secure Shell for HP-UX.

Privilege separation, or privsep, is a method in OpenSSH by which
operations that require root privilege are performed by a separate
privileged monitor process. Its purpose is to prevent privilege
escalation by containing corruption to an unprivileged process.
More information is available at:
http://www.citi.umich.edu/u/provos/ssh/privsep.html

The problem is with privilege separation of OpenSSH:
http://www.chiark.greenend.org.uk/ucgi/~cjwatson/cvsweb/openssh/README.privsep?annotate=1.1.1.4

Privsep requires operating system support for file descriptor passing.
Compression will be disabled on systems without a working mmap MAP_ANON.
PAM-enabled OpenSSH is known to function with privsep on Linux.
It does not function on HP-UX with a trusted system.


legionx
Denver Osborn
Honored Contributor

Re: help connection openssh

Thanks! You also solved one of my problems by posting that info! I compiled OpenSSH from source using a patch that adds RSA SecurID support... long story short, I thought the logname cmd was broken, but it turns out that UsePrivilegeSeparation was on by default and it caused logname to fail. Turning it off in sshd_config solved my problem. Woo-hoo!

thanks Jairo, I owe you 10pts

-denver