
OpenSSH and TCB

 
Karen Shen_1
Occasional Advisor

OpenSSH and TCB

On hpux 11.00 server with TCB enabled and openssh 2.5.1p1 installed, users will be forced to change password as set up when they login using telnet. But this is skipped/by-passed when they use SSH.

Any idea why and how to prevent it?

Thanks!

Karen
5 REPLIES
Andrew Cowan
Honored Contributor

Re: OpenSSH and TCB

Hi Karen,

Unfortunately, this is the same situation on all Unix platforms, as SSH is written to be as generic and portable as possible. In order to be generic, the authors could not easily tie SSH into each OS's password ageing system.

You also have the same situation if you use keys to log in, and there's nothing to stop you choosing a passphrase of nothing, and there is no history management or timeout.

The only solution I can offer is to only allow users to SSH to other unprivileged users, and then "su". You can then enforce the password ageing on those accounts, and you also have a record of who used them, and when.

Andrew
John Bolene
Honored Contributor

Re: OpenSSH and TCB

just hit submit once and wait

for some reason it comes back almost immediately but it is not done
It is always a good day when you are launching rockets! http://tripolioklahoma.org, Mostly Missiles http://mostlymissiles.com
D. Jackson_1
Honored Contributor

Re: OpenSSH and TCB

I think this has been added as a "feature" in the latest openssh release.

Good luck
Andrew Cowan
Honored Contributor

Re: OpenSSH and TCB

Hi John,

Thanks for sorting out my duplicate posts. Sometimes when I press submit I can wait for 20 minutes and then get a "page not found" error, and perhaps nothing is posted. Here at the bank we have an E3 connection so it should (and 90% of the time does) happen pretty much instantly; however, every now and again it seems to go pear-shaped.
Steven Sim Kok Leong
Honored Contributor

Re: OpenSSH and TCB

Hi,

Your version of openssh is extremely old. You should upgrade it to the latest, which fixes quite a number of security issues found since openssh 2.5.1p1.

As for your question, offhand, I believe you can work around this limitation by writing scripts to interface your system login scripts with the /tcb files. With a combination of trap signals used in your script, you should be able to enforce password changes.

Hope this helps. Regards.

Steven Sim Kok Leong
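An added illustration of the login-script approach Steven describes (example code, not from this thread or from HP): a /etc/profile fragment that reads a TCB protected-password entry, decides whether the password has aged out, and forces `passwd` with interrupts trapped so the user cannot escape it. Assumptions: the TCB field names `u_succhg#` (epoch seconds of the last successful change) and `u_exp#` (password lifetime in seconds), the `/tcb/files/auth/<letter>/<user>` path, and the sample entry, which is constructed.

```shell
#!/bin/sh
# Example only: force a password change at SSH login when the TCB entry
# says the password has expired. Field names, path and sample entry are
# assumptions, not taken from the thread.

# Print the numeric value of field $1 (e.g. u_succhg) from entry text $2.
tcb_field() {
    printf '%s\n' "$2" | tr ':' '\n' | sed -n "s/^$1#//p" | head -n 1
}

# Return 0 (true) if the password in entry $1 must be changed at time $2.
pw_expired() {
    chg=$(tcb_field u_succhg "$1")
    exp=$(tcb_field u_exp "$1")
    [ -z "$chg" ] && return 0        # never changed: force a change
    [ -z "$exp" ] && return 1        # no lifetime recorded: no ageing
    [ "$exp" -eq 0 ] && return 1     # zero lifetime: ageing disabled
    [ $(( $2 - $chg )) -ge "$exp" ]
}

# Run passwd until it succeeds; trap the usual escape signals meanwhile.
force_passwd_change() {
    trap '' INT QUIT TSTP HUP
    echo "Your password has expired; you must change it now."
    until passwd; do
        echo "Password change failed; try again."
    done
    trap - INT QUIT TSTP HUP
}

# Constructed sample entry: last change at epoch 1000000000, 90-day life.
SAMPLE_ENTRY='karen:u_name=karen:u_id#501:u_succhg#1000000000:u_exp#7776000:chkent:'

# In /etc/profile: entry from /tcb/files/auth/k/karen (assumed path),
# current time from the system clock. Returns 0 if a change was forced.
login_check() {
    if pw_expired "$1" "$2"; then
        force_passwd_change
        return 0
    fi
    return 1
}
```

Because /etc/profile runs for interactive SSH logins as well as telnet, the check applies on both paths; for non-interactive SSH sessions (scp, remote commands) the profile does not run, so account-level expiry in the TCB database is still the only hard stop.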