Re: openssh problem logging in with locked account

 
Ken Penland_1
Trusted Contributor

openssh problem logging in with locked account

Hey all, I have just installed OpenSSH_3.6.1p2 using the depot provided from HP. I have set up public keys and can log in as myself just fine without having to type in a password. We have an admin account that goes from system to system gathering data and what not, but since this is not a user account, it has a password set to *, so according to the system, it is locked. Now, when we were using another version of ssh, as long as the keys were set up correctly, it still worked. With openssh, it's a no-go unless I give adm a password, then it works fine. Is there a config change or something I can do so that the account can still be locked and yet it can still get in to do what it needs to do?

Thanks,

Ken
Donny Jekels
Respected Contributor

Re: openssh problem logging in with locked account

Ken,


in the sshd_config file you must enable

UseLogin Yes

I had the same problem with our trusted systems, and this fixed it.

peace
Donny
"Vision, is the art of seeing the invisible"
Donny Jekels
Respected Contributor

Re: openssh problem logging in with locked account

almost forgot. you must compile your OpenSSH with PAM enabled to work with trusted systems

./configure --with-pam
"Vision, is the art of seeing the invisible"
Ken Penland_1
Trusted Contributor

Re: openssh problem logging in with locked account

I didn't compile it, I just swinstalled the depot provided by HP:
T1471AA_A.03.61.002_HP-UX_B.11.00_32+64.depot

I switched UseLogin to yes, and couldn't restart the daemon... got the error message:

PRNG seed extration failed
ssh-rand-helper child produced insufficient data
Zeev Schultz
Honored Contributor

Re: openssh problem logging in with locked account

1) Strange, but it should work for root as for any user while PermitRootLogin is set to yes (default).
2) (as far as I remember) ssh uses 4 possible user authentication methods: public key (PubKey, enabled by default), PasswordAuth (also enabled by default),
RhostsAuth (ssh1), PamAuth (which can also go to password files). ssh uses PAM for password authentication.

Basically, to set up public key authentication without passphrases you need to
a) add the ssh server you're connecting to to ./authorized_hosts by simply doing 'ssh server'
b) set up public keys with ssh-keygen and distribute them.

Please see attached (got it from ITRC btw).
So computers don't think yet. At least not chess computers. - Seymour Cray
Ken Penland_1
Trusted Contributor

Re: openssh problem logging in with locked account

I got public keys to work, normal user accounts can log in without a password no problem, but if you lock the account down, by changing the encrypted password to "*" it no longer works. The old software package we used, F-secure SSH, I was still able to use the account to get into the system, but with OpenSSH, it looks like this is not the case.

basically, if I change the encrypted password to anything but *, it works... I just threw in some random characters, and was able to connect:

ssh mysystem "ll /etc/passwd"
Authentication successful.
-r--r--r-- 1 root sys 1392 Jan 14 09:37 /etc/passwd

but when I change it back to a *, I get this:
ssh mysystem "ll /etc/passwd"
Authentication successful.
Disconnected; connection lost (Connection closed.).
Zeev Schultz
Honored Contributor

Re: openssh problem logging in with locked account

(in addition)

Ok, if you want this admin to live on his own -
don't set up publickey for this particular user but leave PasswordAuthentication enabled; this way the 2 hosts will exchange host keys, create an ssh tunnel and the admin user will run inside. '*' in /etc/password means the user can't do login, and I assume this 'admin' user lived in .rhosts
files? Then you may try Rhosts(RSA) Auth enabled (ssh1 only) and not use PasswordAuthentication...?
So computers don't think yet. At least not chess computers. - Seymour Cray
Zeev Schultz
Honored Contributor

Re: openssh problem logging in with locked account

(in addition again :)
run sshd on the server side with the -ddd option. Then connect (while * is in /etc/passwd) and collect the screen output (to see where and why sh fails). Maybe it fails on public key due to user directory permissions and then goes to /etc/password...

So computers don't think yet. At least not chess computers. - Seymour Cray
Ken Penland_1
Trusted Contributor

Re: openssh problem logging in with locked account

no no no..... with F-secure, when it could resolve via public keys, it never even checked password authentication.. that's why the adm user was able to get on the remote system without needing a password and while it was a locked account. With the lack of quick config change answers that I was hoping for, it is starting to look like OpenSSH does not have that ability: even though it can successfully connect using public-key authentication, it still checks to make sure there are no problems with the account. This shouldn't be a show stopper for us using the product; we will just need to change all our "su only" accounts that need to ssh and set them with a password that no one knows.
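The behaviour Ken describes means every "su only" account with a `*` in its password field becomes a candidate for that change. The following is an added example, not code from any of the posts: it reads passwd-format text and lists the accounts locked that way which still have a usable login shell, so an admin can inventory them before rolling out OpenSSH. The sample entries and hash strings are constructed for the example, not taken from a real system.

```python
"""Find accounts locked via the passwd(4) password field.

Added example for this thread, not code from any of the posts. Ken's "adm"
account is locked by setting its encrypted-password field to "*", and the
OpenSSH build in the thread drops the session even after public-key
authentication succeeds. This script lists accounts in that state so the
affected "su only" service accounts can be found up front. The sample entries
below are constructed, not taken from a real system.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample in passwd(4) format: name:password:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:k9Q.constructedhash:0:3::/:/sbin/sh
adm:*:4:4:data collector, su only:/var/adm:/usr/bin/sh
ken:aB3.constructedhash:1001:20:Ken:/home/ken:/usr/bin/ksh
nobody:*:-2:-2::/:/bin/false
guest::2000:20:no password set:/home/guest:/usr/bin/sh
svc:x:2001:20:hash kept in shadow:/home/svc:/usr/bin/sh
"""

# Shells that never give an interactive or command session.
NON_LOGIN_SHELLS = {"/bin/false", "/usr/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


@dataclass
class Account:
    name: str
    password_field: str
    shell: str
    state: str  # one of: locked, empty, shadowed, hashed


def classify_password_field(field: str) -> str:
    """Map the second passwd(4) field to an account state.

    "*" (as in the thread) is not a valid crypt(3) output, so no password can
    match it and the account is locked for password login; "!"-prefixed values
    are the equivalent convention written by passwd -l on Linux.
    """
    if field == "":
        return "empty"      # no password at all
    if field == "x":
        return "shadowed"   # real hash lives in the shadow/tcb database
    if field.startswith("*") or field.startswith("!"):
        return "locked"
    return "hashed"


def parse_passwd(lines: Iterable[str]) -> List[Account]:
    """Parse passwd-format lines; skip blanks and comments, reject malformed rows."""
    accounts: List[Account] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, pw, shell = fields[0], fields[1], fields[6]
        accounts.append(Account(name, pw, shell, classify_password_field(pw)))
    return accounts


def locked_accounts(passwd_text: str) -> List[str]:
    """Every account whose password field marks it locked."""
    return [a.name for a in parse_passwd(passwd_text.splitlines()) if a.state == "locked"]


def locked_with_login_shell(passwd_text: str) -> List[str]:
    """Locked accounts that still have a usable shell: the 'su only' accounts
    that worked with key-only ssh before and now get disconnected."""
    return [a.name for a in parse_passwd(passwd_text.splitlines())
            if a.state == "locked" and a.shell not in NON_LOGIN_SHELLS]


def empty_password_accounts(passwd_text: str) -> List[str]:
    """Accounts with no password at all, worth flagging in any audit."""
    return [a.name for a in parse_passwd(passwd_text.splitlines()) if a.state == "empty"]


if __name__ == "__main__":
    for name in locked_with_login_shell(SAMPLE_PASSWD):
        print(f"{name}: locked with '*' but has a login shell; key-only ssh gets disconnected")
    for name in empty_password_accounts(SAMPLE_PASSWD):
        print(f"{name}: empty password field")
```

Run it against a copy of the real /etc/passwd by passing the file contents to `locked_with_login_shell()`; on an HP-UX trusted system the password field is `*` for everyone and the hashes live in the tcb database, so the `shadowed`/`locked` distinction needs the tcb data to be meaningful there.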
Ken Penland_1
Trusted Contributor

Re: openssh problem logging in with locked account

attached is the debug info... looks like it tries PAM first, fails, then publickey, succeeds, then PAM again?
Zeev Schultz
Honored Contributor

Re: openssh problem logging in with locked account

See the point. Maybe then it's worth trying to
disable (sshd_config/ssh_config) all 'suspected' authentication types (PAM, Password)
as this may trigger the /etc/password check? I think the debugging (-ddd) output may show these and other activities.
So computers don't think yet. At least not chess computers. - Seymour Cray
Zeev Schultz
Honored Contributor

Re: openssh problem logging in with locked account

BTW, that's what I found in the F-secure manual:

As of version 3.2.0, password expiration handling is supported. This feature forces the user to change an
expired password when logging into the system...

Don't know how to disable this feature :) Also
try to put in F-secure: Settings > Profile > Connection > Authentication >
Public Key before password in both windows.

So computers don't think yet. At least not chess computers. - Seymour Cray