
Re: OpenSSH problems on HP-UX

 
Reggie Espinola
New Member

OpenSSH problems on HP-UX

We're currently running OpenSSH 3.1p1 on HP-UX 11.00. It was compiled with gcc and configured with pam, gssapi, krb5, and libwrap. Everything works fine including the kerberos v5 support. However, the password expiration code or the PAM support doesn't work properly. For example, if a user's password is expired or if a user's account is marked inactive it still allows them in via SSH.

We have tested HP's SSH release and it fixes this problem however the kerberos v5 breaks.

Has anyone experienced any of these problems? Any help would be greatly appreciated. Thanks in advance.

Reg Espinola
5 REPLIES 5
Andrew Cowan
Honored Contributor

Re: OpenSSH problems on HP-UX

Hi Reg,

I think that first of all you are using a very old version of OpenSSH, visit www.openssh.com (or mirror), and download v3.4.

It sounds as though the compiler switches you are using are incorrect, though I have to admit I have not tried expiring a user.

SSH uses the same PAM libraries as HP-UX so everything should work the same. I have not tried Kerberos, but again suspect you've got a problem with your compiler switches.

Good Luck,
Andrew
Steve Steel
Honored Contributor

Re: OpenSSH problems on HP-UX

Hi

Go to www.software.hp.com

Select
internet and security solutions

There you can find and download

hp-ux secure shell

overview
HP-UX Secure Shell A.03.10.002

HP-UX Secure Shell A.03.10.002, based on OpenSSH 3.1p1, provides a secure channel for remote communication by transparently encrypting network traffic. HP-UX Secure Shell uses hashing to ensure data integrity and supports several authentication methods. HP-UX Secure Shell supports the SSH-1 and SSH-2 protocols and provides stronger security than the traditional ftp, remsh, telnet, and rcp services. HP-UX Secure Shell also includes tools for manually creating public and private keys, storing private keys, and gathering public keys.

Features and Benefits:

HP-UX Secure Shell provides the following features and benefits:

strong encryption
secure tunneling capabilities
supports several authentication schemes
  Kerberos 4 and 5
  PAM
  public key
  password
  host
supports IPv6
fully tested HP product
support included with HP-UX Support Agreement

Product Documentation:

The HP-UX Secure Shell Release Notes are included with the software in /opt/ssh/ and contain quick-configuration steps. The Release Notes are made available online shortly after each release at www.docs.hp.com on the Internet and Security Solutions page.

Download or view the HP-UX Secure Shell Release Notes

Have a question about HP-UX Secure Shell? Look for answers in the HP-UX Secure Shell FAQs by searching the IT Resource Center for keywords HP-UX Secure Shell Frequently Asked Questions (FAQs).

Date: 7/29/02


additional product information

product #: T1471AA
version: A.03.10.002
software specification: HP-UX 11i
HP-UX 11.0



Steve Steel
If you want truly to understand something, try to change it. (Kurt Lewin)
Stefan Farrelly
Honored Contributor

Re: OpenSSH problems on HP-UX

Download the proper HP version from www.software.hp.com - it works fine and is precompiled and supported by HP.
I'm from Palmerston North, New Zealand, but somehow ended up in London...
Andrew Cowan
Honored Contributor

Re: OpenSSH problems on HP-UX

I appreciate that HP provide some support for OpenSSH, but their version is quite a long way behind the current one from www.openssh.org. This means that there are a lot of exploits that are common knowledge by now, that you will be vulnerable to.
If you can spare the extra time, download the official version and compile it yourself. This is also better because you can tailor your binaries to enable or disable functions to suit your site.

Whichever way you decide to do it, read the manual pages thoroughly, and make sure that you understand how things work, BEFORE attempting to implement it. Once installed visit a security news site(s) and www.openssh.org, at least once a week, and keep an eye out for updates, and new exploits.

Security needs constant review and maintenance or it is useless. You wouldn't buy a condom with a hole in it, or food that's past its sell-by-date would you?
Reggie Espinola
New Member

Re: OpenSSH problems on HP-UX

Thank you for all your suggestions. The switch used so that PAM support gets built into OpenSSH is "--with-pam". That is what the documentation states. The documentation also states that a pam control file should be installed as well (typically in /etc/pam.d on other OSes). Is this the same thing as the /etc/pam.conf file? The problem may be that simple and it just may be a configuration problem (control or configuration file problem).

The reason we can't use HP's version is that the installation paths used do not follow our standards and the kerberos v5 authentication does not work properly. We are not vulnerable to the latest security holes since certain settings have been disabled. Like I stated before, our version developed in house works perfectly fine except that it doesn't handle expired passwds and deactivated accounts properly. Steve, any chance the source for HP's OpenSSH is publicly available?

Anyone have any other suggestions? Again, thanks for everyone's help.

Reg
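
Added example, not part of the original thread or of any poster's code: in the single-file pam.conf format each line begins with the service name, while a file under /etc/pam.d is named after the service and omits that field. Password expiry and inactive accounts are enforced by the `account` module type, so the script below prints which stack a service resolves to for a given type and which types have no entry at all. The service name `sshd`, the `OTHER` fallback entry, and the sample file with its module paths are assumptions constructed for illustration.

```shell
#!/bin/sh
# pam_stack FILE SERVICE TYPE
# Print "control module" for each entry of SERVICE and TYPE in a
# pam.conf-format file, falling back to the OTHER entries when the
# service has none of that type. Continuation lines are not handled.
pam_stack() {
    awk -v svc="$2" -v typ="$3" '
        $1 ~ /^#/ || NF < 4 { next }        # comments, blank or short lines
        { s = tolower($1); t = tolower($2) }
        t != tolower(typ)   { next }
        s == tolower(svc)   { own = own $3 " " $4 "\n" }
        s == "other"        { oth = oth $3 " " $4 "\n" }
        END { printf "%s", (own != "" ? own : oth) }
    ' "$1"
}

# pam_missing FILE SERVICE
# Print each module type for which neither SERVICE nor OTHER has an entry.
pam_missing() {
    for t in auth account session password; do
        [ -n "$(pam_stack "$1" "$2" "$t")" ] || echo "$t"
    done
}

# Constructed sample in pam.conf format; module paths are illustrative.
write_sample() {
    cat > "$1" <<'EOF'
# service  type     control     module
sshd       auth     sufficient  /usr/lib/security/libpam_krb5.1
sshd       auth     required    /usr/lib/security/libpam_unix.1 try_first_pass
sshd       session  required    /usr/lib/security/libpam_unix.1
OTHER      auth     required    /usr/lib/security/libpam_unix.1
OTHER      account  required    /usr/lib/security/libpam_unix.1
EOF
}

conf="${TMPDIR:-/tmp}/pam.conf.sample.$$"
write_sample "$conf"
echo "account stack for sshd:"; pam_stack "$conf" sshd account
echo "types with no entry:";    pam_missing "$conf" sshd
rm -f "$conf"
```

In the sample, `sshd` has no `account` line of its own, so its account checks come from the `OTHER` entry; if that were absent too, `pam_missing` would list `account`.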